Thursday, 23 December 2010 06:57

Active Directory UserAccountControl Attribute

Written by

In day-to-day work you will sooner or later need to extract reports from Active Directory, such as the list of disabled users or the list of active mailbox users on your Exchange server. Most of us go looking for an automated tool to produce these reports, but no such script is needed: the CSVDE command will produce the report for you.

For example, if you need a report of all enabled user accounts in your domain, use the command below.

Open a command prompt and execute it (note: replace the domain details with your own).

CSVDE -r "(objectClass=user)" -d "dc=ExchangeDictionary,DC=com" -s ExchDicDC01.ExchangeDictionary.com -l displayname,useraccountcontrol -f c:\UserList.csv

-r :- the LDAP filter. Here I have given objectClass=user, so the command only runs against user objects (computer objects also carry objectClass=user, which is why workstation and domain controller values appear in the list below).

-d :- the scope of the search. Here I have scoped it to the entire domain (dc=ExchangeDictionary,DC=com means the domain ExchangeDictionary.com). If you want to run it against a single OU, replace this with OU=Your OU Name,DC=ExchangeDictionary,DC=com.

-s :- the domain controller against which the command runs.


-l :- the comma-separated list of attributes to extract for each matching Active Directory object.

-f :- the output file.

Once you have successfully run the above command, open the output file in Excel. You can then check each useraccountcontrol value against the list below and filter out the report you need.

UserAccountControl Values

512 - Enabled account

514 - Disabled account

544 - Account enabled - Require user to change password at first logon

4096 - Workstation/server

66048 - Enabled, password never expires

66050 - Disabled, password never expires

66080 - Enabled, password never expires, password not required

532480 - Domain controller

590336 - Enabled, user cannot change password, password never expires

We can view and edit this attribute with either the Ldp.exe tool or the Adsiedit.msc snap-in. Ldp.exe shows the value in hexadecimal; Adsiedit.msc displays it in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x0002 + 0x0200). In decimal, this is 514 (2 + 512).

See the property flag and the corresponding value in hexadecimal and decimal:

Property flag                    Hexadecimal   Decimal
SCRIPT                           0x0001        1
ACCOUNTDISABLE                   0x0002        2
HOMEDIR_REQUIRED                 0x0008        8
LOCKOUT                          0x0010        16
PASSWD_NOTREQD                   0x0020        32
PASSWD_CANT_CHANGE               0x0040        64
ENCRYPTED_TEXT_PWD_ALLOWED       0x0080        128
TEMP_DUPLICATE_ACCOUNT           0x0100        256
NORMAL_ACCOUNT                   0x0200        512
INTERDOMAIN_TRUST_ACCOUNT        0x0800        2048
WORKSTATION_TRUST_ACCOUNT        0x1000        4096
SERVER_TRUST_ACCOUNT             0x2000        8192
DONT_EXPIRE_PASSWORD             0x10000       65536
MNS_LOGON_ACCOUNT                0x20000       131072
SMARTCARD_REQUIRED               0x40000       262144
TRUSTED_FOR_DELEGATION           0x80000       524288
NOT_DELEGATED                    0x100000      1048576
USE_DES_KEY_ONLY                 0x200000      2097152
DONT_REQ_PREAUTH                 0x400000      4194304
PASSWORD_EXPIRED                 0x800000      8388608
TRUSTED_TO_AUTH_FOR_DELEGATION   0x1000000     16777216

Note: PASSWD_CANT_CHANGE cannot be assigned by directly modifying the UserAccountControl attribute. For information about how to set this permission programmatically, see the "Property flag descriptions" section of the Microsoft article referenced below.
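As an added example (not code from the original post), the Python script below reads the CSV that the CSVDE command above writes and decodes each userAccountControl value into the flag names from the table above. Decoding bit by bit is a more reliable check than matching whole numbers against the list of composite values: 544, for instance, decodes to NORMAL_ACCOUNT plus PASSWD_NOTREQD (512 + 32), and 590336 to NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD and TRUSTED_FOR_DELEGATION. The CSV rows are constructed sample data, and the column names assume CSVDE's usual header layout (DN first, then the requested attributes).

```python
import csv
import io

# Flag names and bit values taken from the table above (Microsoft KB 305144).
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

def decode_uac(value):
    """Split a userAccountControl value into the names of the flags set in it."""
    value = int(value)
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits the table does not list (newer flags)
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names

def parse_csvde(text):
    """Parse CSVDE output (header row, DN column first) into decoded rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"dn": row["DN"], "name": row["displayName"],
                     "uac": int(row["userAccountControl"]),
                     "flags": decode_uac(row["userAccountControl"])})
    return rows

def accounts_with(rows, flag):
    """Display names of the accounts that have the given flag set."""
    return [r["name"] for r in rows if flag in r["flags"]]

# Constructed sample rows in the layout CSVDE writes; not a real export.
SAMPLE = """DN,displayName,userAccountControl
"CN=Alice,OU=Staff,DC=ExchangeDictionary,DC=com",Alice,512
"CN=Bob,OU=Staff,DC=ExchangeDictionary,DC=com",Bob,514
"CN=Carol,OU=Staff,DC=ExchangeDictionary,DC=com",Carol,544
"CN=svc-backup,OU=Service,DC=ExchangeDictionary,DC=com",svc-backup,590336
"""

if __name__ == "__main__":
    for r in parse_csvde(SAMPLE):
        print(r["name"], r["uac"], "|".join(r["flags"]))
```

Point parse_csvde at the contents of c:\UserList.csv to run it over a real export; accounts_with(rows, "ACCOUNTDISABLE") then gives the disabled-user report directly.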

I hope this helps you manage your domain in one way or another. Send me your comments on it.

Ref - http://support.microsoft.com/kb/305144

-Praveen
