useraccountcontrol code

  • Question

  • Hi Team,

    We have a .NET tool with which we pull a report from our domain. We have the below codes under userAccountControl which I am not aware of. Need help.

    524800

    590336

    590338

    2163202

    2621954

    2687490

    4260384

    16843264

    16843266

     

    Regards,

    Santhosh B S


     


    Tuesday, September 11, 2018 10:44 AM

All replies

  • The userAccountControl attribute is a flag attribute, where every bit of the integer value represents a different setting. You test each bit by "And"ing the value with a bit mask, resulting in either True or False. Using a VBScript I coded long ago, I got the following (each setting separated by commas):

    524800: Default account for typical user,Service account under which a service runs, trusted for Kerberos
    590336: Default account for typical user,Password does not expire,Service account under which a service runs, trusted for Kerberos
    590338: User account disabled,Default account for typical user,Password does not expire,Service account under which a service runs, trusted for Kerberos
    2163202: User account disabled,Default account for typical user,Password does not expire,Must use DES encryption types for keys
    2621954: User account disabled,Default account for typical user,Service account under which a service runs, trusted for Kerberos,Must use DES encryption types for keys
    2687490: User account disabled,Default account for typical user,Password does not expire,Service account under which a service runs, trusted for Kerberos,Must use DES encryption types for keys
    4260384: No password required,Default account for typical user,Password does not expire,Account does not require Kerberos preauthenication for logon
    16843264: Default account for typical user,Password does not expire,Account enabled for delegation
    16843266: User account disabled,Default account for typical user,Password does not expire,Account enabled for delegation
    

    The script I used, with an array of the values you specified, follows:

    ' UserAcctCntrl.vbs
    Option Explicit
    
    Dim lngValue, Values, strSettings
    
    Values = Array(524800,590336,590338,2163202,2621954,2687490,4260384,16843264,16843266)
    
    For Each lngValue In Values
        strSettings = GetFlags(lngValue)
        Wscript.Echo CStr(lngValue) & ": " & strSettings
    Next
    
    Function GetFlags(ByVal lngFlag)
        ' Function to read bits of userAccountControl attribute.
    
        ' Define bit masks.
        Const ADS_UF_ACCOUNTDISABLE = &H02
        Const ADS_UF_HOMEDIR_REQUIRED = &H08
        Const ADS_UF_LOCKOUT = &H10
        Const ADS_UF_PASSWD_NOTREQD = &H20
        Const ADS_UF_PASSWD_CANT_CHANGE = &H40
        Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H80
        Const ADS_UF_TEMP_DUPLICATE_ACCOUNT = &H100
        Const ADS_UF_NORMAL_ACCOUNT = &H200
        Const ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = &H800
        Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &H1000
        Const ADS_UF_SERVER_TRUST_ACCOUNT = &H2000
        Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
        Const ADS_UF_MNS_LOGON_ACCOUNT = &H20000
        Const ADS_UF_SMARTCARD_REQUIRED = &H40000
        Const ADS_UF_TRUSTED_FOR_DELEGATION = &H80000
        Const ADS_UF_NOT_DELEGATED = &H100000
        Const ADS_UF_USE_DES_KEY_ONLY = &H200000
        Const ADS_UF_DONT_REQUIRE_PREAUTH = &H400000
        Const ADS_UF_PASSWORD_EXPIRED = &H800000
        Const ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = &H1000000
    
        GetFlags = ""
    
        If (lngFlag And ADS_UF_ACCOUNTDISABLE) <> 0 Then
            GetFlags = GetFlags & "," & "User account disabled"
        End If
        If (lngFlag And ADS_UF_HOMEDIR_REQUIRED) <> 0 Then
            GetFlags = GetFlags & "," & "Home directory required"
        End If
        If (lngFlag And ADS_UF_LOCKOUT) <> 0 Then
            GetFlags = GetFlags & "," & "Account currently locked out"
        End If
        If (lngFlag And ADS_UF_PASSWD_NOTREQD) <> 0 Then
            GetFlags = GetFlags & "," & "No password required"
        End If
        If (lngFlag And ADS_UF_PASSWD_CANT_CHANGE) <> 0 Then
            GetFlags = GetFlags & "," & "User cannot change password"
        End If
        If (lngFlag And ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED) <> 0 Then
            GetFlags = GetFlags & "," & "User can send an encrypted password"
        End If
        If (lngFlag And ADS_UF_TEMP_DUPLICATE_ACCOUNT) <> 0 Then
            GetFlags = GetFlags & "," & "Account for user in another domain (local user account)"
        End If
        If (lngFlag And ADS_UF_NORMAL_ACCOUNT) <> 0 Then
            GetFlags = GetFlags & "," & "Default account for typical user"
        End If
        If (lngFlag And ADS_UF_INTERDOMAIN_TRUST_ACCOUNT) <> 0 Then
            GetFlags = GetFlags & "," & "A ""permit to trust"" account for a domain that ""trusts"" other domains"
        End If
        If (lngFlag And ADS_UF_WORKSTATION_TRUST_ACCOUNT) <> 0 Then
            GetFlags = GetFlags & "," & "Computer account"
        End If
        If (lngFlag And ADS_UF_SERVER_TRUST_ACCOUNT) <> 0 Then
            GetFlags = GetFlags & "," & "Computer account for system backup domain controller"
        End If
        If (lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
            GetFlags = GetFlags & "," & "Password does not expire"
        End If
        If (lngFlag And ADS_UF_MNS_LOGON_ACCOUNT) <> 0 Then
            GetFlags = GetFlags & "," & "MNS logon account"
        End If
        If (lngFlag And ADS_UF_SMARTCARD_REQUIRED) <> 0 Then
            GetFlags = GetFlags & "," & "User must logon using a smart card"
        End If
        If (lngFlag And ADS_UF_TRUSTED_FOR_DELEGATION) <> 0 Then
            GetFlags = GetFlags & "," & "Service account under which a service runs, trusted for Kerberos"
        End If
        If (lngFlag And ADS_UF_NOT_DELEGATED) <> 0 Then
            GetFlags = GetFlags & "," & "Security context will not be delegated to a service"
        End If
        If (lngFlag And ADS_UF_USE_DES_KEY_ONLY) <> 0 Then
            GetFlags = GetFlags & "," & "Must use DES encryption types for keys"
        End If
        If (lngFlag And ADS_UF_DONT_REQUIRE_PREAUTH) <> 0 Then
            GetFlags = GetFlags & "," & "Account does not require Kerberos preauthenication for logon"
        End If
        If (lngFlag And ADS_UF_PASSWORD_EXPIRED) <> 0 Then
            GetFlags = GetFlags & "," & "User password has expired"
        End If
        If (lngFlag And ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION) <> 0 Then
            GetFlags = GetFlags & "," & "Account enabled for delegation"
        End If
    
        If (Len(GetFlags) > 1) Then
            GetFlags = Mid(GetFlags, 2)
        End If
    
    End Function
    


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, September 11, 2018 4:25 PM
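
Added example, not part of the thread or of Richard Mueller's script: the same bit-mask decoding in Python, extended to separate out the settings an account review usually looks at and to report bits the mask table does not cover instead of dropping them. The mask values are the ADS_UF_* constants from the VBScript above; the `REVIEW` notes and the function names are this example's own assumptions.

```python
from enum import IntFlag

class UAC(IntFlag):
    # Bit masks copied from the ADS_UF_* constants in the VBScript above.
    ACCOUNTDISABLE = 0x02
    HOMEDIR_REQUIRED = 0x08
    LOCKOUT = 0x10
    PASSWD_NOTREQD = 0x20
    PASSWD_CANT_CHANGE = 0x40
    ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x80
    TEMP_DUPLICATE_ACCOUNT = 0x100
    NORMAL_ACCOUNT = 0x200
    INTERDOMAIN_TRUST_ACCOUNT = 0x800
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT = 0x2000
    DONT_EXPIRE_PASSWD = 0x10000
    MNS_LOGON_ACCOUNT = 0x20000
    SMARTCARD_REQUIRED = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000
    USE_DES_KEY_ONLY = 0x200000
    DONT_REQUIRE_PREAUTH = 0x400000
    PASSWORD_EXPIRED = 0x800000
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000

# Review notes are this example's own wording (assumption), not from the thread.
REVIEW = {
    UAC.PASSWD_NOTREQD: "blank password permitted",
    UAC.ENCRYPTED_TEXT_PASSWORD_ALLOWED: "password stored reversibly",
    UAC.DONT_EXPIRE_PASSWD: "password never expires",
    UAC.TRUSTED_FOR_DELEGATION: "trusted for delegation to any service",
    UAC.USE_DES_KEY_ONLY: "restricted to DES Kerberos keys",
    UAC.DONT_REQUIRE_PREAUTH: "Kerberos pre-authentication not required",
    UAC.TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: "protocol transition allowed",
}
KNOWN = sum(f.value for f in UAC)  # every bit the table above can name

def decode(value):
    """Return (flag names, leftover unknown bits) for one userAccountControl value."""
    names = [f.name for f in UAC if value & f.value]
    return names, value & ~KNOWN

def review(value):
    """Return (account enabled?, notes for the settings listed in REVIEW)."""
    enabled = (value & UAC.ACCOUNTDISABLE.value) == 0
    return enabled, [note for flag, note in REVIEW.items() if value & flag.value]

if __name__ == "__main__":
    for v in (524800, 590338, 2163202, 4260384, 16843264):  # values from the question
        print(v, decode(v), review(v))
```

A non-zero second element from `decode` means the value carries a bit that is not in the table, so the report for that account is incomplete until the bit is identified.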