发表新帖
发表新帖

userAccountControl in Active Directory

后端 未结
关注
3 1536
不要未来只要你来
不要未来只要你来 2021-02-04 14:54

I want to know the current value of the userAccountControl and determine which stage it is in

Ref: http://support.microsoft.com/kb/305144/en-us

According to th

相关标签:
3条回答
  • 名媛妹妹
    2021-02-04 15:14

    Its a bitmap. Each bit in a word is either ON or OFF (0 or 1). Its not really a number its more like a row of switches, each one on or off. Operating systems use them internally because they can manipulate them very quickly by logically comparing them to bitmasks.

    The LDIF representation of the attribute can show the result as a decimal number (equivalent to the binary mumber that would be represented by the mask if it was a number - it isn't really!) And its pretty easy to decode, because basically its made by adding some powers of 2 together.

    For example:

      512 = normal account
  514 = 512 + 2 = normal account, disabled
  546 = 512 + 32 + 2 = normal account, disabled, no password required
 2080 = 2048 + 32 = Interdomain trust, no password required
66048 = 65536 + 512 = normal account. password never expires
66050 = 65536 + 512 + 2 = normal account. password never expires, disabled
66080 = 65536 + 512 + 32 = normal account. password never expires, no password required
    0 讨论(0)
  • 孤独总比滥情好
    2021-02-04 15:15

    You can easily decode this by converting your result to an enum.

    int userAccountControlValue = 544;
UserAccountControl userAccountControl = (UserAccountControl) userAccountControlValue;

// This gets a comma separated string of the flag names that apply.
string userAccountControlFlagNames = userAccountControl.ToString();

// This is how you test for an individual flag.
bool isNormalAccount = (userAccountControl & UserAccountControl.NORMAL_ACCOUNT) == UserAccountControl.NORMAL_ACCOUNT;
bool isAccountDisabled = (userAccountControl & UserAccountControl.ACCOUNTDISABLE) == UserAccountControl.ACCOUNTDISABLE;
bool isAccountLockedOut = (userAccountControl & UserAccountControl.LOCKOUT) == UserAccountControl.LOCKOUT;

    Here's the enum definition that you want:

    /// <summary>
/// Flags that control the behavior of the user account.
/// </summary>
[Flags()]
public enum UserAccountControl : int
{
    /// <summary>
    /// The logon script is executed. 
    ///</summary>
    SCRIPT = 0x00000001,

    /// <summary>
    /// The user account is disabled. 
    ///</summary>
    ACCOUNTDISABLE = 0x00000002,

    /// <summary>
    /// The home directory is required. 
    ///</summary>
    HOMEDIR_REQUIRED = 0x00000008,

    /// <summary>
    /// The account is currently locked out. 
    ///</summary>
    LOCKOUT = 0x00000010,

    /// <summary>
    /// No password is required. 
    ///</summary>
    PASSWD_NOTREQD = 0x00000020,

    /// <summary>
    /// The user cannot change the password. 
    ///</summary>
    /// <remarks>
    /// Note:  You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. 
    /// For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
    // </remarks>
    PASSWD_CANT_CHANGE = 0x00000040,

    /// <summary>
    /// The user can send an encrypted password. 
    ///</summary>
    ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080,

    /// <summary>
    /// This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not 
    /// to any domain that trusts this domain. Also known as a local user account. 
    ///</summary>
    TEMP_DUPLICATE_ACCOUNT = 0x00000100,

    /// <summary>
    /// This is a default account type that represents a typical user. 
    ///</summary>
    NORMAL_ACCOUNT = 0x00000200,

    /// <summary>
    /// This is a permit to trust account for a system domain that trusts other domains. 
    ///</summary>
    INTERDOMAIN_TRUST_ACCOUNT = 0x00000800,

    /// <summary>
    /// This is a computer account for a computer that is a member of this domain. 
    ///</summary>
    WORKSTATION_TRUST_ACCOUNT = 0x00001000,

    /// <summary>
    /// This is a computer account for a system backup domain controller that is a member of this domain. 
    ///</summary>
    SERVER_TRUST_ACCOUNT = 0x00002000,

    /// <summary>
    /// Not used. 
    ///</summary>
    Unused1 = 0x00004000,

    /// <summary>
    /// Not used. 
    ///</summary>
    Unused2 = 0x00008000,

    /// <summary>
    /// The password for this account will never expire. 
    ///</summary>
    DONT_EXPIRE_PASSWD = 0x00010000,

    /// <summary>
    /// This is an MNS logon account. 
    ///</summary>
    MNS_LOGON_ACCOUNT = 0x00020000,

    /// <summary>
    /// The user must log on using a smart card. 
    ///</summary>
    SMARTCARD_REQUIRED = 0x00040000,

    /// <summary>
    /// The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service 
    /// can impersonate a client requesting the service. 
    ///</summary>
    TRUSTED_FOR_DELEGATION = 0x00080000,

    /// <summary>
    /// The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation. 
    ///</summary>
    NOT_DELEGATED = 0x00100000,

    /// <summary>
    /// Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. 
    ///</summary>
    USE_DES_KEY_ONLY = 0x00200000,

    /// <summary>
    /// This account does not require Kerberos pre-authentication for logon. 
    ///</summary>
    DONT_REQUIRE_PREAUTH = 0x00400000,

    /// <summary>
    /// The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy. 
    ///</summary>
    PASSWORD_EXPIRED = 0x00800000,

    /// <summary>
    /// The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly 
    /// controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to 
    /// other remote servers on the network.
    ///</summary>
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000,

    /// <summary>
    /// 
    /// </summary>
    PARTIAL_SECRETS_ACCOUNT = 0x04000000,

    /// <summary>
    /// 
    /// </summary>
    USE_AES_KEYS = 0x08000000
}
    0 讨论(0)
  • 遇见更好的自我
    2021-02-04 15:23
    • 544 = hex 0x220
    • 546 = hex 0x222

    According to this list here, this means:

    0x200 = normal account
0x020 = passwd_notreqd = password not required
0x002 = account disabled

    So

    • a value of 544 (decimal) is 0x220 hex and means: normal account, password not required
    • a value of 546 (decimal) is 0x222 hex and means: normal account, disabled, password not required
    0 讨论(0)
 看不清?
提交回复
热议问题