javazeke
LDAP: the Active Directory userAccountControl attribute


When you open the properties for a user account, click the Account tab, and then either select or clear the check boxes in the Account options dialog box, numerical values are assigned to the UserAccountControl attribute. The value that is assigned to the attribute tells Windows which options have been enabled.

To view user accounts, click Start , point to Programs , point to Administrative Tools , and then click Active Directory Users and Computers .

You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.

The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).

Note You can directly edit Active Directory in both Ldp.exe and Adsiedit.msc. Only experienced administrators should use these tools to edit Active Directory. Both tools are available after you install the Support tools from your original Windows installation media.

Property flag                    Value in hexadecimal   Value in decimal
SCRIPT                           0x0001                 1
ACCOUNTDISABLE                   0x0002                 2
HOMEDIR_REQUIRED                 0x0008                 8
LOCKOUT                          0x0010                 16
PASSWD_NOTREQD                   0x0020                 32
PASSWD_CANT_CHANGE               0x0040                 64
ENCRYPTED_TEXT_PWD_ALLOWED       0x0080                 128
TEMP_DUPLICATE_ACCOUNT           0x0100                 256
NORMAL_ACCOUNT                   0x0200                 512
INTERDOMAIN_TRUST_ACCOUNT        0x0800                 2048
WORKSTATION_TRUST_ACCOUNT        0x1000                 4096
SERVER_TRUST_ACCOUNT             0x2000                 8192
DONT_EXPIRE_PASSWORD             0x10000                65536
MNS_LOGON_ACCOUNT                0x20000                131072
SMARTCARD_REQUIRED               0x40000                262144
TRUSTED_FOR_DELEGATION           0x80000                524288
NOT_DELEGATED                    0x100000               1048576
USE_DES_KEY_ONLY                 0x200000               2097152
DONT_REQ_PREAUTH                 0x400000               4194304
PASSWORD_EXPIRED                 0x800000               8388608
TRUSTED_TO_AUTH_FOR_DELEGATION   0x1000000              16777216

Note You cannot assign the PASSWD_CANT_CHANGE permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the "Property flag descriptions" section.


Note In a Windows Server 2003-based domain, LOCKOUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information about this new attribute, visit the following Web site:

http://msdn2.microsoft.com/en-us/library/ms677840.aspx

Property flag descriptions


  • SCRIPT - The logon script will be run.
  • ACCOUNTDISABLE - The user account is disabled.
  • HOMEDIR_REQUIRED - The home folder is required.
  • PASSWD_NOTREQD - No password is required.
  • PASSWD_CANT_CHANGE - The user cannot change the password. This is a permission on the user's object. For information about how to programmatically set this permission, visit the following Web site:
    http://msdn2.microsoft.com/en-us/library/aa746398.aspx
  • ENCRYPTED_TEXT_PASSWORD_ALLOWED - The user can send an encrypted password.
  • TEMP_DUPLICATE_ACCOUNT - This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
  • NORMAL_ACCOUNT - This is a default account type that represents a typical user.
  • INTERDOMAIN_TRUST_ACCOUNT - This is a trust account that represents a system domain which trusts other domains.
  • WORKSTATION_TRUST_ACCOUNT - This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
  • SERVER_TRUST_ACCOUNT - This is a computer account for a domain controller that is a member of this domain.
  • DONT_EXPIRE_PASSWD - The password on this account never expires.
  • MNS_LOGON_ACCOUNT - This is an MNS logon account.
  • SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card.
  • TRUSTED_FOR_DELEGATION - When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
  • NOT_DELEGATED - When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
  • USE_DES_KEY_ONLY - (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
  • DONT_REQUIRE_PREAUTH - (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.
  • PASSWORD_EXPIRED - (Windows 2000/Windows Server 2003) The user's password has expired.
  • TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts with this option enabled should be tightly controlled. This setting allows a service that runs under the account to assume a client's identity and authenticate as that user to other remote servers on the network.

UserAccountControl values

These are the default UserAccountControl values for certain objects:

Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)
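The flags are a bit mask, so the same arithmetic that turns 0x002 + 0x0200 into 514 above can be run in reverse to read a value back into flag names, and forward to build the LDAP bitwise-AND filter that searches on a single flag. The following Python is an added example (it is not from the KB article or from the blog author): the flag values are the ones in the table above, the default values are the three listed just above, the choice of which flags count as "risky" for an account that is not a domain controller is this example's own reading of the flag descriptions, and the account records it audits are constructed sample data, not real directory output. The matching-rule OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule that Active Directory supports for extensible-match filters.

```python
"""Decode, compose and audit Active Directory userAccountControl values.

Added example; flag values are those from the table on this page.
The sample accounts at the bottom are constructed, not real directory data.
"""
from functools import reduce
from typing import Dict, List

# Flag name -> bit value, as listed in the table on this page.
UAC_FLAGS: Dict[str, int] = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}
KNOWN_MASK = reduce(lambda acc, bit: acc | bit, UAC_FLAGS.values(), 0)

# Default values per object type, from the "UserAccountControl values" section.
DEFAULTS: Dict[str, int] = {
    "user": 0x200,
    "domain controller": 0x82000,
    "workstation/server": 0x1000,
}

# Flags that weaken authentication when present on an account whose default
# does not include them (this example's selection, based on the descriptions).
RISKY_FLAGS = (
    "PASSWD_NOTREQD",
    "ENCRYPTED_TEXT_PWD_ALLOWED",
    "USE_DES_KEY_ONLY",
    "DONT_REQ_PREAUTH",
    "TRUSTED_FOR_DELEGATION",
    "TRUSTED_TO_AUTH_FOR_DELEGATION",
)

# LDAP extensible-match rule: matches when every bit of the mask is set.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def decode(value: int) -> List[str]:
    """Return the flag names set in value, lowest bit first; unknown bits are reported."""
    names = [n for n, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1]) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def compose(*names: str) -> int:
    """OR the named flags together, e.g. compose("NORMAL_ACCOUNT", "ACCOUNTDISABLE") == 514."""
    return reduce(lambda acc, n: acc | UAC_FLAGS[n], names, 0)


def set_flag(value: int, name: str) -> int:
    return value | UAC_FLAGS[name]


def clear_flag(value: int, name: str) -> int:
    return value & ~UAC_FLAGS[name]


def bit_filter(name: str, present: bool = True) -> str:
    """LDAP filter clause selecting objects where the single flag is (or is not) set."""
    clause = f"(userAccountControl:{BIT_AND_RULE}:={UAC_FLAGS[name]})"
    return clause if present else f"(!{clause})"


def filter_any(*names: str) -> str:
    """Objects with ANY of the flags: the BIT_AND rule needs the whole mask, so OR single-bit clauses."""
    return "(|" + "".join(bit_filter(n) for n in names) + ")"


def audit(account: dict) -> List[str]:
    """Findings for one account: 'disabled' plus risky flags the object-type default does not carry."""
    uac = account["userAccountControl"]
    default = DEFAULTS.get(account["kind"], 0)
    names = decode(uac)
    findings = ["disabled"] if "ACCOUNTDISABLE" in names else []
    findings += [n for n in RISKY_FLAGS if n in names and not (default & UAC_FLAGS[n])]
    return findings


def audit_all(accounts: List[dict]) -> Dict[str, List[str]]:
    return {a["sAMAccountName"]: audit(a) for a in accounts}


# Constructed sample records in the shape an LDAP search would return.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "kind": "user", "userAccountControl": 512},
    {"sAMAccountName": "bob", "kind": "user", "userAccountControl": 514},
    {"sAMAccountName": "svc-backup", "kind": "user",
     "userAccountControl": compose("NORMAL_ACCOUNT", "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH")},
    {"sAMAccountName": "DC01$", "kind": "domain controller", "userAccountControl": 532480},
    {"sAMAccountName": "WS01$", "kind": "workstation/server",
     "userAccountControl": compose("WORKSTATION_TRUST_ACCOUNT", "PASSWD_NOTREQD")},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACCOUNTS).items():
        print(f"{name:12} {findings}")
    print(filter_any("PASSWD_NOTREQD", "DONT_REQ_PREAUTH"))
```

A domain controller carries TRUSTED_FOR_DELEGATION by default (0x82000 = SERVER_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION), so the audit only reports a risky flag when the object type's default does not already include it; the filter helpers show why a search for "any of these flags" has to OR several single-bit clauses rather than pass a combined mask to the bitwise-AND rule.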