Converting AD UserAccountControl Attribute Values

UserAccountControl is without doubt one of the most important attributes of user and computer accounts in Active Directory. This attribute determines the status of the account in the AD domain: whether the account is active or locked, whether the option to change the password at the next logon is enabled, whether users can change their passwords, and so on. However, not all administrators are fully aware of how and for what purpose the UserAccountControl attribute is used in AD.

Open the properties of any AD account in the Active Directory Users and Computers (ADUC) console and go to the Account tab. Note the group of user attributes in the Account Options section. Here you can see the following options:

  • User must change password at next logon;
  • User cannot change password;
  • Password never expires;
  • Store password using reversible encryption;
  • Account is disabled;
  • Smart card is required for interactive logon;
  • Account is sensitive and cannot be delegated;
  • Use Kerberos DES encryption types for this account;
  • This account supports Kerberos AES 128/256 bit encryption;
  • Do not require Kerberos preauthentication.

AD user account options - UserAccountControl

Each of these user account attributes is essentially a bit value that can be in the state 1 (True) or 0 (False). However, these values are not stored as separate AD attributes; the UserAccountControl attribute is used instead.


  • UserAccountControl as an Active Directory Attribute
  • PowerShell script to decode the UserAccountControl value

UserAccountControl as an Active Directory Attribute

The total value of all the options listed above is stored in the value of the UserAccountControl attribute, i.e. instead of storing these options in several attributes, a single Active Directory attribute is used. UserAccountControl is a bit mask, with each bit being a separate flag that has its own value (enabled or disabled). So depending on the enabled account options, a user can have different UserAccountControl attribute values. You can see the current value of the attribute in the corresponding Attribute Editor tab or by using the Get-ADUser cmdlet in PowerShell:

Get-ADUser jkelly -Properties * | Select-Object Name,UserAccountControl | ft

get-aduser UserAccountControl value

UserAccountControl value in ad attribute editor

In this example the value of the attribute is 0x10202 (decimal value 66050). What do these numbers mean?

The table of available flags of AD accounts is given below. Each flag corresponds to a certain UserAccountControl bit, and the UserAccountControl value equals the sum of all set flags.

UserAccountControl Flag                                                                HEX Value    Decimal Value
SCRIPT (Run the logon script)                                                          0x0001       1
ACCOUNTDISABLE (The account is disabled)                                               0x0002       2
HOMEDIR_REQUIRED (The home folder is required)                                         0x0008       8
LOCKOUT (The account is locked out)                                                    0x0010       16
PASSWD_NOTREQD (No password is required)                                               0x0020       32
PASSWD_CANT_CHANGE (Prevent the user from changing the password)                       0x0040       64
ENCRYPTED_TEXT_PWD_ALLOWED (Store the password using reversible encryption)            0x0080       128
TEMP_DUPLICATE_ACCOUNT (An account for a user whose primary account is in another domain)  0x0100   256
NORMAL_ACCOUNT (A default account, a typical active account)                           0x0200       512
DONT_EXPIRE_PASSWORD (The user's password never expires)                               0x10000      65536
MNS_LOGON_ACCOUNT                                                                      0x20000      131072
SMARTCARD_REQUIRED (The user needs a smart card to log on to the network)              0x40000      262144
NOT_DELEGATED                                                                          0x100000     1048576
USE_DES_KEY_ONLY                                                                       0x200000     2097152
DONT_REQ_PREAUTH (Kerberos pre-authentication is not required)                         0x400000     4194304
PASSWORD_EXPIRED (The user's password has expired)                                     0x800000     8388608
PARTIAL_SECRETS_ACCOUNT                                                                0x04000000   67108864

For example, take a regular account for which the requirement to change the password is disabled. Its UserAccountControl value is calculated as follows:


So the UserAccountControl value from my example (66050) was obtained as follows:


A locked user account has 514 (0x202, i.e. NORMAL_ACCOUNT + ACCOUNTDISABLE) as its UserAccountControl value:


Default UserAccountControl values for typical domain objects:

  1. A regular AD user: 0x200 (512);
  2. A domain controller: 0x82000 (532480);
  3. A workstation/server: 0x1000 (4096).

Using LDAP filters, you can select AD objects with a certain userAccountControl value. For example, to display all active (normal) accounts:

Get-ADUser -Properties * -ldapFilter "(useraccountcontrol=512)"

Display the list of all locked accounts:

Get-ADUser -Properties * -ldapFilter "(useraccountcontrol=514)"

The list of accounts with the non-expiring password option:

Get-ADUser -Properties * -ldapFilter "(useraccountcontrol=66048)"

You can sum the required bits from the table and select AD objects using these commands:

$UserAccountControl_hex= 0x10000 + 0x0080 + 0x200000
Get-ADUser -Filter
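One caveat a practitioner will hit with the filters above: (useraccountcontrol=512) is an exact match, so an enabled user whose password also never expires (66048) is not returned, and the 514 filter returns accounts with the ACCOUNTDISABLE bit (0x2) rather than accounts in the LOCKOUT state (0x10), which AD exposes through the lockoutTime attribute and Search-ADAccount -LockedOut. The added example below (my code, not the article's) builds LDAP filters that test individual bits with the bitwise matching rules LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) and LDAP_MATCHING_RULE_BIT_OR (1.2.840.113556.1.4.804). The helper name New-UacBitFilter is my own; it assumes the RSAT ActiveDirectory module and a reachable domain controller for the Get-ADUser calls.

```powershell
# Added example (not from the original article): LDAP filters that test
# individual userAccountControl bits instead of matching the whole value.
# Requires the RSAT ActiveDirectory module and a reachable domain controller.

# Flag values taken from the table above (decimal).
$ACCOUNTDISABLE       = 2
$PASSWD_NOTREQD       = 32
$DONT_EXPIRE_PASSWORD = 65536
$DONT_REQ_PREAUTH     = 4194304

function New-UacBitFilter {
    # Builds an LDAP filter string that tests userAccountControl bits.
    #   -Bits   : flag values to test; they are OR-ed into one mask
    #   -Any    : use BIT_OR (any listed bit set) instead of BIT_AND (all set)
    #   -Negate : match accounts that do NOT satisfy the bit test
    param(
        [Parameter(Mandatory)][int[]]$Bits,
        [switch]$Any,
        [switch]$Negate
    )
    $mask = 0
    foreach ($b in $Bits) { $mask = $mask -bor $b }
    # 803 = LDAP_MATCHING_RULE_BIT_AND, 804 = LDAP_MATCHING_RULE_BIT_OR
    $rule = if ($Any) { '1.2.840.113556.1.4.804' } else { '1.2.840.113556.1.4.803' }
    $test = "(userAccountControl:$rule:=$mask)"
    if ($Negate) { return "(!$test)" }
    return $test
}

# Enabled user accounts whose password never expires, whatever other bits
# are set (the exact-match filter on 66048 would miss e.g. 66052).
$ldap = "(&(objectCategory=person)(objectClass=user)" +
        (New-UacBitFilter -Bits $ACCOUNTDISABLE -Negate) +
        (New-UacBitFilter -Bits $DONT_EXPIRE_PASSWORD) + ")"
Get-ADUser -LDAPFilter $ldap -Properties userAccountControl |
    Select-Object SamAccountName, userAccountControl

# All disabled accounts, whatever else is set (replaces the exact match on 514).
Get-ADUser -LDAPFilter (New-UacBitFilter -Bits $ACCOUNTDISABLE) |
    Select-Object SamAccountName

# Accounts with settings worth reviewing: no password required, or Kerberos
# pre-authentication not required (either bit is enough to match).
$review = New-UacBitFilter -Bits $PASSWD_NOTREQD, $DONT_REQ_PREAUTH -Any
Get-ADUser -LDAPFilter $review -Properties userAccountControl |
    Select-Object SamAccountName, userAccountControl
```

The bitwise rules are what make a periodic audit reliable: a filter such as (userAccountControl:1.2.840.113556.1.4.803:=65536) keeps matching an account after someone also disables it or sets PASSWD_NOTREQD on it, whereas the exact-value filters silently stop matching as soon as any extra bit is set.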

PowerShell script to decode the UserAccountControl value

To make it more convenient, I want a tool that automatically converts the value of the UserAccountControl bit mask into a human-readable form. Let's try to write a simple PowerShell function that takes the decimal value of the UserAccountControl attribute and returns the list of enabled options for the account. Since UserAccountControl is a bit mask, you can assign a text description to each bit.

I wrote this PowerShell function DecodeUserAccountControl to convert the UserAccountControl value into readable information:

Function DecodeUserAccountControl ([int]$UAC)
Return $Attributes

Let's check what the UserAccountControl value 66050 means:

DecodeUserAccountControl 66050

As you can see, the script has returned that the following attributes are enabled for this user:


DecodeUserAccountControl PowerShell function

The same script can be used to decode UserAccountControl values on the fly when getting information about AD accounts in a convenient form using the Get-ADUser or Get-ADComputer cmdlets, for example:

Get-ADUser ms-pam -Properties * | Select-Object @


Get-ADComputer rome-dc01 -Properties * | Select-Object @


get-adcomputer with DecodeUserAccountControl
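The following is an added decoder of my own, not the article's DecodeUserAccountControl function, written to show both the bit-mask decoding described in this section and the on-the-fly use with a calculated property that the Get-ADUser / Get-ADComputer examples above illustrate. The function name ConvertFrom-UserAccountControl is an assumption of mine. Its flag table is the article's table plus three flags from Microsoft's documented ADS_USER_FLAG enumeration that the article does not list (WORKSTATION_TRUST_ACCOUNT 0x1000, SERVER_TRUST_ACCOUNT 0x2000, TRUSTED_FOR_DELEGATION 0x80000); without them the default workstation (4096) and domain controller (532480) values from the list above cannot be decoded. Everything except the final Get-ADUser call runs offline.

```powershell
# Added example (not the article's code): decode a userAccountControl value
# into the names of the flags that are set, then use it as a calculated
# property when listing AD accounts.

$UacFlags = [ordered]@{
    SCRIPT                     = 0x0001
    ACCOUNTDISABLE             = 0x0002
    HOMEDIR_REQUIRED           = 0x0008
    LOCKOUT                    = 0x0010
    PASSWD_NOTREQD             = 0x0020
    PASSWD_CANT_CHANGE         = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
    TEMP_DUPLICATE_ACCOUNT     = 0x0100
    NORMAL_ACCOUNT             = 0x0200
    WORKSTATION_TRUST_ACCOUNT  = 0x1000      # from ADS_USER_FLAG, not in the article's table
    SERVER_TRUST_ACCOUNT       = 0x2000      # from ADS_USER_FLAG, not in the article's table
    DONT_EXPIRE_PASSWORD       = 0x10000
    MNS_LOGON_ACCOUNT          = 0x20000
    SMARTCARD_REQUIRED         = 0x40000
    TRUSTED_FOR_DELEGATION     = 0x80000     # from ADS_USER_FLAG, not in the article's table
    NOT_DELEGATED              = 0x100000
    USE_DES_KEY_ONLY           = 0x200000
    DONT_REQ_PREAUTH           = 0x400000
    PASSWORD_EXPIRED           = 0x800000
    PARTIAL_SECRETS_ACCOUNT    = 0x04000000
}

function ConvertFrom-UserAccountControl {
    # Returns the names of the flags set in $Value, lowest bit first.
    # Bits that no known flag covers are reported as UNKNOWN_0x... so that an
    # unexpected value is never silently decoded as "nothing set".
    param([Parameter(Mandatory)][int64]$Value)
    $names   = @()
    $covered = 0
    foreach ($entry in $UacFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) {
            $names   += $entry.Key
            $covered  = $covered -bor $entry.Value
        }
    }
    $rest = $Value -band (-bnot $covered)
    if ($rest -ne 0) { $names += ('UNKNOWN_0x{0:X}' -f $rest) }
    return $names
}

# Worked values taken from the article: 66050, 66048 and 514, plus the three
# default values (regular user, domain controller, workstation/server).
foreach ($v in 66050, 66048, 514, 512, 532480, 4096) {
    '{0,8} (0x{0:X6}): {1}' -f $v, ((ConvertFrom-UserAccountControl $v) -join ' + ')
}

# On-the-fly decoding with a calculated property (needs the ActiveDirectory module).
Get-ADUser -Filter * -Properties userAccountControl |
    Select-Object SamAccountName, userAccountControl,
        @{ Name = 'Flags'; Expression = { (ConvertFrom-UserAccountControl $_.userAccountControl) -join ', ' } }
```

Working through the article's numbers with this table: 66050 decodes to ACCOUNTDISABLE + NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD, 66048 to NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD, 514 to ACCOUNTDISABLE + NORMAL_ACCOUNT, 532480 to SERVER_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION and 4096 to WORKSTATION_TRUST_ACCOUNT. The UNKNOWN_0x... fallback matters in practice: if a value ever carries a bit the table does not know, you want to see it rather than have the decoder pretend the account is plain.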
