UserAccountControl is without doubt one of the most important attributes of user and computer accounts in Active Directory. This attribute determines the status of the account in the AD domain: whether the account is active or disabled, whether the option to change the password at the next logon is enabled, whether users can change their passwords, and so on. However, not all administrators are fully aware of how and for what purpose the UserAccountControl attribute is used in AD.
Open the properties of any AD account in the Active Directory Users and Computers (ADUC) console and go to the Account tab. Note the group of user attributes in the Account Options section. Here you can see the following options:
- User must change password at next logon;
- User cannot change password;
- Password never expires;
- Store password using reversible encryption;
- Account is disabled;
- Smart card is required for interactive logon;
- Account is sensitive and cannot be delegated;
- Use Kerberos DES encryption types for this account;
- This account supports Kerberos AES 128/256 bit encryption;
- Do not require Kerberos preauthentication.
Each of these user account attributes is essentially a single bit that can be in state 1 (True) or 0 (False). However, these values are not stored as separate AD attributes; the UserAccountControl attribute is used instead.
- UserAccountControl as an Active Directory Attribute
- PowerShell script to decode the UserAccountControl value
UserAccountControl as an Active Directory Attribute
The combined value of all the options listed above is stored in the UserAccountControl attribute, i.e. instead of storing these options in different attributes, a single Active Directory attribute is used. UserAccountControl is a bit mask in which each bit is a separate flag with its own state (enabled or disabled). So, depending on which account options are enabled, a user can have different UserAccountControl attribute values. You can see the current value of the attribute in the corresponding Attribute Editor tab or using the Get-ADUser cmdlet in PowerShell:
Get-ADUser jkelly -Properties UserAccountControl | Select-Object Name,UserAccountControl | Format-Table
In this example the value of the attribute is 0x10202 (decimal value 66050). What do these numbers mean?
The table below lists the main flags of AD accounts. Each flag corresponds to a particular UserAccountControl bit, and the UserAccountControl value equals the sum of all enabled flags.
| UserAccountControl flag | HEX value | Decimal value |
|---|---|---|
| SCRIPT (Run the logon script) | 0x0001 | 1 |
| ACCOUNTDISABLE (The account is disabled) | 0x0002 | 2 |
| HOMEDIR_REQUIRED (The home folder is required) | 0x0008 | 8 |
| LOCKOUT (The account is locked out) | 0x0010 | 16 |
| PASSWD_NOTREQD (No password is required) | 0x0020 | 32 |
| PASSWD_CANT_CHANGE (Prevent the user from changing the password) | 0x0040 | 64 |
| ENCRYPTED_TEXT_PWD_ALLOWED (Store password using reversible encryption) | 0x0080 | 128 |
| TEMP_DUPLICATE_ACCOUNT (An account for a user whose primary account is in another domain) | 0x0100 | 256 |
| NORMAL_ACCOUNT (A default account, a typical active account) | 0x0200 | 512 |
| DONT_EXPIRE_PASSWORD (User accounts with passwords that do not expire) | 0x10000 | 65536 |
| SMARTCARD_REQUIRED (The user needs a smart card to log on to the network) | 0x40000 | 262144 |
| DONT_REQ_PREAUTH (Kerberos pre-authentication is not required) | 0x400000 | 4194304 |
| PASSWORD_EXPIRED (The user password has expired) | 0x800000 | 8388608 |
For example, take a regular account whose password never expires. Its userAccountControl value is calculated as follows:
NORMAL_ACCOUNT (512) + DONT_EXPIRE_PASSWORD (65536) = 66048
So the userAccountControl value from my example (66050) was obtained as follows:
NORMAL_ACCOUNT (512) + DONT_EXPIRE_PASSWORD (65536) + ACCOUNTDISABLE (2) = 66050
A disabled user account (ACCOUNTDISABLE set on a normal account) has 514 as its userAccountControl value:
NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2) = 514
Default UserAccountControl values for typical domain objects:
- A regular AD user: 0x200 (512);
- A domain controller: 0x82000 (532480);
- A workstation/server: 0x1000 (4096).
Using LDAP filters, you can select AD objects with a particular userAccountControl value. Note that an equality filter only matches accounts whose entire value is exactly that number; an account with one extra flag set is not returned. For example, to display all active (normal) accounts:
Get-ADUser -Properties * -LDAPFilter "(useraccountcontrol=512)"
Display the list of all disabled accounts:
Get-ADUser -Properties * -LDAPFilter "(useraccountcontrol=514)"
The list of accounts with the non-expiring password option:
Get-ADUser -Properties * -LDAPFilter "(useraccountcontrol=66048)"
You can also sum the required bits from the table into a variable and use it to select AD objects, for example:
# DONT_EXPIRE_PASSWORD + ENCRYPTED_TEXT_PWD_ALLOWED + USE_DES_KEY_ONLY
$UserAccountControl_hex = 0x10000 + 0x0080 + 0x200000
PowerShell script to decode the UserAccountControl value
To make this more convenient, I wanted a tool that automatically converts the UserAccountControl bit mask into a human-readable form. Let's try to write a simple PowerShell function that takes the decimal value of the UserAccountControl attribute and returns the list of options enabled for the account. Since UserAccountControl is a bit mask, you can assign a text description to each bit.
I wrote the following PowerShell function, DecodeUserAccountControl, to convert the UserAccountControl value into readable information:
Function DecodeUserAccountControl ([int]$UAC)
Let's check what the UserAccountControl value 66050 means:
As you can see, the function reports that the following attributes are enabled for this user:
ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
The same function can be used to decode UserAccountControl values on the fly when retrieving information about AD accounts in a convenient form with the Get-ADUser or Get-ADComputer cmdlets, for example:
get-aduser ms-pam -properties *|select @
ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
get-adcomputer rome-dc01 -properties *|select @
SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
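The following script is an added example, not the author's DecodeUserAccountControl function or any code from the original article. It serves both the bit-summing filter section above and the decoder section: it holds the full documented set of UserAccountControl flags (including the WORKSTATION_TRUST_ACCOUNT, SERVER_TRUST_ACCOUNT and TRUSTED_FOR_DELEGATION bits behind the default values 4096 and 532480), decodes a value into flag names, and builds an LDAP filter with the bitwise-AND matching rule 1.2.840.113556.1.4.803 so that a query matches every account that has a given bit set, whatever its other bits. The function names ConvertFrom-UserAccountControl, Get-UacMask and New-UacBitFilter are assumptions chosen for this example, and the sample values are constructed; the Get-ADUser call at the end runs only when the ActiveDirectory module is present.

```powershell
# Added example (not the article's own code). Flag names and values are the
# documented Microsoft UserAccountControl bits; function names are assumptions.

$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000
}

# Decode a UserAccountControl value into the names of the bits that are set,
# in ascending bit order (the same order the article's output shows).
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$UAC)
    $set = foreach ($f in $UacFlags.GetEnumerator()) {
        if ($UAC -band $f.Value) { $f.Key }
    }
    return ($set -join ' | ')
}

# Look up the numeric mask of a flag by name; unknown names fail loudly.
function Get-UacMask {
    param([Parameter(Mandatory)][string]$Name)
    if (-not $UacFlags.Contains($Name)) { throw "Unknown UserAccountControl flag: $Name" }
    return [int]$UacFlags[$Name]
}

# Build an LDAP filter that matches accounts with ALL of -Flag set and NONE of
# -NotFlag set. 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the
# filter tests individual bits instead of requiring an exact value match.
function New-UacBitFilter {
    param([string[]]$Flag = @(), [string[]]$NotFlag = @())
    $rule  = '1.2.840.113556.1.4.803'
    $parts = [System.Collections.Generic.List[string]]::new()
    foreach ($n in $Flag)    { $parts.Add("(userAccountControl:${rule}:=$(Get-UacMask $n))") }
    foreach ($n in $NotFlag) { $parts.Add("(!(userAccountControl:${rule}:=$(Get-UacMask $n)))") }
    if ($parts.Count -eq 0) { throw 'Specify at least one flag' }
    if ($parts.Count -eq 1) { return $parts[0] }
    return '(&' + ($parts -join '') + ')'
}

# Constructed sample values: the article's 66050 and 514, the domain controller
# default 532480 and the workstation/server default 4096.
foreach ($v in 66050, 514, 532480, 4096) {
    '{0,8} (0x{0:X}) -> {1}' -f $v, (ConvertFrom-UserAccountControl $v)
}

# Enabled accounts whose password never expires, regardless of any other bits;
# an equality filter such as (useraccountcontrol=66048) would miss accounts
# that also have, say, PASSWD_CANT_CHANGE set.
$filter = New-UacBitFilter -Flag DONT_EXPIRE_PASSWORD -NotFlag ACCOUNTDISABLE
$filter

# Only query the domain when the ActiveDirectory module is available.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -LDAPFilter $filter -Properties UserAccountControl |
        Select-Object SamAccountName,
            @{ Name = 'UAC'; Expression = { ConvertFrom-UserAccountControl $_.UserAccountControl } }
}
```

The decoder walks the ordered table and tests each bit with -band, so flags the article's table omits (such as the trust-account bits on computer objects) are decoded the same way as the common ones. The filter builder is where the bitwise matching rule matters: an audit for accounts with a risky option enabled (for example DONT_REQ_PREAUTH or PASSWD_NOTREQD) should test the bit, not the exact value, or accounts carrying additional flags silently drop out of the result.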