Recipe 15.7. Setting a Domain User's Account Options

Problem

You want to view or update the userAccountControl attribute for a domain user. This attribute controls various account options, such as whether the user must change his password at next logon and whether the account is disabled.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in (dsa.msc).

  2. In the left pane, right-click on the domain and select Find.

  3. Select the appropriate domain beside In.

  4. Beside Name, type the name of the user and click Find Now.

  5. In the Search Results, double-click on the user.

  6. Select the Account tab.

  7. Many of the userAccountControl flags can be set under Account options.

  8. Click OK after you're done.

Using a command-line interface

The dsmod user command has several options for setting various userAccountControl flags as shown in Table 15-1. Each switch accepts yes or no as a parameter to either enable or disable the setting.

Using VBScript
Using VBScript

' This code enables or disables a bit value in the userAccountControl attr.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>"     ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
intBit = <BitValue>        ' e.g. 65536
boolEnable = <TrueOrFalse> ' e.g. TRUE
' ------ END CONFIGURATION ---------
strAttr = "userAccountControl"
set objUser = GetObject("LDAP://" & strUserDN)
' Read the current bit flags, then compute the new value
intBitsOrig = objUser.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnable)
' Only write back to the directory if something actually changed
if intBitsOrig <> intBitsCalc then
   objUser.Put strAttr, intBitsCalc
   objUser.SetInfo
   WScript.Echo "Changed " & strAttr & " from " & _
                intBitsOrig & " to " & intBitsCalc
else
   WScript.Echo "Did not need to change " & strAttr & " (" & _
                 intBitsOrig & ")"
end if

' Returns intValue with intBit set (boolEnable = TRUE) or cleared (FALSE).
' Xor is only applied when the bit is already set, so clearing is safe.
Function CalcBit(intValue, intBit, boolEnable)
   CalcBit = intValue
   if boolEnable = TRUE then
      CalcBit = intValue Or intBit
   else
      if intValue And intBit then
         CalcBit = intValue Xor intBit
      end if
   end if
End Function

Discussion

The userAccountControl attribute on user (and computer) accounts could be considered the kitchen sink of miscellaneous and sometimes completely unrelated user account properties. If you do much creating and managing of user accounts, you'll need to become intimately familiar with this attribute.

The userAccountControl attribute is a bit flag, which means you have to take a couple extra steps to search against it or modify it. For more on searching and modifying a bit flag attribute, see Recipes 4.10 and 4.13 in Active Directory Cookbook.

The dsmod user command can be used to modify a subset of userAccountControl properties as shown in Table 15-1. Table 15-2 contains the complete list of userAccountControl properties as defined in the ADS_USER_FLAG_ENUM enumeration.

Table 15-1. dsmod user options for setting userAccountControl

dsmod user switch   Description
-mustchpwd          Sets whether the user must change password at next logon.
-canchpwd           Sets whether the user can change his password.
-disabled           Sets account status to enabled or disabled.
-reversiblepwd      Sets whether the user's password is stored using reversible encryption.
-pwdneverexpires    Sets whether the user's password never expires.

Table 15-2. ADS_USER_FLAG_ENUM values

Name                                           Value      Description
ADS_UF_SCRIPT                                  1          Logon script is executed
ADS_UF_ACCOUNTDISABLE                          2          Account is disabled
ADS_UF_HOMEDIR_REQUIRED                        8          Home directory is required
ADS_UF_LOCKOUT                                 16         Account is locked out
ADS_UF_PASSWD_NOTREQD                          32         A password is not required
ADS_UF_PASSWD_CANT_CHANGE                      64         Read-only flag that indicates if the user cannot change his password
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED         128        Store password using reversible encryption
ADS_UF_TEMP_DUPLICATE_ACCOUNT                  256        Account provides access to the domain, but not to any other domain that trusts the domain
ADS_UF_NORMAL_ACCOUNT                          512        Enabled user account
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT               2048       A permit to trust account for a system domain that trusts other domains
ADS_UF_WORKSTATION_TRUST_ACCOUNT               4096       Enabled computer account
ADS_UF_SERVER_TRUST_ACCOUNT                    8192       Computer account for a backup domain controller
ADS_UF_DONT_EXPIRE_PASSWD                      65536      Password will not expire
ADS_UF_MNS_LOGON_ACCOUNT                       131072     MNS logon account
ADS_UF_SMARTCARD_REQUIRED                      262144     Smart card is required for logon
ADS_UF_TRUSTED_FOR_DELEGATION                  524288     Allow Kerberos delegation
ADS_UF_NOT_DELEGATED                           1048576    Do not allow Kerberos delegation even if ADS_UF_TRUSTED_FOR_DELEGATION is enabled
ADS_UF_USE_DES_KEY_ONLY                        2097152    Requires DES encryption for keys
ADS_UF_DONT_REQUIRE_PREAUTH                    4194304    Account does not require Kerberos pre-authentication for logon
ADS_UF_PASSWORD_EXPIRED                        8388608    Read-only flag indicating the account's password has expired. Used only with the WinNT provider
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION  16777216   Account is enabled for delegation


See Also

Go to MSDN (http://msdn.microsoft.com) and search for "ADS_USER_FLAG_ENUM enumeration"



Windows XP Cookbook
ISBN: 0596007256
Year: 2006
Pages: 408