Recipe 6.24 Setting a User's Account Options (userAccountControl)

6.24.1 Problem

You want to view or update the userAccountControl attribute for a user. This attribute controls various account options, such as whether the user must change their password at next logon and whether the account is disabled.

6.24.2 Solution

6.24.2.1 Using a graphical user interface
  1. Open the Active Directory Users and Computers snap-in.

  2. In the left pane, right-click on the domain and select Find.

  3. Select the appropriate domain beside In.

  4. Beside Name, type the name of the user and click Find Now.

  5. In the Search Results, double-click on the user.

  6. Select the Account tab.

  7. Many of the userAccountControl flags can be set under Account options.

  8. Click OK after you're done.

6.24.2.2 Using a command-line interface

The dsmod user command has several options for setting various userAccountControl flags, as shown in Table 6-2. Each switch accepts yes or no as a parameter to either enable or disable the setting.

Table 6-2. dsmod user options for setting userAccountControl

  dsmod user switch    Description
  -----------------    -----------
  -mustchpwd           Sets whether the user must change password at next logon.
  -canchpwd            Sets whether the user can change his password.
  -disabled            Sets the account status to enabled or disabled.
  -reversiblepwd       Sets whether the user's password is stored using reversible encryption.
  -pwdneverexpires     Sets whether the user's password never expires.

6.24.2.3 Using VBScript
' This code enables or disables a bit value in the userAccountControl attr.
' See Recipe 4.12 for the code for the CalcBit function.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>"     ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
intBit = <BitValue>        ' e.g. 65536
boolEnable = <TrueOrFalse> ' e.g. TRUE
' ------ END CONFIGURATION ---------
strAttr = "userAccountControl"
' Bind to the user object and read the current flag value
set objUser = GetObject("LDAP://" & strUserDN)
intBitsOrig = objUser.Get(strAttr)
' CalcBit sets or clears only the requested bit and leaves the rest intact
intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnable)
' Only write back (and report) when the value actually changed
if intBitsOrig <> intBitsCalc then
   objUser.Put strAttr, intBitsCalc
   objUser.SetInfo
   WScript.Echo "Changed " & strAttr & " from " & _
                intBitsOrig & " to " & intBitsCalc
else
   WScript.Echo "Did not need to change " & strAttr & " (" & _
                intBitsOrig & ")"
end if

6.24.3 Discussion

The userAccountControl attribute on user (and computer) objects could be considered the kitchen sink of miscellaneous and sometimes completely unrelated user account properties. If you do much work creating and managing user objects, you'll need to become intimately familiar with this attribute.

The userAccountControl attribute is a bit flag, which means you have to take a couple of extra steps to search against it or modify it. See Recipe 4.9 for more on searching with a bit-wise filter and Recipe 4.12 for modifying a bit-flag attribute.

The dsmod user command can be used to modify a subset of userAccountControl properties, as shown in Table 6-2. Table 6-3 contains the complete list of userAccountControl properties as defined in the ADS_USER_FLAG_ENUM enumeration.

Table 6-3. ADS_USER_FLAG_ENUM values

  Name                                            Value      Description
  ----                                            -----      -----------
  ADS_UF_SCRIPT                                   1          Logon script is executed.
  ADS_UF_ACCOUNTDISABLE                           2          Account is disabled.
  ADS_UF_HOMEDIR_REQUIRED                         8          Home directory is required.
  ADS_UF_LOCKOUT                                  16         Account is locked out.
  ADS_UF_PASSWD_NOTREQD                           32         A password is not required.
  ADS_UF_PASSWD_CANT_CHANGE                       64         Read-only flag that indicates whether the user cannot change their password.
  ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED          128        Store password using reversible encryption.
  ADS_UF_TEMP_DUPLICATE_ACCOUNT                   256        Account provides access to this domain, but not to any other domain that trusts this domain.
  ADS_UF_NORMAL_ACCOUNT                           512        Enabled user account.
  ADS_UF_INTERDOMAIN_TRUST_ACCOUNT                2048       Trust account for a system domain that trusts other domains.
  ADS_UF_WORKSTATION_TRUST_ACCOUNT                4096       Enabled computer account.
  ADS_UF_SERVER_TRUST_ACCOUNT                     8192       Computer account for a backup domain controller.
  ADS_UF_DONT_EXPIRE_PASSWD                       65536      Password will not expire.
  ADS_UF_MNS_LOGON_ACCOUNT                        131072     MNS logon account.
  ADS_UF_SMARTCARD_REQUIRED                       262144     Smart card is required for logon.
  ADS_UF_TRUSTED_FOR_DELEGATION                   524288     Allow Kerberos delegation.
  ADS_UF_NOT_DELEGATED                            1048576    Do not allow Kerberos delegation even if ADS_UF_TRUSTED_FOR_DELEGATION is enabled.
  ADS_UF_USE_DES_KEY_ONLY                         2097152    Requires DES encryption for keys.
  ADS_UF_DONT_REQUIRE_PREAUTH                     4194304    Account does not require Kerberos preauthentication for logon.
  ADS_UF_PASSWORD_EXPIRED                         8388608    Read-only flag indicating that the account's password has expired. Only used with the WinNT provider.
  ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION   16777216   Account is enabled for delegation.
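The VBScript in the Solution delegates the flag arithmetic to CalcBit, and Table 6-3 supplies the bit values it operates on. The following Python script is an added example and is not code from the Active Directory Cookbook: it encodes Table 6-3 as a lookup, decodes a raw userAccountControl value into flag names, reproduces the set-or-clear step that CalcBit performs (so a no-op change is detected the way the script's else branch does), builds the bit-wise AND search filter that Recipe 4.9 refers to, and reports flags on accounts that a defender usually wants to review. The LDAP_MATCHING_RULE_BIT_AND OID (1.2.840.113556.1.4.803) is a known Active Directory constant that does not appear on this page; the sample account values and the RISKY_FLAGS selection are constructed for the example, and nothing here connects to a directory.

```python
"""Decode, set and audit userAccountControl bit flags offline.

Added example (not from the Active Directory Cookbook). It uses only the
ADS_USER_FLAG_ENUM values from Table 6-3 and constructed sample accounts,
so it runs without any directory connection.
"""

# ADS_USER_FLAG_ENUM values exactly as listed in Table 6-3 (table order).
ADS_USER_FLAG_ENUM = {
    "ADS_UF_SCRIPT": 1,
    "ADS_UF_ACCOUNTDISABLE": 2,
    "ADS_UF_HOMEDIR_REQUIRED": 8,
    "ADS_UF_LOCKOUT": 16,
    "ADS_UF_PASSWD_NOTREQD": 32,
    "ADS_UF_PASSWD_CANT_CHANGE": 64,
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 128,
    "ADS_UF_TEMP_DUPLICATE_ACCOUNT": 256,
    "ADS_UF_NORMAL_ACCOUNT": 512,
    "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT": 2048,
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT": 4096,
    "ADS_UF_SERVER_TRUST_ACCOUNT": 8192,
    "ADS_UF_DONT_EXPIRE_PASSWD": 65536,
    "ADS_UF_MNS_LOGON_ACCOUNT": 131072,
    "ADS_UF_SMARTCARD_REQUIRED": 262144,
    "ADS_UF_TRUSTED_FOR_DELEGATION": 524288,
    "ADS_UF_NOT_DELEGATED": 1048576,
    "ADS_UF_USE_DES_KEY_ONLY": 2097152,
    "ADS_UF_DONT_REQUIRE_PREAUTH": 4194304,
    "ADS_UF_PASSWORD_EXPIRED": 8388608,
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 16777216,
}

# Flags worth a review on any account; this selection is the example's own choice.
RISKY_FLAGS = {
    "ADS_UF_PASSWD_NOTREQD": "blank password permitted",
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": "password stored with reversible encryption",
    "ADS_UF_DONT_EXPIRE_PASSWD": "password never expires",
    "ADS_UF_TRUSTED_FOR_DELEGATION": "unconstrained Kerberos delegation",
    "ADS_UF_USE_DES_KEY_ONLY": "DES-only Kerberos keys",
    "ADS_UF_DONT_REQUIRE_PREAUTH": "Kerberos preauthentication not required",
}

# Known AD matching-rule OID for bit-wise AND (not from this page).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Return the names of all flags set in a userAccountControl value, in table order."""
    return [name for name, bit in ADS_USER_FLAG_ENUM.items() if value & bit]


def calc_bit(bits_orig, bit, enable):
    """Set or clear one flag and leave every other bit untouched (what CalcBit does)."""
    return bits_orig | bit if enable else bits_orig & ~bit


def bitwise_and_filter(flag_name):
    """LDAP filter that matches objects with the given flag set (the Recipe 4.9 technique)."""
    bit = ADS_USER_FLAG_ENUM[flag_name]
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={bit})"


def audit_accounts(accounts):
    """Map each account name to the human-readable risky flags present on it."""
    findings = {}
    for name, uac in accounts.items():
        hits = [RISKY_FLAGS[f] for f in decode_uac(uac) if f in RISKY_FLAGS]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample values; they are not taken from any real directory.
SAMPLE_ACCOUNTS = {
    "rallen": 512,                       # normal, enabled account
    "svc-backup": 512 + 65536 + 524288,  # never expires + unconstrained delegation
    "old-temp": 512 + 2,                 # disabled normal account
    "legacy-app": 512 + 4194304,         # Kerberos preauthentication not required
}

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(f"{name}: {uac} -> {', '.join(decode_uac(uac))}")
    # Same check as the VBScript: only report when the value actually changes.
    before = SAMPLE_ACCOUNTS["rallen"]
    after = calc_bit(before, ADS_USER_FLAG_ENUM["ADS_UF_DONT_EXPIRE_PASSWD"], True)
    print(f"rallen: {'changed' if before != after else 'no change'} {before} -> {after}")
    print(bitwise_and_filter("ADS_UF_DONT_EXPIRE_PASSWD"))
    for name, hits in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"REVIEW {name}: {'; '.join(hits)}")
```

Because the lookup preserves Table 6-3 order, decode_uac lists flags from lowest to highest bit, which makes two decoded values easy to compare side by side; calc_bit returns the original value unchanged when the requested state is already in effect, which is exactly the case the VBScript handles in its else branch.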

6.24.4 See Also

Recipe 4.12 for setting a bit-flag attribute and MSDN: ADS_USER_FLAG_ENUM



Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
Year: 2006
Pages: 456