Recipe 16.9. Setting a User's Account Options

Problem

You want to view or update the userAccountControl attribute for a user. This attribute controls various account options, for example whether the user must change his password at next logon and whether the account is disabled.

Solution

Using a graphical user interface

1. Open the ADUC snap-in.
2. In the left pane, right-click on the domain and select Find.
3. Select the appropriate domain beside In.
4. Beside Name, type the name of the user and click Find Now.
5. In the Search Results, double-click on the user.
6. Select the Account tab. Many of the userAccountControl flags can be set under Account options.
7. Click OK after you're done.

Using a command-line interface

The dsmod user command has several switches for setting individual userAccountControl flags; they are listed in Table 16-1 in the Discussion section. Each switch accepts yes or no as a parameter to either enable or disable the setting.

Using VBScript

    ' This code enables or disables a bit value in the userAccountControl attr.
    ' ------ SCRIPT CONFIGURATION ------
    strUserDN = "<UserDN>"       ' e.g., cn=rallen,ou=Sales,dc=rallencorp,dc=com
    intBit = <BitValue>          ' e.g., 65536 (ADS_UF_DONT_EXPIRE_PASSWD)
    boolEnable = <TrueOrFalse>   ' e.g., TRUE
    ' ------ END CONFIGURATION ---------

    strAttr = "userAccountControl"
    set objUser = GetObject("LDAP://" & strUserDN)

    ' Read the current value, compute the new one, and write it back only
    ' if the requested bit actually changed.
    intBitsOrig = objUser.Get(strAttr)
    intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnable)
    if intBitsOrig <> intBitsCalc then
       objUser.Put strAttr, intBitsCalc
       objUser.SetInfo
       WScript.Echo "Changed " & strAttr & " from " & _
                    intBitsOrig & " to " & intBitsCalc
    else
       WScript.Echo "Did not need to change " & strAttr & " (" & _
                    intBitsOrig & ")"
    end if

    ' Return intValue with intBit set (boolEnable = TRUE) or cleared
    ' (boolEnable = FALSE), leaving every other bit untouched.
    Function CalcBit(intValue, intBit, boolEnable)
       CalcBit = intValue
       if boolEnable = TRUE then
          CalcBit = intValue Or intBit
       else
          ' Only Xor when the bit is set; Xor on a clear bit would set it.
          if intValue And intBit then
             CalcBit = intValue Xor intBit
          end if
       end if
    End Function

Discussion

The userAccountControl attribute on user (and computer) objects could be considered the kitchen sink of miscellaneous and sometimes completely unrelated account properties. If you do much creating and managing of user objects, you need to become intimately familiar with this attribute.

The attribute is a bit flag: its integer value is the sum of the individual flag values in Table 16-2. A normal enabled user is 512, the same user disabled is 514 (512 + 2), and a normal user whose password never expires is 66048 (512 + 65536). That is why you have to take a couple of extra steps to search against or modify it: to search, use an LDAP bitwise matching rule instead of an equality match, and to modify, read the current value, set or clear only the bit you care about, and write the result back, as the VBScript solution does. For more on searching and modifying a bit-flag attribute, see Recipes 4.10 and 4.13 in Active Directory Cookbook (O'Reilly).

A few flags deserve caution. ADS_UF_LOCKOUT and ADS_UF_PASSWORD_EXPIRED are computed by the system and are not maintained in userAccountControl in Active Directory; on Windows Server 2003 and later, read the constructed attribute msDS-User-Account-Control-Computed to see them. ADS_UF_PASSWD_CANT_CHANGE is likewise read-only here: in Active Directory, "user cannot change password" is enforced by an ACE on the user object, not by this bit. Finally, several flags weaken the account's authentication and should be audited rather than set casually: ADS_UF_PASSWD_NOTREQD, ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED, ADS_UF_USE_DES_KEY_ONLY, ADS_UF_DONT_REQUIRE_PREAUTH, and the delegation flags ADS_UF_TRUSTED_FOR_DELEGATION and ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION.

The dsmod user command can be used to modify a subset of userAccountControl properties, as shown in Table 16-1. Table 16-2 lists the userAccountControl flags as defined in the ADS_USER_FLAG_ENUM enumeration.

Table 16-1. dsmod user options for setting userAccountControl

dsmod user switch | Description
---|---
-mustchpwd | Sets whether the user must change password at next logon
-canchpwd | Sets whether the user can change his password
-disabled | Sets whether the account is disabled
-reversiblepwd | Sets whether the user's password is stored using reversible encryption
-pwdneverexpires | Sets whether the user's password never expires
Table 16-2. ADS_USER_FLAG_ENUM values

Name | Value | Description
---|---|---
ADS_UF_SCRIPT | 1 | Logon script is executed
ADS_UF_ACCOUNTDISABLE | 2 | Account is disabled
ADS_UF_HOMEDIR_REQUIRED | 8 | Home directory is required
ADS_UF_LOCKOUT | 16 | Account is locked out (computed; not stored in userAccountControl by Active Directory)
ADS_UF_PASSWD_NOTREQD | 32 | A password is not required
ADS_UF_PASSWD_CANT_CHANGE | 64 | Read-only flag that indicates the user cannot change his password
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED | 128 | Store password using reversible encryption
ADS_UF_TEMP_DUPLICATE_ACCOUNT | 256 | Account for a user whose primary account is in another domain; provides access to this domain, but not to any domain that trusts this domain
ADS_UF_NORMAL_ACCOUNT | 512 | Default account type for a user object (512 alone is a normal enabled user; 514 is the same account disabled)
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT | 2048 | A permit to trust account for a system domain that trusts other domains
ADS_UF_WORKSTATION_TRUST_ACCOUNT | 4096 | Default account type for a computer object (workstation or member server)
ADS_UF_SERVER_TRUST_ACCOUNT | 8192 | Computer account for a domain controller (backup domain controller in NT terms)
ADS_UF_DONT_EXPIRE_PASSWD | 65536 | Password will not expire
ADS_UF_MNS_LOGON_ACCOUNT | 131072 | MNS logon account
ADS_UF_SMARTCARD_REQUIRED | 262144 | Smart card is required for logon
ADS_UF_TRUSTED_FOR_DELEGATION | 524288 | Allow Kerberos delegation (unconstrained)
ADS_UF_NOT_DELEGATED | 1048576 | Account is sensitive and cannot be delegated: its credentials are not forwarded to a service even if that service's account has ADS_UF_TRUSTED_FOR_DELEGATION set
ADS_UF_USE_DES_KEY_ONLY | 2097152 | Restricts the account's Kerberos keys to DES
ADS_UF_DONT_REQUIRE_PREAUTH | 4194304 | Account does not require Kerberos preauthentication for logon
ADS_UF_PASSWORD_EXPIRED | 8388608 | Read-only flag indicating that the account's password has expired. Used only with the WinNT provider.
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION | 16777216 | Account is trusted to authenticate for delegation (constrained delegation with protocol transition); security-sensitive and should be tightly controlled
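The bit-flag handling the Discussion describes, as an added example that is not part of the original recipe: it decodes a userAccountControl value into flag names from Table 16-2, sets or clears one bit the way CalcBit does (clearing with AND NOT so that repeating the operation is harmless), and builds the extensible-match LDAP filters (matching rule OIDs 1.2.840.113556.1.4.803 for "all bits set" and 1.2.840.113556.1.4.804 for "any bit set") that a search against this attribute needs. It does not connect to a directory; the account values are constructed, and the RISKY_FLAGS list is this example's own choice of flags worth auditing, not a Microsoft definition.

```python
"""Work with userAccountControl as a bit flag: decode a value, set or clear
one bit without disturbing the others, and build the LDAP bitwise filters
needed to search on it.  Added example; it does not talk to a directory."""
from __future__ import annotations

# ADS_USER_FLAG_ENUM values, as listed in Table 16-2.
UAC_FLAGS: dict[str, int] = {
    "ADS_UF_SCRIPT": 1,
    "ADS_UF_ACCOUNTDISABLE": 2,
    "ADS_UF_HOMEDIR_REQUIRED": 8,
    "ADS_UF_LOCKOUT": 16,
    "ADS_UF_PASSWD_NOTREQD": 32,
    "ADS_UF_PASSWD_CANT_CHANGE": 64,
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 128,
    "ADS_UF_TEMP_DUPLICATE_ACCOUNT": 256,
    "ADS_UF_NORMAL_ACCOUNT": 512,
    "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT": 2048,
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT": 4096,
    "ADS_UF_SERVER_TRUST_ACCOUNT": 8192,
    "ADS_UF_DONT_EXPIRE_PASSWD": 65536,
    "ADS_UF_MNS_LOGON_ACCOUNT": 131072,
    "ADS_UF_SMARTCARD_REQUIRED": 262144,
    "ADS_UF_TRUSTED_FOR_DELEGATION": 524288,
    "ADS_UF_NOT_DELEGATED": 1048576,
    "ADS_UF_USE_DES_KEY_ONLY": 2097152,
    "ADS_UF_DONT_REQUIRE_PREAUTH": 4194304,
    "ADS_UF_PASSWORD_EXPIRED": 8388608,
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 16777216,
}

# Flags that weaken authentication.  This selection is the example's own
# assumption about what an audit should surface, not a Microsoft list.
RISKY_FLAGS = (
    "ADS_UF_PASSWD_NOTREQD",
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    "ADS_UF_TRUSTED_FOR_DELEGATION",
    "ADS_UF_USE_DES_KEY_ONLY",
    "ADS_UF_DONT_REQUIRE_PREAUTH",
)

# Extensible-match rule OIDs understood by Active Directory.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all listed bits set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any listed bit set


def decode(value: int) -> list[str]:
    """Names of every flag set in a userAccountControl value, in bit order."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def set_flag(value: int, flag: str, enable: bool) -> int:
    """Return value with one flag set or cleared, leaving all other bits alone.
    This is what the recipe's CalcBit does; clearing with AND NOT rather than
    XOR makes the operation safe to repeat on a bit that is already clear."""
    bit = UAC_FLAGS[flag]
    return value | bit if enable else value & ~bit


def bitwise_filter(bits: int, all_of: bool = True,
                   attr: str = "userAccountControl") -> str:
    """LDAP filter matching objects whose attr has all (or any) of `bits` set.
    A plain (userAccountControl=2) would miss a disabled user stored as 514."""
    rule = LDAP_MATCHING_RULE_BIT_AND if all_of else LDAP_MATCHING_RULE_BIT_OR
    return f"({attr}:{rule}:={bits})"


def risky_filter() -> str:
    """Filter for any account carrying at least one of RISKY_FLAGS."""
    mask = sum(UAC_FLAGS[f] for f in RISKY_FLAGS)
    return bitwise_filter(mask, all_of=False)


def audit(accounts: dict[str, int]) -> dict[str, list[str]]:
    """Map each account name to the risky flags set on it (empty if none)."""
    return {name: [f for f in RISKY_FLAGS if uac & UAC_FLAGS[f]]
            for name, uac in accounts.items()}


# Constructed sample values; not read from a real directory.
SAMPLE_ACCOUNTS = {
    "rallen": 512,            # normal enabled user
    "jdoe": 514,              # 512 + 2: same account, disabled
    "svc-backup": 66048,      # 512 + 65536: password never expires
    "legacy-app": 4194848,    # 512 + 32 + 4194304: no password, no preauth
    "fileserver$": 4096,      # workstation trust account (computer)
}

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(f"{name:12} {uac:>9}  {' | '.join(decode(uac))}")
    print("disabled users:", bitwise_filter(2))
    print("risky accounts:", risky_filter())
    print(audit(SAMPLE_ACCOUNTS))
```

The filter strings are what you would hand to a real search, for example as the -LDAPFilter argument of Get-ADUser or the filter argument of ldapsearch; the sum-of-bits mask with the BIT_OR rule finds every account with at least one of the listed flags in a single query, whereas the BIT_AND rule with a single flag value is the right way to find, say, all disabled accounts regardless of which other bits they carry.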
See Also

MSDN: ADS_USER_FLAG_ENUM