Recipe16.9.Setting a User s Account Options

Previous page
Table of content
Next page

Recipe 16.9. Setting a User's Account Options

Problem

You want to view or update the userAccountControl attribute for a user. This attribute controls various account options; for example, the user must change his password at next logon and whether the account is disabled.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in.

  2. In the left pane, right-click on the domain and select Find.

  3. Select the appropriate domain beside In.

  4. Beside Name, type the name of the user and click Find Now.

  5. In the Search Results, double-click on the user.

  6. Select the Account tab.

  7. Many of the userAccountControl flags can be set under Account options.

  8. Click OK after you're done.

Using a command-line interface

The dsmod user command has several options for setting various userAccountControl flags, which are listed in the Discussion section. Each switch accepts yes or no as a parameter to either enable or disable the setting.

Using VBScript
' This code enables or disables a bit value in the userAccountControl attr. ' ------ SCRIPT CONFIGURATION ------ strUserDN = "<UserDN>"     ' e.g., cn=rallen,ou=Sales,dc=rallencorp,dc=com intBit = <BitValue>        ' e.g., 65536 boolEnable = <TrueOrFalse> ' e.g., trUE ' ------ END CONFIGURATION --------- strAttr = "userAccountControl" set objUser = GetObject("LDAP://" & strUserDN) intBitsOrig = objUser.Get(strAttr) intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnable) if intBitsOrig <> intBitsCalc then    objUser.Put strAttr, intBitsCalc    objUser.SetInfo    WScript.Echo "Changed " & strAttr & " from " & _                 intBitsOrig & " to " & intBitsCalc else    WScript.Echo "Did not need to change " & strAttr & " (" & _                  intBitsOrig & ")" end if     Function CalcBit(intValue, intBit, boolEnable)    CalcBit = intValue    if boolEnable = TRUE then       CalcBit = intValue Or intBit    else       if intValue And intBit then          CalcBit = intValue Xor intBit       end if    end if End Function

Discussion

The userAccountControl attribute on user (and computer) objects could be considered the kitchen sink of miscellaneous and sometimes completely unrelated user account properties. If you have to do much creating and managing user objects, you'll need to become intimately familiar with this attribute.

The userAccountControl attribute is a bit flag, which means you have to take a couple extra steps to search against or modify it. For more on searching and modifying a bit flag attribute, see Recipes 4.10 and 4.13 in Active Directory Cookbook (O'Reilly).

The dsmod user command can be used to modify a subset of userAccountControl properties, as shown in Table 16-1. Table 16-2 lists userAccountControl properties as defined in the ADS_USER_FLAG_ENUM enumeration.

Table 16-1. dsmod user options for setting userAccountControl

dsmod user switch

Description

-mustchpwd

Sets whether the user must change password at next logon

-canchpwd

Sets whether the user can change his password

-disabled

Set account status to enabled or disabled

-reversiblepwd

Sets whether the user's password is stored using reversible encryption

-pwdneverexpires

Sets whether the user's password never expires


Table 16-2. ADS_USER_FLAG_ENUM values

Name

Value

Description

ADS_UF_SCRIPT

1

Logon script is executed

ADS_UF_ACCOUNTDISABLE

2

Account is disabled

ADS_UF_HOMEDIR_REQUIRED

8

Home Directory is required

ADS_UF_LOCKOUT

16

Account is locked out

ADS_UF_PASSWD_NOTREQD

32

A password is not required

ADS_UF_PASSWD_CANT_CHANGE

64

Read-only flag that indicates if the user cannot change his password

ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED

128

Store password using reversible encryption

ADS_UF_TEMP_DUPLICATE_ACCOUNT

256

Account provides access to the domain, but not to any other domain that trusts the domain

ADS_UF_NORMAL_ACCOUNT

512

Enabled user account

ADS_UF_INTERDOMAIN_TRUST_ACCOUNT

2048

A permit to trust account for a system domain that trusts other domains

ADS_UF_WORKSTATION_TRUST_ACCOUNT

4096

Enabled computer account

ADS_UF_SERVER_TRUST_ACCOUNT

8192

Computer account for backup domain controller

ADS_UF_DONT_EXPIRE_PASSWD

65536

Password will not expire

ADS_UF_MNS_LOGON_ACCOUNT

131072

MNS logon account

ADS_UF_SMARTCARD_REQUIRED

262144

Smart card is required for logon

ADS_UF_TRUSTED_FOR_DELEGATION

524288

Allow Kerberos delegation

ADS_UF_NOT_DELEGATED

1048576

Do not allow Kerberos delegation even if ADS_UF_TRUSTED_FOR_DELETATION is enabled

ADS_UF_USE_DES_KEY_ONLY

2097152

Requires DES encryption for keys

ADS_UF_DONT_REQUIRE_PREAUTH

4194304

Account does not require Kerberos preauthentication for logon

ADS_UF_PASSWORD_EXPIRED

8388608

Read-only flag indicating account's password has expired. Used only with the WinNT provider.

ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

16777216

Account is enabled for delegation


See Also

MSDN: ADS_USER_FLAG_ENUM


Previous page
Table of content
Next page
Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
BUY ON AMAZON
Java I/O
WebLogic: The Definitive Guide
Introduction to 80x86 Assembly Language and Computer Architecture
Oracle SQL*Plus: The Definitive Guide (Definitive Guides)
Java All-In-One Desk Reference For Dummies
Digital Character Animation 3 (No. 3)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy