Using UserAccountControl Flags to Manipulate Properties - ShellGeek (2024)

The Active Directory UserAccountControl attribute is a set of flags that you read to view, or modify to change, the settings of a user (or computer) account.

The UserAccountControl value represents which options are enabled for that account.

Both the Ldp.exe tool and the Adsiedit.msc snap-in show the UserAccountControl value in Active Directory.

Ldp.exe shows the value in hexadecimal; Adsiedit.msc shows it in decimal.

In this article, we list the available UserAccountControl flags and show how to assign or change the attribute value by combining them.

Some flag values on a user or computer object cannot be changed directly, because they are set or reset by the directory service itself.


UserAccountControl Flags or Attribute Values

All UserAccountControl flag values are shown in the table below.

Property flag | Value in hexadecimal | Value in decimal
--- | --- | ---
SCRIPT | 0x0001 | 1
ACCOUNTDISABLE | 0x0002 | 2
HOMEDIR_REQUIRED | 0x0008 | 8
LOCKOUT | 0x0010 | 16
PASSWD_NOTREQD | 0x0020 | 32
PASSWD_CANT_CHANGE | 0x0040 | 64
ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128
TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256
NORMAL_ACCOUNT | 0x0200 | 512
INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048
WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096
SERVER_TRUST_ACCOUNT | 0x2000 | 8192
DONT_EXPIRE_PASSWORD | 0x10000 | 65536
MNS_LOGON_ACCOUNT | 0x20000 | 131072
SMARTCARD_REQUIRED | 0x40000 | 262144
TRUSTED_FOR_DELEGATION | 0x80000 | 524288
NOT_DELEGATED | 0x100000 | 1048576
USE_DES_KEY_ONLY | 0x200000 | 2097152
DONT_REQ_PREAUTH | 0x400000 | 4194304
PASSWORD_EXPIRED | 0x800000 | 8388608
TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216
PARTIAL_SECRETS_ACCOUNT | 0x04000000 | 67108864

UserAccountControl Flags Descriptions

Here is a comprehensive list of UserAccountControl flags with their descriptions. For details, refer to the official Microsoft Knowledge Base article on UserAccountControl.

  • SCRIPT – The logon script will be run.
  • ACCOUNTDISABLE – The user account is disabled.
  • HOMEDIR_REQUIRED – The home folder is required.
  • PASSWD_NOTREQD – No password is required.
  • PASSWD_CANT_CHANGE – The user can’t change the password. It’s a permission on the user’s object, not a bit that is stored in the attribute. For information about how to programmatically set this permission, see Modifying User Cannot Change Password (LDAP Provider).
  • ENCRYPTED_TEXT_PASSWORD_ALLOWED – The user can send an encrypted password.
  • TEMP_DUPLICATE_ACCOUNT – It’s an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. It’s sometimes referred to as a local user account.
  • NORMAL_ACCOUNT – It’s a default account type that represents a typical user.
  • INTERDOMAIN_TRUST_ACCOUNT – It’s a permit to trust an account for a system domain that trusts other domains.
  • WORKSTATION_TRUST_ACCOUNT – It’s a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
  • SERVER_TRUST_ACCOUNT – It’s a computer account for a domain controller that is a member of this domain.
  • DONT_EXPIRE_PASSWD – Represents the password, which should never expire on the account.
  • MNS_LOGON_ACCOUNT – It’s an MNS logon account.
  • SMARTCARD_REQUIRED – When this flag is set, it forces the user to log on by using a smart card.
  • TRUSTED_FOR_DELEGATION – When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
  • NOT_DELEGATED – When this flag is set, the security context of the user isn’t delegated to a service even if the service account is set as trusted for Kerberos delegation.
  • USE_DES_KEY_ONLY – (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
  • DONT_REQUIRE_PREAUTH – (Windows 2000/Windows Server 2003) This account doesn’t require Kerberos pre-authentication for logging on.
  • PASSWORD_EXPIRED – (Windows 2000/Windows Server 2003) The user’s password has expired.
  • TRUSTED_TO_AUTH_FOR_DELEGATION – (Windows 2000/Windows Server 2003) The account is enabled for delegation. It’s a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client’s identity and authenticate as that user to other remote servers on the network.
  • PARTIAL_SECRETS_ACCOUNT – (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). It’s a security-sensitive setting. Removing this setting from an RODC compromises security on that server.
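As an added example (not code from the ShellGeek article), the PowerShell below turns a userAccountControl value back into the flag names from the table above and marks the security-sensitive bits; the flag table is transcribed from this page, and the function name ConvertFrom-UserAccountControl is my own.

```powershell
# Added example, not code from the ShellGeek article. Decodes a userAccountControl
# value into flag names (table transcribed from the article) and lists the
# security-sensitive bits. Runs offline; no ActiveDirectory module needed.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

# Bits that weaken password or Kerberos protection, or grant delegation rights
$SensitiveFlags = @('PASSWD_NOTREQD', 'DONT_EXPIRE_PASSWORD', 'ENCRYPTED_TEXT_PWD_ALLOWED',
                    'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH', 'TRUSTED_FOR_DELEGATION',
                    'TRUSTED_TO_AUTH_FOR_DELEGATION')

function ConvertFrom-UserAccountControl {
    # Hypothetical helper name; accepts a decimal (514) or hex literal (0x202) alike
    param([Parameter(Mandatory)][int]$Value)
    $set = @(foreach ($name in $UacFlags.Keys) {
        if (($Value -band $UacFlags[$name]) -ne 0) { $name }
    })
    [pscustomobject]@{
        Decimal   = $Value
        Hex       = '0x{0:X}' -f $Value
        Flags     = $set -join ', '
        Enabled   = $set -notcontains 'ACCOUNTDISABLE'
        Sensitive = @($set | Where-Object { $SensitiveFlags -contains $_ }) -join ', '
    }
}

# Values worked through in the article; 590336 is decoded rather than taken on trust
514, 66048, 66050, 546, 4128, 590336 |
    ForEach-Object { ConvertFrom-UserAccountControl $_ } |
    Format-Table -AutoSize
```

Decoding 590336 from the later section yields NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD and TRUSTED_FOR_DELEGATION (0x80000), not PASSWD_CANT_CHANGE (0x40). Since "user cannot change password" is a permission on the object rather than a bit in this attribute, an account carrying that value should be reviewed for delegation rather than assumed to have a password restriction.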

Let’s work through a few examples of setting UserAccountControl values on a user account.


UserAccountControl 514 – Disable User Account

To disable a user account, we combine the normal account flag with the account-disabled flag.

Refer to the UserAccountControl table above:

NORMAL_ACCOUNT property flag has hexadecimal value = 0x0200 and decimal = 512

ACCOUNTDISABLE property flag has hexadecimal value = 0x0002 and decimal = 2

Property flag | Value in hexadecimal | Value in decimal
--- | --- | ---
NORMAL_ACCOUNT | 0x0200 | 512
ACCOUNTDISABLE | 0x0002 | 2
Disabled user account | 0x0202 | 514

UserAccountControl flags are cumulative. Sum the hexadecimal values (0x0200 + 0x0002 = 0x0202) or the decimal values (512 + 2 = 514).

Ldp.exe shows the value in hexadecimal, so set UserAccountControl to 0x0202 to disable the user account.

Adsiedit.msc shows the value in decimal, so set UserAccountControl to 514 to disable the user account.

UserAccountControl 514 – Disabled User Account.


UserAccountControl 66048 – Enabled and Don’t Expire User Password

To set a password that never expires on an enabled user account, we need the normal account flag and the password-never-expires flag.

Refer to the UserAccountControl flag table above:

NORMAL_ACCOUNT property flag has hexadecimal value = 0x0200 and decimal = 512

DONT_EXPIRE_PASSWORD property flag has hexadecimal value = 0x10000 and decimal value = 65536

Property flag | Value in hexadecimal | Value in decimal
--- | --- | ---
NORMAL_ACCOUNT | 0x0200 | 512
DONT_EXPIRE_PASSWORD | 0x10000 | 65536
Enabled, Don’t Expire Password | 0x10200 | 66048

Let’s sum the flag values to get the cumulative value.

Hexadecimal value = 0x200 + 0x10000 = 0x10200

Decimal value = 512 + 65536 = 66048

Assign 66048 to the Active Directory UserAccountControl attribute to set the user’s password to never expire.

UserAccountControl 66048 – Enabled User Account with Password never expires.


UserAccountControl 66050 – Disabled and Don’t Expire Password

To set a password that never expires on a disabled user account, we need the normal account flag, the account-disabled flag and the password-never-expires flag.

Property flag | Value in hexadecimal | Value in decimal
--- | --- | ---
NORMAL_ACCOUNT | 0x0200 | 512
ACCOUNTDISABLE | 0x0002 | 2
DONT_EXPIRE_PASSWORD | 0x10000 | 65536
Disabled, Don’t Expire Password | 0x10202 | 66050

In the table above, we have summed all the property flags to get the cumulative value for a disabled user account whose password never expires.

Modify the value of the UserAccountControl attribute to 66050 in the adsiedit.msc tool.

UserAccountControl 66050 – Disabled User Account with Password never expires.


UserAccountControl 544 – Enabled and Password not required

To set up an enabled user account with the password-not-required flag, we need the NORMAL_ACCOUNT flag and the PASSWD_NOTREQD flag.

Property flag | Value in hexadecimal | Value in decimal
--- | --- | ---
NORMAL_ACCOUNT | 0x0200 | 512
PASSWD_NOTREQD | 0x0020 | 32
Enabled, Password not required | 0x0220 | 544

In the table above, we have summed all the property flags to get the cumulative value for an enabled user account with no password required.

Modify the value of the UserAccountControl attribute to 544 in the adsiedit.msc tool.

UserAccountControl 544 – Enabled User Account with password not required.


UserAccountControl 546 – Disabled and Password not required

To set up a disabled user account with no password required, we need the NORMAL_ACCOUNT flag, the PASSWD_NOTREQD flag, and the ACCOUNTDISABLE flag.

Property flag | Value in hexadecimal | Value in decimal
--- | --- | ---
NORMAL_ACCOUNT | 0x0200 | 512
ACCOUNTDISABLE | 0x0002 | 2
PASSWD_NOTREQD | 0x0020 | 32
Disabled, Password not required | 0x0222 | 546

In the table above, we have summed all the property flags to get the cumulative value for a disabled user account with no password required.

Modify the value of the UserAccountControl attribute to 546 in the adsiedit.msc tool.

UserAccountControl 546 – Disabled User Account with password not required.

UserAccountControl 66082 – Disabled,Password not required and Password Doesn’t Expire

To set up a disabled user account with no password required and a password that never expires, we need the NORMAL_ACCOUNT flag, the PASSWD_NOTREQD flag, the ACCOUNTDISABLE flag, and the DONT_EXPIRE_PASSWORD flag.

Property flag | Value in hexadecimal | Value in decimal
--- | --- | ---
NORMAL_ACCOUNT | 0x0200 | 512
ACCOUNTDISABLE | 0x0002 | 2
DONT_EXPIRE_PASSWORD | 0x10000 | 65536
PASSWD_NOTREQD | 0x0020 | 32
Disabled, Password not required, Don’t Expire Password | 0x10222 | 66082

In the table above, we have summed all the property flags to get the cumulative value for a disabled user account whose password is not required and never expires.

Modify the value of the UserAccountControl attribute to 66082 in the adsiedit.msc tool.

UserAccountControl 66082 – Disabled User Account, password not required and password doesn’t expire.

UserAccountControl 590336 – Enabled, User Cannot Change Password, Password Never Expires

Assign the value 590336 to the UserAccountControl attribute to get an enabled user account where the user cannot change the password and the password never expires.

UserAccountControl 4128 – WorkStation Trust Account, Password not required

To set up a workstation trust account with no password required, we need the WORKSTATION_TRUST_ACCOUNT flag and the PASSWD_NOTREQD flag.

Property flag | Value in hexadecimal | Value in decimal
--- | --- | ---
WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096
PASSWD_NOTREQD | 0x0020 | 32
Workstation trust account, Password not required | 0x1020 | 4128

In the table above, we have summed all the property flags to get the cumulative value for a workstation trust account with no password required.

Modify the value of the UserAccountControl attribute to 4128 in the adsiedit.msc tool.

UserAccountControl 4128 – Workstation Trust Account with Password not required.

UserAccountControl 2080 – InterDomain Trust Account, Password not required

To set up an interdomain trust account with no password required, we need the INTERDOMAIN_TRUST_ACCOUNT flag and the PASSWD_NOTREQD flag.

Property flag | Value in hexadecimal | Value in decimal
--- | --- | ---
INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048
PASSWD_NOTREQD | 0x0020 | 32
InterDomain trust account, Password not required | 0x0820 | 2080

In the table above, we have summed all the property flags to get the cumulative value for an interdomain trust account with no password required.

Modify the value of the UserAccountControl attribute to 2080 in the adsiedit.msc tool.

UserAccountControl 2080 – InterDomain Trust Account with Password not required.
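The worked examples above all write a literal total into the attribute. As an added example (not code from the ShellGeek article), the PowerShell below composes such a value from named flags, changes a single bit on a live account without wiping the bits already set, and audits for the PASSWD_NOTREQD flag; it assumes the ActiveDirectory module, a placeholder account name 'jdoe', and the helper name Set-UacBit, which is mine.

```powershell
# Added example, not code from the ShellGeek article. Requires the ActiveDirectory
# module and a domain connection; 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

$NORMAL_ACCOUNT       = 0x0200   # 512
$ACCOUNTDISABLE       = 0x0002   # 2
$PASSWD_NOTREQD       = 0x0020   # 32
$DONT_EXPIRE_PASSWORD = 0x10000  # 65536

# Flags are single bits, so -bor gives the same result as the article's addition
# (512 + 2 + 65536 = 66050) but cannot double-count a flag by mistake.
$disabledNeverExpires = $NORMAL_ACCOUNT -bor $ACCOUNTDISABLE -bor $DONT_EXPIRE_PASSWORD
'{0} = 0x{0:X}' -f $disabledNeverExpires   # 66050 = 0x10202

# Writing a literal such as 514 replaces the whole attribute: any other bit the
# account had (e.g. DONT_EXPIRE_PASSWORD) is silently cleared. Read the current
# value, flip only the bit you mean to change, and write the result back.
function Set-UacBit {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][int]$Bit,
        [Parameter(Mandatory)][bool]$On
    )
    $current = (Get-ADUser -Identity $Identity -Properties userAccountControl).userAccountControl
    $new = if ($On) { $current -bor $Bit } else { $current -band (-bnot $Bit) }
    if ($new -ne $current) {
        Set-ADUser -Identity $Identity -Replace @{ userAccountControl = $new }
    }
    [pscustomobject]@{ Identity = $Identity; Before = $current; After = $new }
}

# Disable 'jdoe' while keeping whatever else is set: 66048 becomes 66050, not 514.
Set-UacBit -Identity 'jdoe' -Bit $ACCOUNTDISABLE -On $true

# The purpose-built cmdlet does the same bit arithmetic for you.
Set-ADAccountControl -Identity 'jdoe' -Enabled $false -PasswordNeverExpires $true

# Audit: enabled accounts that still carry PASSWD_NOTREQD. The OID below is
# LDAP's bitwise-AND matching rule, so the filter tests the bit, not the whole value.
$bitAnd = '1.2.840.113556.1.4.803'
$filter = "(&(objectCategory=person)(userAccountControl:${bitAnd}:=${PASSWD_NOTREQD})" +
          "(!(userAccountControl:${bitAnd}:=${ACCOUNTDISABLE})))"
Get-ADUser -LDAPFilter $filter -Properties userAccountControl |
    Select-Object SamAccountName, userAccountControl
```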

Conclusion – UserAccountControl Flags

I hope the above article on Active Directory UserAccountControl values is helpful to you.

UserAccountControl property flags are cumulative.

You can sum the hexadecimal or decimal values of the UserAccountControl flags and assign the result to the UserAccountControl attribute in the ldp.exe tool or the Adsiedit.msc snap-in, respectively.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.


FAQs

What does UserAccountControl 512 mean?

User Account Control

For example, setting a user’s userAccountControl to 512 would mean that the user account is a default account type that represents a typical user. Setting it to 2 would mean the account has been disabled.

What does UserAccountControl 514 mean?

514 is a normal disabled account with no special flags. 66048 is a normal account with the flag set for Password never expires. 66050 is a normal disabled account with the flag set for Password never expires.

What is UserAccountControl 544?

Resolution. Since account creation is a multi-step process without rollback, this left the account with a blank password, and the UserAccountControl attribute set to 544 (a mixed state of normal account 512 + password not required 32).

What is UserAccountControl in Active Directory?

The UserAccountControl Active Directory attribute determines user status. Users are set to Disabled status in the Duo Admin Panel if the UserAccountControl attribute is 2 (0x0002 in hex) or 514 (0x202 in hex) when Active Directory Sync runs.

What does Error 512 mean?

SMTP error 512 occurs when the recipient's email domain is not resolvable via a valid DNS record.

What is the bad password count attribute in Active Directory?

Active Directory Schema Attribute : bad-pwd-count

Purpose: This attribute denotes the number of times the logon attempts failed due to incorrect password.

How to change the UserAccountControl attribute?

Change UserAccountControl with PowerShell

You can use the Set-ADUser cmdlet to change the UserAccountControl attribute. In this example I change the value from 514 to 512. There is also the Set-ADAccountControl cmdlet that lets you modify the UserAccountControl values.

What is the UserAccountControl bitmask for NORMAL_ACCOUNT and ENCRYPTED_TEXT_PWD_ALLOWED in decimal?

List of property flags

Property flag | Value in hexadecimal | Value in decimal
--- | --- | ---
ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128
TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256
NORMAL_ACCOUNT | 0x0200 | 512
INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048

18 more rows (Feb 19, 2024)

What is event ID 4776, "the computer attempted to validate the credentials for an account"?

This event generates every time that a credential validation occurs using NTLM authentication. This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative.

How do I view user attributes in Active Directory?

Select 'View' from the menu and enable 'Advanced Features'. This setting remains active for subsequent sessions. With advanced features enabled, access the user account and click on the Attribute Editor tab. This displays all user attributes, including any that are blank.

What is the UAC value 0x211?

New UAC Value: 0x211. User Account Control: 'Password Not Required' - Disabled. 'Don't Expire Password' - Enabled.

How do you unlock account attributes in Active Directory?

Using a graphical user interface
  1. Open the Active Directory Users and Computers snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Type the name of the user beside Name and click Find Now.
  5. In the Search Results, right-click on the user and select Unlock.

What is Windows account type 512?

512 = (UF_NORMAL_ACCOUNT) Default account type that represents a typical user. 2048 = (UF_INTERDOMAIN_TRUST_ACCOUNT) Account for a system domain that trusts other domains. 4096 = (UF_WORKSTATION_TRUST_ACCOUNT) Computer account for a computer system running Windows that is a member of this domain.

What is the Active Directory user account Security tab?

The security tab allows you to grant or deny permissions to other groups and users over the user object. In the “group or user names” section you can choose the group or the user to whom you would like to deny or allow permission.

Article information

Author: Barbera Armstrong
