Recipe 6.24 Setting a User's Account Options (userAccountControl)
6.24.1 Problem
You want to view or update the userAccountControl attribute for a user. This attribute controls various account options, such as whether the user must change their password at next logon and whether the account is disabled.
6.24.2 Solution
6.24.2.1 Using a graphical user interface
Open the Active Directory Users and Computers snap-in. In the left pane, right-click on the domain and select Find. Select the appropriate domain beside In. Beside Name, type the name of the user and click Find Now. In the Search Results, double-click on the user. Select the Account tab. Many of the userAccountControl flags can be set
under Account options. Click OK after you're done.
6.24.2.2 Using a command-line interface
The dsmod user command has several options for setting various userAccountControl flags, as shown in Table 6-2. Each switch accepts yes or no as a parameter to either enable or disable the setting.
Table 6-2. dsmod user options for setting userAccountControl

  Option             Description
  -mustchpwd         Sets whether the user must change password at next logon.
  -canchpwd          Sets whether the user can change his password.
  -disabled          Sets account status to enabled or disabled.
  -reversiblepwd     Sets whether the user's password is stored using reversible encryption.
  -pwdneverexpires   Sets whether the user's password never expires.
6.24.2.3 Using VBScript
' This code enables or disables a bit value in the userAccountControl attr.
' See Recipe 4.12 for the code for the CalcBit function, which must be
' present in this script for it to run.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>"      ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
intBit = <BitValue>         ' e.g. 65536 (ADS_UF_DONT_EXPIRE_PASSWD)
boolEnable = <TrueOrFalse>  ' e.g. TRUE to set the bit, FALSE to clear it
' ------ END CONFIGURATION ---------
strAttr = "userAccountControl"
set objUser = GetObject("LDAP://" & strUserDN)
' Read the current bit mask, compute the new one, and write it back only
' if something actually changed.
intBitsOrig = objUser.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnable)
if intBitsOrig <> intBitsCalc then
    objUser.Put strAttr, intBitsCalc
    objUser.SetInfo
    WScript.Echo "Changed " & strAttr & " from " & _
                 intBitsOrig & " to " & intBitsCalc
else
    WScript.Echo "Did not need to change " & strAttr & " (" & _
                 intBitsOrig & ")"
end if
6.24.3 Discussion
The userAccountControl attribute on user (and computer) objects could be considered the kitchen sink of miscellaneous and sometimes completely unrelated user account properties. If you have to work with creating and managing user objects very much, you'll need to become intimately familiar with this attribute.

The userAccountControl attribute is a bit flag, which means you have to take a couple of extra steps to search against it or modify it. See Recipe 4.9 for more on searching with a bit-wise filter and Recipe 4.12 for modifying a bit-flag attribute.

The dsmod user command can be used to modify a subset of userAccountControl properties, as shown in Table 6-2. Table 6-3 contains the complete list of userAccountControl properties as defined in the ADS_USER_FLAG_ENUM enumeration.
Table 6-3. ADS_USER_FLAG_ENUM values

  Name                                            Value      Description
  ADS_UF_SCRIPT                                   1          Logon script is executed.
  ADS_UF_ACCOUNTDISABLE                           2          Account is disabled.
  ADS_UF_HOMEDIR_REQUIRED                         8          Home directory is required.
  ADS_UF_LOCKOUT                                  16         Account is locked out.
  ADS_UF_PASSWD_NOTREQD                           32         A password is not required.
  ADS_UF_PASSWD_CANT_CHANGE                       64         Read-only flag that indicates that the user cannot change their password.
  ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED          128        Store password using reversible encryption.
  ADS_UF_TEMP_DUPLICATE_ACCOUNT                   256        Account provides access to the domain, but not to any other domain that trusts the domain.
  ADS_UF_NORMAL_ACCOUNT                           512        Enabled user account.
  ADS_UF_INTERDOMAIN_TRUST_ACCOUNT                2048       A permit-to-trust account for a system domain that trusts other domains.
  ADS_UF_WORKSTATION_TRUST_ACCOUNT                4096       Enabled computer account.
  ADS_UF_SERVER_TRUST_ACCOUNT                     8192       Computer account for a backup domain controller.
  ADS_UF_DONT_EXPIRE_PASSWD                       65536      Password will not expire.
  ADS_UF_MNS_LOGON_ACCOUNT                        131072     MNS logon account.
  ADS_UF_SMARTCARD_REQUIRED                       262144     Smart card is required for logon.
  ADS_UF_TRUSTED_FOR_DELEGATION                   524288     Allow Kerberos delegation.
  ADS_UF_NOT_DELEGATED                            1048576    Do not allow Kerberos delegation even if ADS_UF_TRUSTED_FOR_DELEGATION is enabled.
  ADS_UF_USE_DES_KEY_ONLY                         2097152    Requires DES encryption for keys.
  ADS_UF_DONT_REQUIRE_PREAUTH                     4194304    Account does not require Kerberos preauthentication for logon.
  ADS_UF_PASSWORD_EXPIRED                         8388608    Read-only flag indicating the account's password has expired. Only used with the WinNT provider.
  ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION   16777216   Account is enabled for delegation.
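The following is an added example, not code from the book, showing the bit-flag handling the VBScript relies on and the Table 6-3 values in use: calc_bit plays the role of the book's CalcBit helper from Recipe 4.12 (the book's own implementation is not reproduced here), decode_uac turns a raw userAccountControl integer into ADS_UF_* names so that exported values can be read at a glance, and audit runs over a constructed list of (sAMAccountName, userAccountControl) pairs and reports accounts carrying flags that weaken authentication. Which flags count as risky is this example's selection, not a classification from the book.

```python
"""Decode, audit and update userAccountControl bit flags.

Added example, not code from the book. Flag names and values are the
ADS_USER_FLAG_ENUM entries from Table 6-3; calc_bit stands in for the
book's CalcBit helper (Recipe 4.12); the sample accounts are constructed.
"""
from typing import Dict, List, Tuple

ADS_USER_FLAGS: Dict[str, int] = {
    "ADS_UF_SCRIPT": 1,
    "ADS_UF_ACCOUNTDISABLE": 2,
    "ADS_UF_HOMEDIR_REQUIRED": 8,
    "ADS_UF_LOCKOUT": 16,
    "ADS_UF_PASSWD_NOTREQD": 32,
    "ADS_UF_PASSWD_CANT_CHANGE": 64,
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 128,
    "ADS_UF_TEMP_DUPLICATE_ACCOUNT": 256,
    "ADS_UF_NORMAL_ACCOUNT": 512,
    "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT": 2048,
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT": 4096,
    "ADS_UF_SERVER_TRUST_ACCOUNT": 8192,
    "ADS_UF_DONT_EXPIRE_PASSWD": 65536,
    "ADS_UF_MNS_LOGON_ACCOUNT": 131072,
    "ADS_UF_SMARTCARD_REQUIRED": 262144,
    "ADS_UF_TRUSTED_FOR_DELEGATION": 524288,
    "ADS_UF_NOT_DELEGATED": 1048576,
    "ADS_UF_USE_DES_KEY_ONLY": 2097152,
    "ADS_UF_DONT_REQUIRE_PREAUTH": 4194304,
    "ADS_UF_PASSWORD_EXPIRED": 8388608,
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 16777216,
}

# Flags that weaken authentication when set on an ordinary user account.
# This selection is the example's own, not a classification from the book.
RISKY_FLAGS: Tuple[str, ...] = (
    "ADS_UF_PASSWD_NOTREQD",
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    "ADS_UF_TRUSTED_FOR_DELEGATION",
    "ADS_UF_USE_DES_KEY_ONLY",
    "ADS_UF_DONT_REQUIRE_PREAUTH",
)


def calc_bit(current: int, bit: int, enable: bool) -> int:
    """Return `current` with `bit` set (enable=True) or cleared (enable=False).

    OR sets the bit and AND-with-complement clears it; both are idempotent,
    so the caller can compare the result with the original to decide whether
    a write to the directory is needed, as the VBScript above does.
    """
    if bit <= 0 or bit & (bit - 1):
        raise ValueError("bit must be a single power of two, got %d" % bit)
    return current | bit if enable else current & ~bit


def decode_uac(value: int) -> List[str]:
    """Translate a userAccountControl integer into ADS_UF_* names, low bit first.

    Bits not listed in Table 6-3 are reported as UNKNOWN_BIT_0x... rather
    than silently dropped.
    """
    names: List[str] = []
    remaining = value
    for name, bit in sorted(ADS_USER_FLAGS.items(), key=lambda kv: kv[1]):
        if value & bit:
            names.append(name)
            remaining &= ~bit
    pos = 0
    while remaining:
        if remaining & 1:
            names.append("UNKNOWN_BIT_0x%x" % (1 << pos))
        remaining >>= 1
        pos += 1
    return names


def encode_uac(names: List[str]) -> int:
    """Inverse of decode_uac for known flag names."""
    value = 0
    for name in names:
        value |= ADS_USER_FLAGS[name]
    return value


def risky_flags(value: int) -> List[str]:
    """Return the RISKY_FLAGS names that are set in `value`."""
    return [n for n in RISKY_FLAGS if value & ADS_USER_FLAGS[n]]


# Constructed sample: (sAMAccountName, userAccountControl) pairs as they
# might come back from an LDAP export. These are not real accounts.
SAMPLE_ACCOUNTS = [
    ("alice", 512),
    ("svc-legacy", 512 | 32 | 128),
    ("bob", 514),
    ("kiosk", 512 | 65536 | 4194304),
]


def audit(accounts) -> Dict[str, List[str]]:
    """Map each account that carries at least one risky flag to those flags."""
    findings: Dict[str, List[str]] = {}
    for sam, uac in accounts:
        hits = risky_flags(uac)
        if hits:
            findings[sam] = hits
    return findings


if __name__ == "__main__":
    for sam, uac in SAMPLE_ACCOUNTS:
        print("%-12s %9d  %s" % (sam, uac, ", ".join(decode_uac(uac))))
    for sam, hits in audit(SAMPLE_ACCOUNTS).items():
        print("REVIEW %s: %s" % (sam, ", ".join(hits)))
    # Same change as the VBScript with intBit = 65536 and boolEnable = TRUE.
    print("512 -> %d" % calc_bit(512, ADS_USER_FLAGS["ADS_UF_DONT_EXPIRE_PASSWD"], True))
```

Run on the constructed sample, audit reports svc-legacy (password not required, reversible encryption) and kiosk (no Kerberos preauthentication) for review; alice and bob carry only ADS_UF_NORMAL_ACCOUNT and ADS_UF_ACCOUNTDISABLE and are not reported. Because the low-bit-first decoding is deterministic, the same function can be used to diff a user's userAccountControl before and after a dsmod or script change and confirm that only the intended bit moved.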
6.24.4 See Also
Recipe 4.12 for setting a bit-flag attribute and
MSDN: ADS_USER_FLAG_ENUM