When you open the properties for a user account, click the Account
tab, and then either select or clear the check boxes in the
dialog box, numerical values are assigned to
attribute. The value that is assigned to the attribute tells
Windows which options have been enabled.
To view user accounts, click
, point to Programs
, point to Administrative Tools
, and then click Active Directory Users and
You can view and edit these attributes by using either the
Ldp.exe tool or the Adsiedit.msc snap-in.
The following table lists
possible flags that you can assign. You cannot set some of the values on a user
or computer object because these values can be set or reset only by the
directory service. Note that Ldp.exe shows the values in hexadecimal.
Adsiedit.msc displays the values in decimal. The flags are cumulative. To
disable a user's account, set the UserAccountControl
attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2
You can directly edit Active Directory in both Ldp.exe and
Adsiedit.msc. Only experienced administrators should use these tools to edit
Active Directory. Both tools are available after you install the Support tools
from your original Windows installation media.
Collapse this tableExpand this table
|Property flag||Value in hexadecimal||Value in
Note You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the "Property flag descriptions" section.
In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information about this new attribute, visit the following Web site:
Property flag descriptions
- SCRIPT - The logon script will be run.
- ACCOUNTDISABLE - The user account is disabled.
- HOMEDIR_REQUIRED - The home folder is required.
- PASSWD_NOTREQD - No password is required.
- PASSWD_CANT_CHANGE - The user cannot change the password. This
is a permission on the user's object. For information about how to programmatically set this
permission, visit the following Web site:
- ENCRYPTED_TEXT_PASSWORD_ALLOWED - The user can send an
- TEMP_DUPLICATE_ACCOUNT - This is an account for users whose
primary account is in another domain. This account provides user access to this
domain, but not to any domain that trusts this domain. This is sometimes
referred to as a local user account.
- NORMAL_ACCOUNT - This is a default account type that
represents a typical user.
- INTERDOMAIN_TRUST_ACCOUNT - This is a permit to trust an
account for a system domain that trusts other domains.
- WORKSTATION_TRUST_ACCOUNT - This is a computer account for
a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft
Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000
Server and is a member of this domain.
- SERVER_TRUST_ACCOUNT - This is a computer account for a
domain controller that is a member of this domain.
- DONT_EXPIRE_PASSWD - Represents the password, which should
never expire on the account.
- MNS_LOGON_ACCOUNT - This is an MNS logon account.
- SMARTCARD_REQUIRED - When this flag is set, it forces the
user to log on by using a smart card.
- TRUSTED_FOR_DELEGATION - When this flag is set, the service
account (the user or computer account) under which a service runs is trusted
for Kerberos delegation. Any such service can impersonate a client requesting
the service. To enable a service for Kerberos delegation, you must set this
flag on the userAccountControl property of the service account.
- NOT_DELEGATED - When this flag is set, the security context
of the user is not delegated to a service even if the service account is set as
trusted for Kerberos delegation.
- USE_DES_KEY_ONLY - (Windows 2000/Windows Server 2003)
Restrict this principal to use only Data Encryption Standard (DES) encryption
types for keys.
- DONT_REQUIRE_PREAUTH - (Windows 2000/Windows Server 2003)
This account does not require Kerberos pre-authentication for logging
- PASSWORD_EXPIRED - (Windows 2000/Windows Server 2003) The
user's password has expired.
- TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
- PARTIAL_SECRETS_ACCOUNT - (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server.
These are the default UserAccountControl
values for the certain objects:
Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)
Article ID: 305144 - Last Review: June 8, 2011 - Revision: 11.0
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows Small Business Server 2003 Premium Edition
- Microsoft Windows Small Business Server 2003 Standard Edition
- Windows Server 2008 Datacenter
- Windows Server 2008 Enterprise
- Windows Server 2008 R2 Datacenter
- Windows Server 2008 R2 Enterprise
- Windows Server 2008 R2 Standard
- Windows Server 2008 Standard