About UserAccountControl

UserAccountControl FLAG

UserAccountControl 理论上的最大值为  4,294,967,295 (十进制) FF FF FF FF (八进制) or 1111 1111 1111 1111 1111 1111 1111 1111 (二进制).

但实际上 可到达的最大值为67,058,683 (十进制) 3 FF 3B FB (八进制) or 11 1111 1111 0011 1011 1111 1011 (二进制)

如图所示 打X表示该位被忽略, UserAccountControl Flag上没有这个属性值

wKiom1Y1daSSbcU_AAK7f8SURew575.jpg

 

每一个flag或者bit都可以组合成为一个更大的数值来表示更为复杂的用户账户属性,例如一个通用账户被禁用和锁定

•ADS_UF_ACCOUNTDISABLE  == 2

•ADS_UF_LOCKOUT == 16

•ADS_UF_NORMAL_ACCOUNT == 512

可组合值为 530==512+16+2

如图所示

wKioL1Y1diKg729bAAE76C_bFBI763.jpg

 

UserAccountControl Value

Flag value (binary)

(decimal)

 

0000000000000000000000000000000x

 Reserved,  the value must always be 0

00000000000000000000000000000010

 UF_ACCOUNT_DISABLE

00000000000000000000000000000x00

  Reserved,  the value must always be 0

00000000000000000000000000001000

 UF_HOMEDIR_REQUIRED

00000000000000000000000000010000

16 

 UF_LOCKOUT

00000000000000000000000000100000

32 

 UF_PASSWD_NOTREQD

00000000000000000000000001000000

64 

 UF_PASSWD_CANT_CHANGE

00000000000000000000000010000000

128 

 UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED

00000000000000000000000x00000000

256 

 Reserved,  the value must always be 0

00000000000000000000001000000000

512 

 UF_NORMAL_ACCOUNT

000000000000000000000x0000000000

1024 

 Reserved,  the value must always be 0

00000000000000000000100000000000

2048 

 UF_INTERDOMAIN_TRUST_ACCOUNT

00000000000000000001000000000000

4096 

 UF_WORKSTATION_TRUST_ACCOUNT

00000000000000000010000000000000

8192 

UF_SERVER_TRUST_ACCOUNT

00000000000000000x00000000000000

16384 

 Reserved,  the value must always be 0

0000000000000000x000000000000000

32768 

 Reserved,  the value must always be 0

00000000000000010000000000000000

65536 

 UF_DONT_EXPIRE_PASSWD

00000000000000100000000000000000

131072 

 UF_MNS_LOGON_ACCOUNT

00000000000001000000000000000000

262144 

 UF_SMARTCARD_REQUIRED

00000000000010000000000000000000

524288 

 UF_TRUSTED_FOR_DELEGATION

00000000000100000000000000000000

1048576 

 UF_NOT_DELEGATED

00000000001000000000000000000000

2097152 

 UF_USE_DES_KEY_ONLY

00000000010000000000000000000000

4194304 

 UF_DONT_REQUIRE_PREAUTH

00000000100000000000000000000000

8388608 

 UF_PASSWORD_EXPIRED

00000001000000000000000000000000

16777216 

 UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

00000010000000000000000000000000

33554432 

 UF_NO_AUTH_DATA_REQUIRED

00000100000000000000000000000000

67108864 

 UF_PARTIAL_SECRETS_ACCOUNT [Read Only Domain  Controllers]

0000x000000000000000000000000000

134217728 

 Reserved,  the value must always be 0

000x0000000000000000000000000000

268435456 

 Reserved,  the value must always be 0

00x00000000000000000000000000000

536870912 

 Reserved,  the value must always be 0

0x000000000000000000000000000000

1073741824 

 Reserved,  the value must always be 0

x0000000000000000000000000000000

2147483648 

 Reserved,  the value must always be 0

 

附上

Eg: userAccountControl常用的组合值

512 账户正常

514  账户禁用

544  账户正常,下次登录需要设置密码 

546  账户禁用 下次登录需要设置密码 

2080  2048 信任域间可信账户 + 32 无需密码

66048   账户正常+ 65536 密码永不过期

66050   账户禁用+密码永不过期

66080  账户正常+密码永不过期+32 无需密码

66082  账户禁用+密码永不过期+32 无需密码

328192  512 账户正常+65536 密码永不过期+262144 需要智能卡登录

 

相关参考

http://www.jigsolving.com/activedirectory/user-account-attributes-part-5

UserAccountControl Attribute/Flag Values

 MSDN-User-Account-Control attribute