UserAccountControl Attribute Values

In this article, you will learn about the UserAccountControl attribute in Active Directory. In addition, I’ve created a table that lists all of the UserAccountControl property flags with a description of each.

What is the UserAccountControl attribute?

UserAccountControl is an attribute on user and computer objects in Active Directory. This attribute is a set of flags that tells Windows which user account options are enabled. For example, when an account is disabled, the UserAccountControl value for that account will be 514.

You can use the UserAccountControl attribute to search for accounts with a specific setting or update user account settings. When viewing this attribute, the value will be displayed in Decimal or Hexadecimal format. You can use the table below to see a description of each value.

UserAccountControl Attributes are Cumulative (Important)

This is very important to understand when working with the UserAccountControl attribute.

The UserAccountControl Attribute value is cumulative, meaning the number will increase when additional account properties are set. This is important to understand when searching for accounts with a specific flag, as you may be searching for the wrong value.

Let’s look at an example.

When a user account is created it typically has the value of 512 (0x200 in Hexadecimal).

[Screenshot: attribute editor]

When the account is disabled the value changes to 514 (0x202 in Hexadecimal). If you look up the disabled-account flag in the table below, it is 0x0002 (Decimal 2), not 514. So why did the account change to 514?

[Screenshot: userAccountControl value 514]

Why does the value change to 514?

  • Normal User Account = 512
  • Disabled Account = 2
  • Add these together you get 514

Pretty straightforward, but it is important to know when searching for and looking at the UserAccountControl value of user accounts: the value you see is the sum of every flag that is set, not a single flag.

List of UserAccountControl Property Flags

Tip #1: UserAccountControl flags are cumulative (see above).
Tip #2: You can’t set some of the values because these values can only be set by the directory service.

| Property flag | Hexadecimal Value | Decimal Value | Description |
| --- | --- | --- | --- |
| SCRIPT | 0x0001 | 1 | The logon script will be run. |
| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. |
| HOMEDIR_REQUIRED | 0x0008 | 8 | The home folder is required. |
| LOCKOUT | 0x0010 | 16 | The account is locked out. |
| PASSWD_NOTREQD | 0x0020 | 32 | No password is required. |
| PASSWD_CANT_CHANGE | 0x0040 | 64 | The user can’t change the password. |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 | The user can send an encrypted password. |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 | It’s an account for users whose primary account is in another domain. |
| NORMAL_ACCOUNT | 0x0200 | 512 | It’s a default account type that represents a typical user. |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 | It’s a permit to trust an account for a system domain that trusts other domains. |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 | It’s a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, NT 4.0 Server, 2000 Pro or 2000 Server and is a member of this domain. |
| SERVER_TRUST_ACCOUNT | 0x2000 | 8192 | It’s a computer account for a domain controller that is a member of this domain. |
| DONT_EXPIRE_PASSWORD | 0x10000 | 65536 | The password on the account should never expire. |
| MNS_LOGON_ACCOUNT | 0x20000 | 131072 | It’s an MNS logon account. |
| SMARTCARD_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. |
| TRUSTED_FOR_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. |
| NOT_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user isn’t delegated to a service even if the service account is set as trusted for Kerberos delegation. |
| USE_DES_KEY_ONLY | 0x200000 | 2097152 | (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. |
| DONT_REQ_PREAUTH | 0x400000 | 4194304 | (Windows 2000/Windows Server 2003) This account doesn’t require Kerberos pre-authentication for logging on. |
| PASSWORD_EXPIRED | 0x800000 | 8388608 | (Windows 2000/Windows Server 2003) The user’s password has expired. |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 | (Windows 2000/Windows Server 2003) The account is enabled for delegation. It’s a security-sensitive setting. |
| PARTIAL_SECRETS_ACCOUNT | 0x04000000 | 67108864 | (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). It’s a security-sensitive setting. |

How to View the UserAccountControl Attribute

In this section, I’ll show you how to view the UserAccountControl attribute using Active Directory and PowerShell.

Step 1. Open ADUC

Open Active Directory users and computers console.

Step 2. Open a User Account

Open any account and click on the attribute editor tab. Scroll down to the UserAccountControl attribute.

[Screenshot: open user account in Active Directory]

In the Attribute Editor box, it’s going to display the Hexadecimal value. If you edit the attribute, it will display the Decimal value.

[Screenshot: view userAccountControl attribute]

Step 3. Using PowerShell

To get the UserAccountControl value using PowerShell use this command.

get-aduser -identity USERNAME -properties * | select name, useraccountcontrol
[Screenshot: PowerShell Get-ADUser output showing userAccountControl]

How to Find Accounts with a Certain UserAccountControl Flag

You can easily search Active Directory for accounts that have a specific UserAccountControl Flag.

Example 1. Find accounts with the 512 (Normal) flag

In this example, I use the PowerShell equal-to operator (-eq) to find accounts whose value is 512.

get-aduser -filter * -properties UserAccountControl | where {$_.UserAccountControl -eq 512} | select name, UserAccountControl
[Screenshot: PowerShell output for accounts with the 512 value]

Example 2. Find accounts that are not normal

In this example, I use the not-equal-to operator (-ne) to list all accounts whose value is not 512.

get-aduser -filter * -properties UserAccountControl | where {$_.UserAccountControl -ne 512} | select name, UserAccountControl
[Screenshot: PowerShell output for accounts that are not 512]
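Because the value is cumulative, an exact match such as -eq 512 only finds accounts with no other flag set; an enabled user whose password never expires is 66048 and is skipped. The following is an added example, not code from the original article, that tests a single bit instead, both server-side through an LDAP filter and client-side with -band. It assumes the ActiveDirectory module; the function name Find-AccountsWithUacFlag and the constants are mine, with values taken from the table above.

```powershell
# Added example: search by an individual UserAccountControl bit, not the whole value.
$DONT_EXPIRE_PASSWORD = 0x10000   # 65536 in the table
$PASSWD_NOTREQD       = 0x0020    # 32 in the table

function Find-AccountsWithUacFlag {
    param(
        [Parameter(Mandatory)][int]$Flag,
        [string]$SearchBase   # optional OU distinguished name to scope the query
    )
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the
    # domain controller does the bit test instead of returning every account.
    $ldap   = "(userAccountControl:1.2.840.113556.1.4.803:=$Flag)"
    $params = @{ LDAPFilter = $ldap; Properties = 'userAccountControl' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params |
        Select-Object Name, SamAccountName,
            @{ n = 'UAC'; e = { $_.userAccountControl } },
            @{ n = 'Hex'; e = { '0x{0:X}' -f $_.userAccountControl } }
}

# Equivalent client-side test with -band, for objects you already hold.
Get-ADUser -Filter * -Properties userAccountControl |
    Where-Object { ($_.userAccountControl -band $PASSWD_NOTREQD) -ne 0 } |
    Select-Object Name, userAccountControl

# Every user whose password never expires, regardless of other flags.
Find-AccountsWithUacFlag -Flag $DONT_EXPIRE_PASSWORD
```

Prefer the LDAP form on large domains: the -Filter * variant pulls every user across the network before filtering.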

Example 3. AD Pro Toolkit

The AD Pro Toolkit includes over 200 built in reports. You can quickly run reports with just a few mouse clicks. The search box lets you filter and search the report.

[Screenshot: AD Pro Toolkit search of userAccountControl for all users]

In the below screenshot, I search for any account that is set to PasswordDoesNotExpire. You can see the UAC Decimal numbers differ between users; this is because those accounts have multiple settings enabled. With the toolkit you can search on all columns, which makes it easy to find specific accounts.

How to Change UserAccountControl Attribute

Warning: You should not blindly change the UserAccountControl attribute. This is not a typical task and should only be done under specific circumstances. In addition, if you’re going to do this for multiple accounts, you should test it on 1 or 2 to make sure it has the desired effects.

There are a few ways you can change the UserAccountControl attribute.

  1. Manually using ADUC
  2. PowerShell
  3. AD Pro Toolkit

Manually using ADUC

With ADUC you can open the user account, edit the userAccountControl attribute, and enter a new value. For example, this account’s value is 514; I will change it to 512.

[Screenshot: change userAccountControl attribute]

In the value box I will enter 512 and click OK.

[Screenshot: change from 514 to 512]

Change UserAccountControl with PowerShell

You can use the set-aduser cmdlet to change the UserAccountControl attribute. In this example I change the value from 514 to 512.

set-aduser -identity healther.jay -replace @{useraccountcontrol=512}

There is also the set-ADAccountControl cmdlet that lets you modify the UserAccountControl values.

Set-ADAccountControl -Identity healther.jay -PasswordNotRequired $False
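Replacing the whole value, as in the set-aduser example above, also wipes any other flag the account had (an account at 66050 that you "fix" to 512 silently loses DONT_EXPIRE_PASSWORD). The following added example, not code from the original article, changes one bit at a time with bitwise operators and supports -WhatIf so you can preview the new value first. It assumes the ActiveDirectory module; the function name Set-UacFlag is mine.

```powershell
# Added example: set or clear a single UserAccountControl bit, leaving the rest intact.
$ACCOUNTDISABLE = 0x0002   # 2 in the table

function Set-UacFlag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][int]$Flag,
        [switch]$Clear   # clear the bit instead of setting it
    )
    $user = Get-ADUser -Identity $Identity -Properties userAccountControl
    $old  = [int]$user.userAccountControl
    # -bor turns the bit on; -band with the inverted mask turns only that bit off.
    $new  = if ($Clear) { $old -band (-bnot $Flag) } else { $old -bor $Flag }
    if ($new -eq $old) {
        Write-Verbose "$Identity already has the requested state ($old)"
        return
    }
    # With -WhatIf this prints the before/after values and writes nothing.
    if ($PSCmdlet.ShouldProcess($Identity, "userAccountControl $old -> $new")) {
        Set-ADUser -Identity $user -Replace @{ userAccountControl = $new }
    }
}

# Re-enable the account from the article without touching its other flags.
Set-UacFlag -Identity healther.jay -Flag $ACCOUNTDISABLE -Clear -WhatIf
```

For the common bits, Set-ADAccountControl does the same preserving update through named switches (for example -Enabled, -PasswordNeverExpires, -PasswordNotRequired), so reach for the raw bitmask only when no switch covers the flag you need.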
