Mastering UserAccountControl Flags in Windows Server: A Comprehensive Guide

UserAccountControl Flags

In the realm of Windows Server administration, understanding and managing user and computer accounts is fundamental. A critical aspect of account management lies within the UserAccountControl attribute, a powerful property stored in Active Directory that governs various characteristics and permissions of an account. This attribute isn’t a simple on/off switch; instead, it’s a bitmask, where each bit represents a specific flag that enables or disables a particular feature or status for the account.

Modifying the UserAccountControl property allows administrators to control everything from whether an account is enabled or disabled to complex settings like password requirements and Kerberos delegation. Since it’s a bitmask, multiple flags can be set simultaneously on a single account, resulting in a combined numerical value. Understanding the individual flags and how they interact is essential for effective and secure identity management within a Windows domain environment.

Understanding the UserAccountControl Attribute

The UserAccountControl attribute is an integer value found on user and computer objects within Active Directory. Each specific setting related to the account’s behavior corresponds to a unique bit within this integer. When a flag is “set” or enabled, the corresponding bit is 1; otherwise, it’s 0. The final integer value is the sum of the decimal values of all set bits.

For example, if an account has the ACCOUNTDISABLE flag set (decimal value 2) and the NORMAL_ACCOUNT flag set (decimal value 512), the UserAccountControl value would be 2 + 512 = 514. When viewing this attribute using tools like AD Users and Computers, you typically see a user-friendly description, but behind the scenes, the system relies on this numerical representation. Managing these flags programmatically, such as with PowerShell or scripts, often involves working directly with the bitmask values.

Key UserAccountControl Flags

The UserAccountControl attribute encompasses a wide array of flags, each serving a distinct purpose. Here is a breakdown of some of the most common and important flags you will encounter when managing accounts in Windows Server environments:

  • SCRIPT (Value: 1): This flag indicates that a logon script should be executed when the user logs on. Logon scripts are often used to configure the user’s environment, map drives, or run applications upon startup. When this flag is set, the system looks for a script specified in the user’s profile properties.
  • ACCOUNTDISABLE (Value: 2): This is perhaps one of the most frequently used flags. Setting this flag disables the user account, preventing the user from logging on to the domain or accessing domain resources. It’s commonly used when an employee leaves the organization or when an account needs to be temporarily suspended.
  • HOMEDIR_REQUIRED (Value: 8): This flag specifies that a home folder is required for the user account. If a home directory is not configured or is inaccessible, the user may encounter issues or be prevented from logging in, depending on the system configuration.
  • PASSWD_NOTREQD (Value: 32): Setting this flag means that no password is required for the account. This is generally considered a high-risk setting and should be used with extreme caution, typically only for very specific service accounts or scenarios where security is managed through other means.
  • PASSWD_CANT_CHANGE (Value: 64): This flag prevents the user from changing their password. While it appears as a simple flag here, programmatically setting this involves modifying permissions on the user object itself, specifically granting or denying the “Change Password” permission. This is often used for service accounts or shared accounts where password changes need to be centrally controlled.
  • ENCRYPTED_TEXT_PASSWORD_ALLOWED (Value: 128): This flag indicates that the user can send an encrypted password. Its usage is less common in modern environments and relates to older password protocols.
  • TEMP_DUPLICATE_ACCOUNT (Value: 256): This denotes a temporary account for users whose primary account resides in another domain. This account grants the user access to this domain but does not extend trust to other domains that trust this one. It’s sometimes referred to as a local user account in the context of a domain trust scenario.
  • NORMAL_ACCOUNT (Value: 512): This is the default account type for a typical user. Most standard user accounts will have this flag set alongside others like ACCOUNTDISABLE or password-related flags. It signifies a standard user object as opposed to a system or trust account.
  • INTERDOMAIN_TRUST_ACCOUNT (Value: 2048): This flag identifies an account that permits trust for a system domain that trusts other domains. These accounts are automatically created and managed by the system for establishing and maintaining domain trusts.
  • WORKSTATION_TRUST_ACCOUNT (Value: 4096): This represents a computer account for a workstation or server (running older Windows versions like NT 4.0, Windows 2000) that is a member of this domain. These accounts are created when a machine is joined to the domain.
  • SERVER_TRUST_ACCOUNT (Value: 8192): This is a computer account specifically for a domain controller that is a member of this domain. These accounts are critical for the functioning of the domain and are created during the domain controller promotion process.
  • DONT_EXPIRE_PASSWD (Value: 65536): When this flag is set, the password for this account is configured not to expire. This is often used for service accounts or administrative accounts where frequent password changes could disrupt services or workflows. However, it should be used cautiously due to security implications.
  • MNS_LOGON_ACCOUNT (Value: 131072): This flag is related to Microsoft Network Service (MNS) logon accounts. Its relevance has diminished with newer Windows Server versions.
  • SMARTCARD_REQUIRED (Value: 262144): Setting this flag forces the user to log on using a smart card. This is a strong authentication method commonly used in high-security environments. When this flag is set, traditional password-based logon methods are typically disabled or bypassed.
  • TRUSTED_FOR_DELEGATION (Value: 524288): This is a highly sensitive flag. When set on a user or computer account under which a service runs, it allows that service account to be trusted for Kerberos delegation. A service running under such an account can impersonate a client requesting the service and authenticate as that client to other servers. This must be configured carefully to avoid security vulnerabilities.
  • NOT_DELEGATED (Value: 1048576): When this flag is set on a user account, it prevents the user’s security context from being delegated to a service, even if the service account running the service is marked as TRUSTED_FOR_DELEGATION. This provides a way to restrict delegation for specific users.
  • USE_DES_KEY_ONLY (Value: 2097152): (Windows 2000/Windows Server 2003) This flag restricts the principal (user or computer) to using only Data Encryption Standard (DES) encryption types for Kerberos keys. DES is considered cryptographically weak by modern standards and this flag should generally not be used.
  • DONT_REQUIRE_PREAUTH (Value: 4194304): (Windows 2000/Windows Server 2003) This flag indicates that the account doesn’t require Kerberos pre-authentication for logging on. Pre-authentication helps protect against password guessing attacks, so disabling it is generally not recommended.
  • PASSWORD_EXPIRED (Value: 8388608): (Windows 2000/Windows Server 2003) This flag signifies that the user’s password has expired. While listed as a UserAccountControl flag in older documentation, in modern AD this status is typically managed separately and not directly represented by this modifiable flag value.
  • TRUSTED_TO_AUTH_FOR_DELEGATION (Value: 16777216): (Windows 2000/Windows Server 2003) Similar to TRUSTED_FOR_DELEGATION, this flag enables delegation. It’s a security-sensitive setting allowing a service under the account to assume a client’s identity and authenticate to other remote servers.

It’s important to note that some flags are mutually exclusive or are automatically set or cleared by the system based on other configuration. For instance, ACCOUNTDISABLE does not replace NORMAL_ACCOUNT: a disabled user keeps NORMAL_ACCOUNT set (giving 514) but can no longer log on. Also, flags like WORKSTATION_TRUST_ACCOUNT and SERVER_TRUST_ACCOUNT are specific to computer objects, not user objects.

Working with UserAccountControl Values

Since UserAccountControl is a bitmask, its value is the sum of the decimal values of all set flags. This is crucial when viewing or modifying the attribute programmatically.

Here is a table of some common UserAccountControl flag values and their meanings:

Flag Name               Decimal Value  Hexadecimal Value  Description
SCRIPT                  1              0x1                Logon script will run.
ACCOUNTDISABLE          2              0x2                Account is disabled.
HOMEDIR_REQUIRED        8              0x8                Home folder is required.
PASSWD_NOTREQD          32             0x20               No password is required.
PASSWD_CANT_CHANGE      64             0x40               User cannot change password.
NORMAL_ACCOUNT          512            0x200              Typical user account.
DONT_EXPIRE_PASSWD      65536          0x10000            Password should never expire.
SMARTCARD_REQUIRED      262144         0x40000            Requires smart card for logon.
TRUSTED_FOR_DELEGATION  524288         0x80000            Account is trusted for Kerberos delegation.
NOT_DELEGATED           1048576        0x100000           User’s security context cannot be delegated.

Administrators commonly combine flags to achieve desired account states. For instance:
* A standard enabled user with password expiry: NORMAL_ACCOUNT (512).
* A disabled user account: ACCOUNTDISABLE (2) + NORMAL_ACCOUNT (512) = 514.
* A service account that cannot change its password and whose password doesn’t expire: NORMAL_ACCOUNT (512) + PASSWD_CANT_CHANGE (64) + DONT_EXPIRE_PASSWD (65536) = 66112.

These values are what you would see if you queried the UserAccountControl attribute directly using tools like ldp.exe or PowerShell.
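The decoding and composition described in the last two sections can be checked offline. The following PowerShell (an added example, not code from the original article) defines the flags listed above as a [Flags] enum and provides small helpers that turn a UserAccountControl integer into flag names, build an integer from names, and set, clear or test one bit. The enum and function names are my own; the flag values are the ones given in this article.

```powershell
# Added example: decode and compose UserAccountControl bitmasks without touching AD.
# Requires PowerShell 5 or later for the enum keyword. Values are from the article's flag list.
[Flags()] enum UacFlag {
    SCRIPT                          = 0x1
    ACCOUNTDISABLE                  = 0x2
    HOMEDIR_REQUIRED                = 0x8
    PASSWD_NOTREQD                  = 0x20
    PASSWD_CANT_CHANGE              = 0x40
    ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x80
    TEMP_DUPLICATE_ACCOUNT          = 0x100
    NORMAL_ACCOUNT                  = 0x200
    INTERDOMAIN_TRUST_ACCOUNT       = 0x800
    WORKSTATION_TRUST_ACCOUNT       = 0x1000
    SERVER_TRUST_ACCOUNT            = 0x2000
    DONT_EXPIRE_PASSWD              = 0x10000
    MNS_LOGON_ACCOUNT               = 0x20000
    SMARTCARD_REQUIRED              = 0x40000
    TRUSTED_FOR_DELEGATION          = 0x80000
    NOT_DELEGATED                   = 0x100000
    USE_DES_KEY_ONLY                = 0x200000
    DONT_REQUIRE_PREAUTH            = 0x400000
    PASSWORD_EXPIRED                = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION  = 0x1000000
}

function ConvertFrom-Uac {
    # Names of every flag set in $Value; bits the enum does not know are reported as UNKNOWN(0x..).
    param([Parameter(Mandatory)][int]$Value)
    $names = @(foreach ($f in [UacFlag].GetEnumValues()) {
        if (($Value -band [int]$f) -ne 0) { $f.ToString() }
    })
    $known = 0
    foreach ($f in [UacFlag].GetEnumValues()) { $known = $known -bor [int]$f }
    $unknown = $Value -band (-bnot $known)
    if ($unknown -ne 0) { $names += ('UNKNOWN(0x{0:X})' -f $unknown) }
    return $names
}

function ConvertTo-Uac {
    # Integer value for a list of flag names, i.e. the bitwise OR of their values.
    param([Parameter(Mandatory)][UacFlag[]]$Flags)
    $value = 0
    foreach ($f in $Flags) { $value = $value -bor [int]$f }
    return $value
}

function Set-UacFlag   { param([int]$Value, [UacFlag]$Flag) $Value -bor [int]$Flag }           # OR sets the bit
function Clear-UacFlag { param([int]$Value, [UacFlag]$Flag) $Value -band (-bnot [int]$Flag) }  # AND NOT clears it
function Test-UacFlag  { param([int]$Value, [UacFlag]$Flag) ($Value -band [int]$Flag) -ne 0 }

# The article's own worked values: a disabled user and a service account.
ConvertFrom-Uac -Value 514
ConvertTo-Uac -Flags NORMAL_ACCOUNT, PASSWD_CANT_CHANGE, DONT_EXPIRE_PASSWD
Test-UacFlag -Value 514 -Flag ACCOUNTDISABLE
# Clearing a bit that is not set leaves the value unchanged; XOR would have set it instead.
Clear-UacFlag -Value 512 -Flag DONT_EXPIRE_PASSWD
```

Because the enum carries the [Flags] attribute, PowerShell also renders a cast such as `[UacFlag]514` as a comma-separated list of names, which is handy in an interactive session; the helper functions are what you would reuse in a script, and Set-UacFlag and Clear-UacFlag are idempotent, which plain addition and subtraction are not.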

Managing UserAccountControl Flags

Managing these flags can be done through various methods in Windows Server:

Active Directory Users and Computers (ADUC)

The most common graphical tool is ADUC. While you don’t see the numerical bitmask directly, the checkboxes on the ‘Account’ tab of a user or computer object’s properties correspond to specific UserAccountControl flags.

For example, the “Account is disabled” checkbox maps directly to the ACCOUNTDISABLE flag. The “Password never expires” checkbox maps to the DONT_EXPIRE_PASSWD flag. The “User cannot change password” option on the ‘General’ tab, while linked to the PASSWD_CANT_CHANGE flag, is also tied to permissions, as mentioned earlier. Advanced features like delegation settings are configured on the ‘Delegation’ tab, which sets the TRUSTED_FOR_DELEGATION or TRUSTED_TO_AUTH_FOR_DELEGATION flags.

PowerShell

PowerShell is an indispensable tool for scripting and automating Active Directory management, including UserAccountControl flags. The Get-ADUser and Set-ADUser cmdlets (or Get-ADComputer and Set-ADComputer) are used to read and modify the UserAccountControl property.

To view the current UserAccountControl value for a user:

Get-ADUser -Identity <username> -Properties UserAccountControl | Select-Object UserAccountControl

This will output the numerical value. To see the flags represented by this value, you can use a bitwise comparison or a helper function.

To set or clear flags, you operate on the existing value with bitwise operators rather than plain arithmetic: a bitwise OR with the flag’s value sets it (ORing in the ACCOUNTDISABLE value, 2, disables the account) and a bitwise AND with the complement of the value clears it. Adding or subtracting the decimal value gives the same result only when the flag is not yet set (or is already set, respectively), so the bitwise forms are the safe ones. Set-ADUser writes the result back through its -Replace parameter, which takes the attribute’s LDAP name (userAccountControl) and the new integer; for the common flags the cmdlet also offers dedicated parameters such as -Enabled and -PasswordNeverExpires, so you rarely need the raw value.

To disable a user account:

Set-ADUser -Identity <username> -Enabled $false

Note: While you can manipulate the raw UserAccountControl bits for enable/disable, using the -Enabled parameter in Set-ADUser is the standard and recommended way.

To set the “Password Never Expires” flag:

Set-ADUser -Identity <username> -PasswordNeverExpires $true

To set a specific flag using its numerical value:

$user = Get-ADUser -Identity <username> -Properties UserAccountControl
$currentUac = $user.UserAccountControl
$dontExpirePasswd = 65536 # DONT_EXPIRE_PASSWD value (0x10000)
$newUac = $currentUac -bor $dontExpirePasswd # Bitwise OR sets the flag; no change if it is already set
Set-ADUser -Identity <username> -Replace @{userAccountControl = $newUac} # Set-ADUser has no -UserAccountControl parameter; -Replace writes the attribute by its LDAP name

To remove a specific flag using the numerical value:

$user = Get-ADUser -Identity <username> -Properties UserAccountControl
$currentUac = $user.UserAccountControl
$dontExpirePasswd = 65536 # DONT_EXPIRE_PASSWD value (0x10000)
$newUac = $currentUac -band (-bnot $dontExpirePasswd) # Bitwise AND NOT clears the flag; XOR would set it if it were not already set
Set-ADUser -Identity <username> -Replace @{userAccountControl = $newUac}

Set-ADUser itself accepts only the integer, but on PowerShell 5 and later you can give the bits readable names with a [Flags] enum and use those names in the same read-modify-write, which is cleaner:

[Flags()] enum Uac { ACCOUNTDISABLE = 0x2; DONT_EXPIRE_PASSWD = 0x10000 } # add further members from the flag list as needed
$uac = (Get-ADUser -Identity <username> -Properties userAccountControl).userAccountControl
Set-ADUser -Identity <username> -Replace @{userAccountControl = ($uac -bor [int][Uac]::DONT_EXPIRE_PASSWD)}       # set
Set-ADUser -Identity <username> -Replace @{userAccountControl = ($uac -band -bnot [int][Uac]::DONT_EXPIRE_PASSWD)} # clear
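The read-modify-write steps above, collected into one reusable function as an added example (not code from the original article). It assumes the RSAT ActiveDirectory module, a domain connection, and a placeholder user named svc-example; the function name Update-UacBit is my own. It supports -WhatIf so a change can be previewed, skips the write when the bit is already in the requested state, and finishes by reading the same bit back through the cmdlet’s own property to confirm the result.

```powershell
# Added example: set or clear one UserAccountControl bit on a real account via Set-ADUser -Replace.
# Assumes the RSAT ActiveDirectory module; 'svc-example' is a placeholder account name.
Import-Module ActiveDirectory

function Update-UacBit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][int]$Flag,   # flag value, e.g. 0x10000 for DONT_EXPIRE_PASSWD
        [Parameter(Mandatory)][ValidateSet('Set', 'Clear')][string]$Action
    )
    # Read the current bitmask; -Properties is needed because userAccountControl is not a default property.
    $user = Get-ADUser -Identity $Identity -Properties userAccountControl
    $old  = [int]$user.userAccountControl
    # OR sets the bit, AND NOT clears it; both are safe whatever the current state.
    $new  = if ($Action -eq 'Set') { $old -bor $Flag } else { $old -band (-bnot $Flag) }
    if ($new -eq $old) {
        Write-Verbose ("{0}: bit 0x{1:X} already {2}, nothing to write" -f $Identity, $Flag, $Action.ToLower())
        return $old
    }
    # ShouldProcess honours -WhatIf and -Confirm; the message shows the old and new bitmask in hex.
    if ($PSCmdlet.ShouldProcess($Identity, ('userAccountControl 0x{0:X} -> 0x{1:X}' -f $old, $new))) {
        Set-ADUser -Identity $Identity -Replace @{ userAccountControl = $new }
    }
    return $new
}

# Preview, apply, then confirm through the cmdlet's own view of the same bit.
Update-UacBit -Identity 'svc-example' -Flag 0x10000 -Action Set -WhatIf
Update-UacBit -Identity 'svc-example' -Flag 0x10000 -Action Set -Verbose
(Get-ADUser -Identity 'svc-example' -Properties PasswordNeverExpires).PasswordNeverExpires
```

Use the dedicated parameters (-Enabled, -PasswordNeverExpires, -TrustedForDelegation and so on) wherever one exists and reserve the raw -Replace form for bits that have none; either way the change is recorded on the domain controller as a user-account-changed audit event that includes the old and new UAC values, which is what you would look for when reviewing who changed an account.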

dsmod and dsquery Commands

Older command-line tools like dsmod user and dsquery user can also be used to manage these flags, although PowerShell is generally preferred for its flexibility and power.

To disable a user with dsmod:

dsmod user "cn=<username>,cn=Users,dc=<domain>,dc=com" -disabled yes

To enable:

dsmod user "cn=<username>,cn=Users,dc=<domain>,dc=com" -disabled no

Other attributes corresponding to UserAccountControl flags can also be modified using dsmod.

LDP.exe

ldp.exe, the LDAP client shipped with the AD DS tools, is a GUI tool used for querying and modifying objects in an LDAP directory like Active Directory. It allows you to connect to a Domain Controller, browse the directory tree, and view or edit attributes. When viewing an object in LDP, the UserAccountControl attribute is displayed as a decimal integer. You can manually calculate the value for desired flags and input that number when modifying the attribute. This is a lower-level tool and less user-friendly for daily management compared to ADUC or PowerShell but useful for troubleshooting.

Common Scenarios and Best Practices

  • Account Creation: When creating a new user account, the NORMAL_ACCOUNT flag is typically set by default. Other flags, like requiring a password change at the next logon (not a UserAccountControl flag itself, but related account state), are often configured during creation.
  • Disabling Accounts: When an employee leaves or an account is compromised, setting the ACCOUNTDISABLE flag is standard practice. It’s recommended to disable accounts rather than deleting them immediately, as this preserves the account’s history and permissions for auditing purposes.
  • Service Accounts: Service accounts often require the PASSWD_CANT_CHANGE and DONT_EXPIRE_PASSWD flags. They may also be configured for delegation (TRUSTED_FOR_DELEGATION) if they need to authenticate as clients to other services. These accounts should be tightly controlled and their privileges minimized.
  • Security Hardening: Flags like PASSWD_NOTREQD should be avoided. Ensuring SMARTCARD_REQUIRED is used where strong authentication is needed enhances security. Careful management of delegation flags (TRUSTED_FOR_DELEGATION, NOT_DELEGATED) is paramount to prevent potential attacks.
  • Automation: Use PowerShell to automate tasks involving UserAccountControl flags, such as bulk disabling accounts or standardizing settings for different types of accounts.
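The hardening and automation points above come together in an audit script. As an added example (not code from the original article), the following PowerShell lists every user or computer account that has one of the high-risk bits discussed in this article set. It uses the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803), so the domain controller performs the bit test and only matching objects are returned; disabled accounts are skipped by default. It assumes the RSAT ActiveDirectory module and read access to the domain; the function name Get-RiskyUacAccounts and the $riskyBits table are my own.

```powershell
# Added example: audit Active Directory for risky UserAccountControl bits.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Bits this article calls out as security-sensitive, with the reason each matters.
$riskyBits = [ordered]@{
    PASSWD_NOTREQD                 = 0x20       # a blank password is permitted
    DONT_EXPIRE_PASSWD             = 0x10000    # the password is never rotated
    TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained Kerberos delegation
    USE_DES_KEY_ONLY               = 0x200000   # weak DES Kerberos keys
    DONT_REQUIRE_PREAUTH           = 0x400000   # Kerberos pre-authentication disabled
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # delegation with protocol transition
}

function Get-RiskyUacAccounts {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$IncludeDisabled
    )
    # LDAP_MATCHING_RULE_BIT_AND: the filter matches when (userAccountControl AND value) is non-zero.
    $bitAnd = 'userAccountControl:1.2.840.113556.1.4.803:='
    $notDisabled = if ($IncludeDisabled) { '' } else { "(!($bitAnd" + '2))' }
    foreach ($entry in $riskyBits.GetEnumerator()) {
        # objectClass=user also matches computer objects, so delegation on machine accounts is covered.
        $filter = "(&(objectClass=user)$notDisabled($bitAnd$($entry.Value)))"
        Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -Properties userAccountControl |
            ForEach-Object {
                [pscustomobject]@{
                    Flag        = $entry.Key
                    Name        = $_.Name
                    ObjectClass = $_.ObjectClass
                    UAC         = '0x{0:X}' -f [int]$_.userAccountControl
                    DN          = $_.DistinguishedName
                }
            }
    }
}

Get-RiskyUacAccounts | Sort-Object Flag, Name | Format-Table Flag, Name, ObjectClass, UAC -AutoSize
```

Run it on a schedule and diff the output against the previous run: a new row under PASSWD_NOTREQD, DONT_REQUIRE_PREAUTH or either delegation flag is a change that should have a ticket behind it. The Get-ADUser filter properties (PasswordNotRequired, DoesNotRequirePreAuth, TrustedForDelegation) cover some of the same bits for user objects, but the LDAP bitwise filter works for any bit and for computer objects too.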

Visualizing Account State Changes

Understanding how flags change as an account moves through its lifecycle can be helpful. Here’s a simple Mermaid diagram illustrating a possible flow for a user account:

mermaid
graph TD
    A[Account Creation] --> B(NORMAL_ACCOUNT = 512);
    B --> C{User Logs On};
    C --> D[Account Enabled - Default Flags];
    D --> E{Account Disabled?};
    E -- Yes --> F(ACCOUNTDISABLE<br>NORMAL_ACCOUNT<br>UAC = 514);
    E -- No --> G{Password Expiration?};
    G -- Never --> H(DONT_EXPIRE_PASSWD<br>NORMAL_ACCOUNT<br>UAC = 66048);
    G -- Standard --> D;
    F --> I[Account Disabled];
    I --> J{Re-enable?};
    J -- Yes --> D;
    I --> K[Account Deletion];

This diagram simplifies the process but shows how enabling/disabling changes the UserAccountControl value. Setting other flags like DONT_EXPIRE_PASSWD further modifies the value.

Exploring Further

To deepen your understanding, consider exploring resources that demonstrate practical examples of managing these flags using PowerShell or other scripting languages. Looking into how these flags are used in specific security contexts, such as configuring constrained delegation or auditing account status changes, can also be highly beneficial.


Conclusion

The UserAccountControl attribute is a fundamental component of account management in Windows Server and Active Directory. By mastering the individual flags and understanding how they combine as a bitmask, administrators gain granular control over user and computer account behavior, security settings, and capabilities like delegation. Whether using graphical tools, command-line utilities, or scripting with PowerShell, a solid grasp of UserAccountControl is essential for maintaining a secure and well-managed Active Directory environment.

What challenges have you faced when working with UserAccountControl flags, or what are your preferred methods for managing them? Share your thoughts and experiences in the comments below!
