User Management with Active Directory—Managing Basic User Account Properties in Active Directory
© 2006 Pearson Education, Inc.
Managing Basic User Account Properties in Active Directory
Many of the important behaviors associated with a Windows account in Active Directory, such as enabled/disabled status, are controlled by an attribute called userAccountControl. This attribute contains a 32-bit integer that represents a bitwise enumeration of various flags that control account behavior.
These flags are represented in ADSI by an enumerated constant called ADS_USER_FLAG. Because this enumeration is so important in terms of working with user objects in System.DirectoryServices (SDS), we will convert the ADSI enumeration into a .NET-style enumeration, as shown in Listing 10.2.
Listing 10.2: User Account Control Flags
[Flags]
public enum AdsUserFlags
{
    Script = 1,                                // 0x1
    AccountDisabled = 2,                       // 0x2
    HomeDirectoryRequired = 8,                 // 0x8
    AccountLockedOut = 16,                     // 0x10
    PasswordNotRequired = 32,                  // 0x20
    PasswordCannotChange = 64,                 // 0x40
    EncryptedTextPasswordAllowed = 128,        // 0x80
    TempDuplicateAccount = 256,                // 0x100
    NormalAccount = 512,                       // 0x200
    InterDomainTrustAccount = 2048,            // 0x800
    WorkstationTrustAccount = 4096,            // 0x1000
    ServerTrustAccount = 8192,                 // 0x2000
    PasswordDoesNotExpire = 65536,             // 0x10000
    MnsLogonAccount = 131072,                  // 0x20000
    SmartCardRequired = 262144,                // 0x40000
    TrustedForDelegation = 524288,             // 0x80000
    AccountNotDelegated = 1048576,             // 0x100000
    UseDesKeyOnly = 2097152,                   // 0x200000
    DontRequirePreauth = 4194304,              // 0x400000
    PasswordExpired = 8388608,                 // 0x800000
    TrustedToAuthenticateForDelegation = 16777216, // 0x1000000
    NoAuthDataRequired = 33554432              // 0x2000000
}
As we look through the members of this enumeration, we see a variety of words we associate with Windows accounts, such as AccountDisabled and PasswordNotRequired (the last one we hope you never use!). We also see some flags that we probably do not recognize, such as MnsLogonAccount and UseDesKeyOnly. For the most part, the esoteric flags are not important in daily account management tasks, so we can ignore them. Chances are, if we need these flags we are probably quite aware of them already.
The important thing to note is that even though 21 flags are currently defined for use with the userAccountControl attribute, Active Directory does not actually use all of them! Specifically, the ones that are not meaningful to Active Directory are
    AccountLockedOut
    PasswordCannotChange
    PasswordExpired
Active Directory actually uses different mechanisms to control these account properties, so do not try to read them from userAccountControl! We discuss how to deal with the special cases in the upcoming sections.
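As an added example (not the book's code), the following decoder applies the Listing 10.2 flags to a raw userAccountControl integer: it masks out the three flags the text says Active Directory does not maintain in this attribute, reports the settings an account reviewer would want to see, and shows the read-modify-write needed to toggle AccountDisabled without disturbing the other bits. The enum is repeated so the file compiles alone; the UacAudit class and the sample value 0x400220 are constructed for illustration, and nothing here talks to a directory.

```csharp
using System;
using System.Collections.Generic;

// AdsUserFlags from Listing 10.2, repeated so this file compiles on its own.
[Flags]
public enum AdsUserFlags
{
    Script = 0x1, AccountDisabled = 0x2, HomeDirectoryRequired = 0x8,
    AccountLockedOut = 0x10, PasswordNotRequired = 0x20, PasswordCannotChange = 0x40,
    EncryptedTextPasswordAllowed = 0x80, TempDuplicateAccount = 0x100, NormalAccount = 0x200,
    InterDomainTrustAccount = 0x800, WorkstationTrustAccount = 0x1000, ServerTrustAccount = 0x2000,
    PasswordDoesNotExpire = 0x10000, MnsLogonAccount = 0x20000, SmartCardRequired = 0x40000,
    TrustedForDelegation = 0x80000, AccountNotDelegated = 0x100000, UseDesKeyOnly = 0x200000,
    DontRequirePreauth = 0x400000, PasswordExpired = 0x800000,
    TrustedToAuthenticateForDelegation = 0x1000000, NoAuthDataRequired = 0x2000000
}

// Constructed helper (not part of the book): works on the raw integer only, so it runs
// without a directory; the caller reads and writes the attribute through SDS.
public static class UacAudit
{
    // The text notes AD does not keep these in userAccountControl, so never report them from it.
    const AdsUserFlags NotMeaningfulInAd =
        AdsUserFlags.AccountLockedOut | AdsUserFlags.PasswordCannotChange | AdsUserFlags.PasswordExpired;
    // Settings worth a second look on an ordinary user account.
    const AdsUserFlags ReviewWorthy = AdsUserFlags.PasswordNotRequired | AdsUserFlags.DontRequirePreauth
        | AdsUserFlags.UseDesKeyOnly | AdsUserFlags.PasswordDoesNotExpire | AdsUserFlags.TrustedForDelegation;

    public static bool Has(int uac, AdsUserFlags flag) => ((AdsUserFlags)uac & flag) == flag;

    // Read-modify-write: change only the AccountDisabled bit, preserving every other flag.
    public static int SetDisabled(int uac, bool disabled) =>
        disabled ? uac | (int)AdsUserFlags.AccountDisabled : uac & ~(int)AdsUserFlags.AccountDisabled;

    // Every defined flag that is set, excluding the three AD ignores here.
    public static List<AdsUserFlags> Decode(int uac)
    {
        var set = new List<AdsUserFlags>();
        foreach (AdsUserFlags f in Enum.GetValues(typeof(AdsUserFlags)))
            if (Has(uac, f) && (f & NotMeaningfulInAd) == 0) set.Add(f);
        return set;
    }

    public static AdsUserFlags ReviewWorthySettings(int uac) => (AdsUserFlags)uac & ReviewWorthy;

    static void Main()
    {
        int uac = 0x400220;  // constructed sample: NormalAccount | PasswordNotRequired | DontRequirePreauth
        Console.WriteLine("Set flags: " + string.Join(", ", Decode(uac)));
        Console.WriteLine("Review: " + ReviewWorthySettings(uac));
        Console.WriteLine("Enabled: " + !Has(uac, AdsUserFlags.AccountDisabled));
        Console.WriteLine("Disabled value: 0x" + SetDisabled(uac, true).ToString("X"));
    }
}
```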