Galactic API

ActiveDirectoryUserAccountControl Enumeration

Flags for use with the UserAccountControl and ms-DS-User-Account-Control-Computed properties of a user.

Namespace:  Galactic.ActiveDirectory
Assembly:  Galactic.ActiveDirectory (in Galactic.ActiveDirectory.dll) Version: 1.3.0.499 (1.3.0.499)
Syntax
public enum UserAccountControl
Members
| Member name | Value | Description |
| --- | --- | --- |
| Script | 1 | The logon script will be run. |
| Accountdisable | 2 | The user account is disabled. |
| HomedirRequired | 8 | The home folder is required. |
| Lockout | 16 | Only available via ms-DS-User-Account-Control-Computed attribute. |
| PasswdNotreqd | 32 | No password is required. |
| PasswdCantChange | 64 | The user cannot change the password. This is a permission on the user's object. For information about how to set this permission, visit the following Web site: http://msdn2.microsoft.com/en-us/library/aa746398.aspx |
| EncryptedTextPwdAllowed | 128 | The user can send an encrypted password. |
| TempDuplicateAccount | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. |
| NormalAccount | 512 | This is a default account type that represents a typical user. |
| InterdomainTrustAccount | 2048 | This is a permit to trust an account for a system domain that trusts other domains. |
| WorkstationTrustAccount | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. |
| ServerTrustAccount | 8192 | This is a computer account for a domain controller that is a member of this domain. |
| DontExpirePassword | 65536 | Represents the password, which should never expire on the account. |
| MNSLogonAccount | 131072 | This is an MNS logon account. |
| SmartcardRequired | 262144 | When this flag is set, it forces the user to log on by using a smart card. |
| TrustedForDelgation | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account. |
| NotDelegated | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation. |
| UseDESKeyOnly | 2097152 | (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption for keys. |
| DontReqPreauth | 4194304 | (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on. |
| PasswordExpired | 8388608 | Only available via ms-DS-User-Account-Control-Computed attribute. (Windows 2000/Windows Server 2003) The user's password has expired. |
| TrustedToAuthForDelegation | 16777216 | (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network. |
| PartialSecretsAccount | 67108864 | Only available via ms-DS-User-Account-Control-Computed attribute. (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. |
| UseAESKeys | 134217728 | Only available via ms-DS-User-Account-Control-Computed attribute. |
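
The following C# program is an added example, not code from the Galactic library: it reviews raw userAccountControl values for settings that weaken an account, using the numeric values from the table, and reads lockout and expiry state only from the computed attribute. The `Uac` enum, the `UacReview` class, the account names and the choice of which flags count as sensitive are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;

// Local copy of the members this review needs; values are those listed in the table above.
[Flags]
enum Uac : uint
{
    Accountdisable = 2, Lockout = 16, PasswdNotreqd = 32, DontExpirePassword = 65536,
    TrustedForDelgation = 524288, UseDESKeyOnly = 2097152, DontReqPreauth = 4194304,
    PasswordExpired = 8388608, TrustedToAuthForDelegation = 16777216
}

static class UacReview
{
    // Assumed review policy: settings that should be justified on any enabled account.
    const Uac Sensitive = Uac.PasswdNotreqd | Uac.DontExpirePassword | Uac.TrustedForDelgation
        | Uac.UseDESKeyOnly | Uac.DontReqPreauth | Uac.TrustedToAuthForDelegation;
    // Listed above as only available via ms-DS-User-Account-Control-Computed.
    const Uac ComputedOnly = Uac.Lockout | Uac.PasswordExpired;

    // stored = userAccountControl, computed = ms-DS-User-Account-Control-Computed.
    public static List<string> Review(string account, uint stored, uint computed)
    {
        var findings = new List<string>();
        var s = (Uac)stored;
        if (s.HasFlag(Uac.Accountdisable))
            return findings;                       // disabled accounts are out of scope here
        foreach (Uac flag in Enum.GetValues(typeof(Uac)))
            if ((Sensitive & flag) != 0 && s.HasFlag(flag))
                findings.Add($"{account}: {flag} is set");
        // State bits must be read from the computed attribute, never from the stored one.
        var state = (Uac)computed & ComputedOnly;
        if (state != 0)
            findings.Add($"{account}: current state {state}");
        return findings;
    }

    static void Main()
    {
        // Constructed sample rows: (name, userAccountControl, computed value).
        var rows = new (string, uint, uint)[] {
            ("svc-web",  512 + 524288,       0),        // normal account, trusted for delegation
            ("legacy01", 512 + 32 + 4194304, 8388608),  // no password required, no pre-auth, expired
            ("old-temp", 514 + 65536,        0),        // disabled, so skipped
            ("alice",    512,                16)        // clean flags, currently locked out
        };
        foreach (var (name, stored, computed) in rows)
            foreach (var line in Review(name, stored, computed))
                Console.WriteLine(line);
    }
}
```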