-
Title
UserAccountControl Flags and Active Roles Virtual Attributes -
Description
This article outlines the Active Roles Virtual Attributes to use in place of setting Bitwise values on userAccountControl.
-
Resolution
UserAccountControl Flags and Active Roles Virtual Attributes
The table below provides the list of native Active Directory userAccountControl flags to the corresponding Active Roles User Virtual Attributes. Setting the Active Roles attributes can simplify updating UserAccountControl instead of using Bitwise updates.
userAccountControl Flag
Bitwise Value
Active Roles Virtual Attribute (Boolean True/False)
Description
ACCOUNTDISABLE
2
edsaAccountIsDisabled
Disables the user account, preventing it from logging in.
PASSWD_CANT_CHANGE
64
edsaUserCannotChangePassword
Prevents the user from changing their own password.
DONT_EXPIRE_PASSWORD
65536
edsaPasswordNeverExpires
Sets the account password to never expire.
SMARTCARD_REQUIRED
262144
edsaSmartCardIsRequired
Requires the user to log in using a smart card.
TRUSTED_FOR_DELEGATION
524288
edsaAccountIsTrustedForDelegation
Enables the account to impersonate other accounts for delegation scenarios.
LOCKOUT
16
edsaAccountLockedOut
Indicates if the account is currently locked due to failed login attempts.
PASSWD_NOTREQD
32
edsaDoNotRequirePassword
Allows account creation without requiring a password.
DONT_REQUIRE_PREAUTH
4194304
edsaDoNotRequireKerberosPreauthentication
Disables Kerberos pre-authentication, often used for legacy systems.
HOMEDIR_REQUIRED
8
edsvaHomeDirectory
Specifies that a home directory is required for the account.
TRUSTED_TO_AUTH_FOR_DELEGATION
16777216
edsaTrustedToAuthenticateForDelegation
Allows the account to authenticate for delegation purposes.
NOT_DELEGATED
1048576
edsaAccountIsTrustedForDelegation
Prevents the account from being used in delegation scenarios.
EXPIRE_PASSWORD_IMMEDIATELY
8388608
edsvaUserMustChangePasswordAtNextLogon
Forces a password change at the next logon.