This article outlines the Active Roles Virtual Attributes to use in place of setting Bitwise values on userAccountControl.
The table below provides the list of native Active Directory userAccountControl flags to the corresponding Active Roles User Virtual Attributes. Setting the Active Roles attributes can simplify updating UserAccountControl instead of using Bitwise updates.
userAccountControl Flag |
Bitwise Value |
Active Roles Virtual Attribute (Boolean True/False) |
Description |
ACCOUNTDISABLE |
2 |
edsaAccountIsDisabled |
Disables the user account, preventing it from logging in. |
PASSWD_CANT_CHANGE |
64 |
edsaUserCannotChangePassword |
Prevents the user from changing their own password. |
DONT_EXPIRE_PASSWORD |
65536 |
edsaPasswordNeverExpires |
Sets the account password to never expire. |
SMARTCARD_REQUIRED |
262144 |
edsaSmartCardIsRequired |
Requires the user to log in using a smart card. |
TRUSTED_FOR_DELEGATION |
524288 |
edsaAccountIsTrustedForDelegation |
Enables the account to impersonate other accounts for delegation scenarios. |
LOCKOUT |
16 |
edsaAccountLockedOut |
Indicates if the account is currently locked due to failed login attempts. |
PASSWD_NOTREQD |
32 |
edsaDoNotRequirePassword |
Allows account creation without requiring a password. |
DONT_REQUIRE_PREAUTH |
4194304 |
edsaDoNotRequireKerberosPreauthentication |
Disables Kerberos pre-authentication, often used for legacy systems. |
HOMEDIR_REQUIRED |
8 |
edsvaHomeDirectory |
Specifies that a home directory is required for the account. |
TRUSTED_TO_AUTH_FOR_DELEGATION |
16777216 |
edsaTrustedToAuthenticateForDelegation |
Allows the account to authenticate for delegation purposes. |
NOT_DELEGATED |
1048576 |
edsaAccountIsTrustedForDelegation |
Prevents the account from being used in delegation scenarios. |
EXPIRE_PASSWORD_IMMEDIATELY |
8388608 |
edsvaUserMustChangePasswordAtNextLogon |
Forces a password change at the next logon. |
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center