The UserAccountControl (UAC) attribute in Active Directory contains flags that define user account properties. Each property flag has an equivalent numerical value in hexadecimal and in decimal. To update the UAC attribute from an Active Directory AFX connector, pass the Property Flag to the connector in the UAC field. Do not pass the numerical values, as these will be ignored. To update multiple values, enter the Property Flags separated by commas.

Below is a chart of the UAC Property Flags taken from the Microsoft Support Knowledge Base Article entitled How to use the UserAccountControl flags to manipulate user account properties.
| Property Flag | Value in Hexadecimal | Value in Decimal |
|---|---|---|
| ACCOUNTDISABLE | 0x0002 | 2 |
| NORMAL_ACCOUNT | 0x0200 | 512 |
| PASSWD_NOTREQD | 0x0020 | 32 |
| PASSWD_CANT_CHANGE | 0x0040 | 64 |
| DONT_EXPIRE_PASSWORD | 0x10000 | 65536 |
| PASSWORD_EXPIRED | 0x800000 | 8388608 |
| HOMEDIR_REQUIRED | 0x0008 | 8 |
| LOCKOUT | 0x0010 | 16 |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 |
| SCRIPT | 0x0001 | 1 |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 |
| SERVER_TRUST_ACCOUNT | 0x2000 | 8192 |
| MNS_LOGON_ACCOUNT | 0x20000 | 131072 |
| SMARTCARD_REQUIRED | 0x40000 | 262144 |
| TRUSTED_FOR_DELEGATION | 0x80000 | 524288 |
| NOT_DELEGATED | 0x100000 | 1048576 |
| USE_DES_KEY_ONLY | 0x200000 | 2097152 |
| DONT_REQ_PREAUTH | 0x400000 | 4194304 |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 |
| PARTIAL_SECRETS_ACCOUNT | 0x04000000 | 67108864 |

Below is an example of updating an account so a password is not required. In this example the account, Rita Book, has a UAC value defined as:
0x10200={NORMAL_ACCOUNT|DONT_EXPIRE_PASSWD}
To update the account so that a password is not required, enter the PASSWD_NOTREQD property flag in the UAC field of the connector capability:
Note the new UAC value is defined as:
0x220={PASSWD_NOTREQD|NORMAL_ACCOUNT}
IMPORTANT: Using an incorrect string or a numeric value will result in the update being ignored as if the field were left empty. There are no error or failure messages.
NOTE: If you are unable to update the PASSWD_CANT_CHANGE flag, you may need a patch. Please see RSA Knowledge Base Article 000038108 -- UserAccountControl (UAC) attribute PASSWD_CANT_CHANGE is not updated by the Active Directory AFX connector in RSA Identity Governance & Lifecycle for more information.
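Because an ignored update produces no error, a pre-check of the UAC field string and a comparison of the value before and after the update make the outcome visible. The following is an added example, not RSA's or Microsoft's code; the function names are hypothetical, the strict exact-name matching is an assumption about what the connector accepts, and the before/after values are assumed to be read back from the directory by other means.

```python
# Added example: flag names and values are copied from the chart on this page.
UAC_FLAGS = {
    "SCRIPT": 0x0001, "ACCOUNTDISABLE": 0x0002, "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010, "PASSWD_NOTREQD": 0x0020, "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080, "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200, "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000, "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000, "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000, "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000, "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000, "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}

def check_uac_field(field):
    """Split the comma-separated UAC field into (accepted, rejected) tokens.

    Assumption: only the exact names in the chart are accepted; numbers,
    misspellings and stray spaces count as strings that would be ignored.
    """
    tokens = field.split(",") if field else []
    accepted = [t for t in tokens if t in UAC_FLAGS]
    rejected = [t for t in tokens if t not in UAC_FLAGS]
    return accepted, rejected

def decode_uac(value):
    """Return the chart names of every flag bit set in a numeric UAC value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def verify_update(field, before, after):
    """Compare the UAC value read back after an update with the request."""
    accepted, rejected = check_uac_field(field)
    old, new = decode_uac(before), decode_uac(after)
    return {
        "rejected": rejected,                              # would be ignored
        "missing": [f for f in accepted if f not in new],  # requested, not set
        "dropped": [f for f in old if f not in new],       # set before, gone after
    }

if __name__ == "__main__":
    # Values from the Rita Book example on this page.
    print(verify_update("PASSWD_NOTREQD", 0x10200, 0x220))
    # A numeric value in the field: the account is unchanged, with no error.
    print(verify_update("32", 0x10200, 0x10200))
```

Run against the Rita Book values, the comparison reports DONT_EXPIRE_PASSWORD under "dropped": it is set in 0x10200 and absent from 0x220.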