000032426 - How to update the LDAP Active Directory Connector UserAccountControl attribute for use with RSA Via Lifecycle and Governance (L&G) 6.9.1 P08

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Number: 000032426
Applies To: RSA Product Set: RSA Via Lifecycle & Governance
RSA Product/Service Type: Appliance
RSA Version/Condition: 6.9.1 P08
Platform: JBoss
 
Issue
The userAccountControl attribute in Active Directory holds the flags that control the state of an account. Basic use cases are disabling and enabling an account; other scenarios require the correct flag values to change the account appropriately.

Resolution

The reference table below can be used to pass the correct values when updating the userAccountControl attribute.

Property Flag                      Value in Hexadecimal   Value in Decimal
ACCOUNTDISABLE                     0x0002                 2
NORMAL_ACCOUNT                     0x0200                 512
PASSWD_NOTREQD                     0x0020                 32
PASSWD_CANT_CHANGE                 0x0040                 64
DONT_EXPIRE_PASSWORD               0x10000                65536
PASSWORD_EXPIRED                   0x800000               8388608
HOMEDIR_REQUIRED                   0x0008                 8
LOCKOUT                            0x0010                 16
ENCRYPTED_TEXT_PWD_ALLOWED         0x0080                 128
TEMP_DUPLICATE_ACCOUNT             0x0100                 256
SCRIPT                             0x0001                 1
INTERDOMAIN_TRUST_ACCOUNT          0x0800                 2048
WORKSTATION_TRUST_ACCOUNT          0x1000                 4096
SERVER_TRUST_ACCOUNT               0x2000                 8192
MNS_LOGON_ACCOUNT                  0x20000                131072
SMARTCARD_REQUIRED                 0x40000                262144
TRUSTED_FOR_DELEGATION             0x80000                524288
NOT_DELEGATED                      0x100000               1048576
USE_DES_KEY_ONLY                   0x200000               2097152
DONT_REQ_PREAUTH                   0x400000               4194304
TRUSTED_TO_AUTH_FOR_DELEGATION     0x1000000              16777216
PARTIAL_SECRETS_ACCOUNT            0x04000000             67108864


  
Notes
The LDAP Active Directory AFX connector expects the User Account Control (UAC) value as one of the strings from the "Property Flag" column of the table above, or a comma-separated combination of them, e.g.:
1. ACCOUNTDISABLE can be provided to disable an account.
2. "NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD" can be provided to enable an account that is currently disabled and to set the password-never-expires flag.
An incorrect string or a numeric value is ignored, as if the field had been left empty.
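As an added example (not RSA's connector code), the helper below builds the integer userAccountControl value from a flag string in the form the connector accepts, decodes an integer read back from AD into flag names, and rejects the unknown names and bare numbers that the connector would silently ignore. The flag values are those from the table above; the list of flags worth reviewing in risky_flags is the author's own choice, not part of the article.

```python
# Added example: encode/decode userAccountControl flag strings from the table.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}


def encode_uac(flag_string):
    """Turn 'NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD' into its integer value.
    Raises ValueError on an unknown name or a bare number, because the
    connector would silently ignore such input (see the Notes section)."""
    value = 0
    for name in flag_string.split(","):
        name = name.strip().upper()
        if name not in UAC_FLAGS:
            raise ValueError("unknown userAccountControl flag: %r" % name)
        value |= UAC_FLAGS[name]
    return value


def decode_uac(value):
    """Return the sorted list of flag names set in an integer UAC value."""
    return sorted(n for n, bit in UAC_FLAGS.items() if value & bit)


def risky_flags(value):
    """Flags a reviewer would want justified on an ordinary user account
    (author's selection, not from the article)."""
    watch = {"PASSWD_NOTREQD", "DONT_REQ_PREAUTH", "USE_DES_KEY_ONLY",
             "TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION"}
    return sorted(watch & set(decode_uac(value)))
```

Run encode_uac on the string before handing it to the connector so a typo surfaces as an error instead of a silently unchanged account.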
