000022991 - Which Microsoft Active Directory attribute property flag is checked for LDAP Disable/Enabled State?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017. Version 2.

Article Content

Article Number: 000022991

Applies To:
RSA ACE/Server
RSA Authentication Manager
LDAP Disabled/Enabled State
UserAccountControl
LDAP MAP
Microsoft Active Directory

Issue: Which Microsoft Active Directory attribute property flag is checked for LDAP Disable/Enabled State?
Resolution

In the LDAP map active.map under the \ace\utils\toolkit\ directory, the Optional Field "LDAP Disabled/Enabled State" is mapped to the UserAccountControl attribute of an Active Directory user account. The UserAccountControl attribute is a 32-bit integer made up of many flags. The ACCOUNTDISABLE flag (value 0x0002 in hexadecimal, 2 in decimal) is the only flag the LDAP synchronization code checks to decide whether an account is disabled; every other bit in the attribute is ignored for this purpose.

The following table lists the flags that you can assign. Some of the values cannot be set on a user or computer object because the directory service alone sets or resets them. Note that Ldp.exe shows the values in hexadecimal, while Adsiedit.msc displays them in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x0002 + 0x0200). In decimal, this is 514 (2 + 512).

NOTE: You can directly edit Active Directory in both Ldp.exe and Adsiedit.msc. Only experienced administrators should use these tools to edit Active Directory. Both tools are available after you install the Support tools from your original Windows installation media.

For more information, refer to Microsoft's web site at: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

Property flag                     Value in hexadecimal   Value in decimal
SCRIPT                            0x0001                 1
ACCOUNTDISABLE                    0x0002                 2
HOMEDIR_REQUIRED                  0x0008                 8
LOCKOUT                           0x0010                 16
PASSWD_NOTREQD                    0x0020                 32
PASSWD_CANT_CHANGE (see note)     0x0040                 64
ENCRYPTED_TEXT_PWD_ALLOWED        0x0080                 128
TEMP_DUPLICATE_ACCOUNT            0x0100                 256
NORMAL_ACCOUNT                    0x0200                 512
INTERDOMAIN_TRUST_ACCOUNT         0x0800                 2048
WORKSTATION_TRUST_ACCOUNT         0x1000                 4096
SERVER_TRUST_ACCOUNT              0x2000                 8192
DONT_EXPIRE_PASSWORD              0x10000                65536
MNS_LOGON_ACCOUNT                 0x20000                131072
SMARTCARD_REQUIRED                0x40000                262144
TRUSTED_FOR_DELEGATION            0x80000                524288
NOT_DELEGATED                     0x100000               1048576
USE_DES_KEY_ONLY                  0x200000               2097152
DONT_REQ_PREAUTH                  0x400000               4194304
PASSWORD_EXPIRED                  0x800000               8388608
TRUSTED_TO_AUTH_FOR_DELEGATION    0x1000000              16777216

Note: PASSWD_CANT_CHANGE cannot be assigned by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the "Property flag descriptions" section of the Microsoft article referenced above.
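The following is an added example, not code from the RSA product or this article: it decodes a UserAccountControl value against the table above and reproduces the synchronization rule that only the ACCOUNTDISABLE bit decides the disabled state. Because the flags are cumulative, a disabled account whose password also never expires carries 0x10202 (66050), not 514, so the check must test the bit rather than compare the whole value; the sample values are constructed.

```python
# UserAccountControl flag table, as listed in the article.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}


def decode_uac(value):
    """Return the names of every flag set in a UserAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def is_disabled(value):
    """Mirror the sync rule: only the ACCOUNTDISABLE bit decides the state."""
    return bool(value & UAC_FLAGS["ACCOUNTDISABLE"])


def set_disabled(value, disabled):
    """Set or clear ACCOUNTDISABLE while leaving every other flag untouched."""
    bit = UAC_FLAGS["ACCOUNTDISABLE"]
    return value | bit if disabled else value & ~bit


if __name__ == "__main__":
    # Constructed sample values: an enabled normal account (0x0200), the
    # article's disabled account (0x0202), and a disabled account whose
    # password never expires (0x10202 = 66050).
    for v in (0x0200, 0x0202, 0x10202):
        print(f"{v:#09x} ({v}) disabled={is_disabled(v)} flags={decode_uac(v)}")
```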
Legacy Article ID: a29005
