This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

How to update the Active Directory UserAccountConrol (UAC) attribute with the Active Directory AFX Connector in RSA Identity Governance & Lifecycle

Article Number

000032426

Applies To

RSA Product Set: Identity Governance & Lifecycle 
RSA Version/Condition: All

 

Issue

This RSA Knowledge Base Article explains how to configure an Active Directory AFX Connector capability to update the UserAccountControl (UAC) attribute value in Active Directory.

Resolution

The UserAccountControl (UAC) attribute in Active Directory contains flags that define user account properties. These property flags have hexadecimal and decimal value numerical equivalents. To update the UAC attribute from an Active Directory AFX connector, pass the Property Flag to the connector in the UAC field. Do not pass the numerical values as these will be ignored. To update multiple values, enter the Property Flags separated by commas.

Below is a chart of the UAC Property Flags taken from the Microsoft Support Knowledge Base Article entitled How to use the UserAccountControl flags to manipulate user account properties.
 

Property Flag

Value in Hexadecimal 

Value in Decimal

ACCOUNTDISABLE

0x0002.

2

NORMAL_ACCOUNT

0x0200

512

PASSWD_NOTREQD

0x0020

32

PASSWD_CANT_CHANGE

0x0040

64

DONT_EXPIRE_PASSWORD

0x10000

65536

PASSWORD_EXPIRED

0x800000

8388608

HOMEDIR_REQUIRED

0x0008

8

LOCKOUT

0x0010

16

ENCRYPTED_TEXT_PWD_ALLOWED

0x0080

128

TEMP_DUPLICATE_ACCOUNT

0x0100

256

SCRIPT

0x0001

1

INTERDOMAIN_TRUST_ACCOUNT

0x0800

2048

WORKSTATION_TRUST_ACCOUNT

0x1000

4096

SERVER_TRUST_ACCOUNT

0x2000

8192

MNS_LOGON_ACCOUNT

0x20000

131072

SMARTCARD_REQUIRED

0x40000

262144

TRUSTED_FOR_DELEGATION

0x80000

524288

NOT_DELEGATED

0x100000

1048576

USE_DES_KEY_ONLY

0x200000

2097152

DONT_REQ_PREAUTH

0x400000

4194304

TRUSTED_TO_AUTH_FOR_DELEGATION

0x1000000

16777216

PARTIAL_SECRETS_ACCOUNT

0x04000000

67108864



Below is an example of updating an account so a password is not required. In this example the account, Rita Book, has a UAC value defined as:
 
0x10200={NORMAL_ACCOUNT|DONT_EXPIRE_PASSWD}

To update the account so that a password is not required, enter the PASSWD_NOTREQD property flag in the UAC field of the connector capability:
 
Image descriptionImage description

Note the new UAC value is defined as:
 
0x220={PASSWD_NOTREQD|NORMAL_ACCOUNT}
 

IMPORTANT:
Using an incorrect string or a numeric value will result in the update being ignored as if the field were left empty. There are no error or failure messages.

NOTE: If you are unable to update the PASSWD_CANT_CHANGE flag, you may need a patch. Please see RSA Knowledge Base Article 000038108 -- UserAccountControl (UAC) attribute PASSWD_CANT_CHANGE is not updated by the Active Directory AFX connector in RSA Identity Governance & Lifecycle for more information.

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-23 09:55 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.