Appendix D. Reference data

 

This appendix contains a collection of reference data that I’ve found useful. This information is available on the web, but some of it can be awkward to track down.

D.1. Active Directory: user account control

The user account control flags are used to set the properties on a user account, including whether it’s enabled or disabled. The attribute is a 32-bit integer where various bits have a particular meaning, as shown in table D.1.

Table D.1. User account control flags

Property                                              Decimal value   Hexadecimal value
Script (logon script will run)                        1               0x01
Account Disabled                                      2               0x02
Home Directory Required                               8               0x08
Account Locked Out                                    16              0x10
Password Not Required                                 32              0x20
Password Cannot Change                                64              0x40
Encrypted Text Password Allowed                       128             0x80
Temporary Duplicate Account                           256             0x100
Normal Account                                        512             0x200
Interdomain Trust Account                             2048            0x800
Workstation Trust Account                             4096            0x1000
Server Trust Account                                  8192            0x2000
Do not Expire Password                                65536           0x10000
MNS Logon account                                     131072          0x20000
Smartcard Required                                    262144          0x40000
Trusted for delegation                                524288          0x80000
Not Delegated                                         1048576         0x100000
Use DES Key Only                                      2097152         0x200000
Do Not Require Kerberos Preauthentication for Logon   4194304         0x400000
Password Expired                                      8388608         0x800000
Trusted to Authenticate for Delegation                16777216        0x1000000

Note

Account Locked Out, Password Cannot Change, and Password Expired are not controlled through the useraccountcontrol attribute in Windows 2003 and later.
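The following is an added example, not code from the book: it decodes a user account control value into the flag names of table D.1 and lists separately the flags an account review would normally want to see. The function name ConvertFrom-UserAccountControl, the choice of review flags, and the sample values are assumptions of this example.

```powershell
# Added example. Flag names and values are copied from table D.1.
$UacFlags = [ordered]@{
    'Script'                                 = 0x01
    'Account Disabled'                       = 0x02
    'Home Directory Required'                = 0x08
    'Account Locked Out'                     = 0x10
    'Password Not Required'                  = 0x20
    'Password Cannot Change'                 = 0x40
    'Encrypted Text Password Allowed'        = 0x80
    'Temporary Duplicate Account'            = 0x100
    'Normal Account'                         = 0x200
    'Interdomain Trust Account'              = 0x800
    'Workstation Trust Account'              = 0x1000
    'Server Trust Account'                   = 0x2000
    'Do not Expire Password'                 = 0x10000
    'MNS Logon account'                      = 0x20000
    'Smartcard Required'                     = 0x40000
    'Trusted for delegation'                 = 0x80000
    'Not Delegated'                          = 0x100000
    'Use DES Key Only'                       = 0x200000
    'Do Not Require Kerberos Preauthentication for Logon' = 0x400000
    'Password Expired'                       = 0x800000
    'Trusted to Authenticate for Delegation' = 0x1000000
}
# Flags worth surfacing in an account review (this selection is the example's assumption).
$ReviewFlags = 'Password Not Required', 'Encrypted Text Password Allowed',
    'Do not Expire Password', 'Trusted for delegation', 'Use DES Key Only',
    'Do Not Require Kerberos Preauthentication for Logon', 'Trusted to Authenticate for Delegation'
# Mask of every bit the table defines, used to report bits the table does not cover.
$KnownMask = 0
foreach ($v in $UacFlags.Values) { $KnownMask = $KnownMask -bor $v }

function ConvertFrom-UserAccountControl {   # hypothetical helper name
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][int]$Value)
    process {
        # A flag is set when its bit survives a bitwise AND with the value.
        $set = @($UacFlags.Keys | Where-Object { $Value -band $UacFlags[$_] })
        [pscustomobject]@{
            Value       = $Value
            Flags       = $set -join '; '
            Review      = @($set | Where-Object { $ReviewFlags -contains $_ }) -join '; '
            UnknownBits = '0x{0:X}' -f ($Value -band (-bnot $KnownMask))
        }
    }
}
# Per the note to table D.1, a clear Account Locked Out, Password Cannot Change or
# Password Expired bit says nothing about those states on Windows 2003 and later.
# Constructed sample values; 516 carries bit 0x04, which table D.1 does not list.
512, 514, 544, 66048, 4194816, 516 | ConvertFrom-UserAccountControl | Format-List
```

The sample values are hard-coded so the block runs without a domain; against a directory, the same function can be fed the userAccountControl property returned by the Active Directory cmdlets.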

D.2. Local user accounts: userflags

D.3. LDAP Filters

D.4. Identity in Active Directory cmdlets

D.5. PowerShell filters in Active Directory cmdlets

D.6. Special folders