{"id":5530,"date":"2019-08-29T21:45:30","date_gmt":"2019-08-30T02:45:30","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=5530"},"modified":"2021-03-17T23:22:41","modified_gmt":"2021-03-18T04:22:41","slug":"finding-disabled-accounts-in-active-directory","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=5530","title":{"rendered":"Finding Disabled Accounts In Active Directory"},"content":{"rendered":"

When using Active Directory (AD) as a source of user data, it’s useful to filter out disabled<\/em> accounts. Unfortunately, AD has a lot of different security-related settings glomed together in the userAccountControl attribute. Which means there’s no single attribute\/value combination you can use to ignore disabled accounts.<\/p>\n

The decimal value you see for userAccountControl isn’t terribly useful, but display it in binary and each bit position has a meaning. The userAccountControl value is just the number with a bunch of bits set. Numbering the bits from left to right, here is what each one means.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Bit #<\/td>\nMeaning<\/td>\n<\/tr>\n
0<\/td>\nUnused – must be 0<\/td>\n<\/tr>\n
1<\/td>\nUnused – must be 0<\/td>\n<\/tr>\n
2<\/td>\nUnused – must be 0<\/td>\n<\/tr>\n
3<\/td>\nUnused – must be 0<\/td>\n<\/tr>\n
4<\/td>\nUnused – must be 0<\/td>\n<\/tr>\n
5<\/td>\nADS_UF_PARTIAL_SECRETS_ACCOUNT<\/td>\n<\/tr>\n
6<\/td>\nADS_UF_NO_AUTH_DATA_REQUIRED<\/td>\n<\/tr>\n
7<\/td>\nADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION<\/td>\n<\/tr>\n
8<\/td>\nADS_UF_PASSWORD_EXPIRED<\/td>\n<\/tr>\n
9<\/td>\nADS_UF_DONT_REQUIRE_PREAUTH<\/td>\n<\/tr>\n
10<\/td>\nADS_UF_USE_DES_KEY_ONLY<\/td>\n<\/tr>\n
11<\/td>\nADS_UF_NOT_DELEGATED<\/td>\n<\/tr>\n
12<\/td>\nADS_UF_TRUSTED_FOR_DELEGATION<\/td>\n<\/tr>\n
13<\/td>\nADS_UF_SMARTCARD_REQUIRED<\/td>\n<\/tr>\n
14<\/td>\nUnused – must be 0<\/td>\n<\/tr>\n
15<\/td>\nADS_UF_DONT_EXPIRE_PASSWD<\/td>\n<\/tr>\n
16<\/td>\nUnused – must be 0<\/td>\n<\/tr>\n
17<\/td>\nUnused – must be 0<\/td>\n<\/tr>\n
18<\/td>\nADS_UF_SERVER_TRUST_ACCOUNT<\/td>\n<\/tr>\n
19<\/td>\nADS_UF_WORKSTATION_TRUST_ACCOUNT<\/td>\n<\/tr>\n
20<\/td>\nADS_UF_INTERDOMAIN_TRUST_ACCOUNT<\/td>\n<\/tr>\n
21<\/td>\nUnused – must be 0<\/td>\n<\/tr>\n
22<\/td>\nADS_UF_NORMAL_ACCOUNT<\/td>\n<\/tr>\n
23<\/td>\nUnused – must be 0<\/td>\n<\/tr>\n
24<\/td>\nADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED<\/td>\n<\/tr>\n
25<\/td>\nADS_UF_PASSWD_CANT_CHANGE<\/td>\n<\/tr>\n
26<\/td>\nADS_UF_PASSWD_NOTREQD<\/td>\n<\/tr>\n
27<\/td>\nADS_UF_LOCKOUT<\/td>\n<\/tr>\n
28<\/td>\nADS_UF_HOMEDIR_REQUIRED<\/td>\n<\/tr>\n
29<\/td>\nUnused – must be 0<\/td>\n<\/tr>\n
30<\/td>\nADS_UF_ACCOUNT_DISABLE<\/td>\n<\/tr>\n
31<\/td>\nUnused – must be 0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Bit #30 indicates if the account is disabled — 1 if the account is disabled, 0 if the account is enabled. Simple and direct approach is to “and” the attribute value with 0b10 to extract just<\/em> the bit we care about. When the and operation returns 0, the account is enabled. When it returns 2 (0x10), the account is disabled.<\/p>\n

\"\"<\/a><\/p>\n

A list of userAccountControl values and the corresponding meaning:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
userAccountControl Value<\/td>\nMeaning<\/td>\n<\/tr>\n
1<\/td>\nLogon script executes<\/td>\n<\/tr>\n
2<\/td>\nAccount Disabled<\/td>\n<\/tr>\n
8<\/td>\nHome Directory Required<\/td>\n<\/tr>\n
16<\/td>\nLockout<\/td>\n<\/tr>\n
32<\/td>\nPassword Not Required<\/td>\n<\/tr>\n
64<\/td>\nUser cannot change password<\/td>\n<\/tr>\n
128<\/td>\nEncrypted text password not allowed<\/td>\n<\/tr>\n
256<\/td>\nTemporary Duplicate Account<\/td>\n<\/tr>\n
512<\/td>\nNormal active account<\/td>\n<\/tr>\n
514<\/td>\nNormal disabled account<\/td>\n<\/tr>\n
544<\/td>\nPassword not required, enabled account<\/td>\n<\/tr>\n
546<\/td>\nPassword not required, disabled account<\/td>\n<\/tr>\n
2048<\/td>\nInter-domain trust account<\/td>\n<\/tr>\n
4096<\/td>\nWorkstation trust account<\/td>\n<\/tr>\n
8192<\/td>\nServer trust account<\/td>\n<\/tr>\n
65536<\/td>\nNo password expiry<\/td>\n<\/tr>\n
66048<\/td>\nPassword never expires, enabled account<\/td>\n<\/tr>\n
66050<\/td>\nPassword never expires, disabled account<\/td>\n<\/tr>\n
66082<\/td>\nPassword never expires and is not required, enabled account<\/td>\n<\/tr>\n
66084<\/td>\nPassword never expires and is not required, disabled account<\/td>\n<\/tr>\n
131072<\/td>\nMNS Login account<\/td>\n<\/tr>\n
262144<\/td>\nSmartcard required<\/td>\n<\/tr>\n
262656<\/td>\nSmartcard required, enabled account<\/td>\n<\/tr>\n
262658<\/td>\nSmartcard required, disabled account<\/td>\n<\/tr>\n
262688<\/td>\nEnabled account, password not required, smartcard required<\/td>\n<\/tr>\n
262690<\/td>\nDisabled account, password not required, smartcard required<\/td>\n<\/tr>\n
328192<\/td>\nEnabled account, password doesn’t expire, smartcard required<\/td>\n<\/tr>\n
328194<\/td>\nDisabled account, password doesn’t expire, smartcard required<\/td>\n<\/tr>\n
328224<\/td>\nEnabled account, password doesn’t expire, password not required, smartcard required<\/td>\n<\/tr>\n
328226<\/td>\nDisabled account, password doesn’t expire, password not required, smartcard required<\/td>\n<\/tr>\n
524288<\/td>\nTrusted for delegation<\/td>\n<\/tr>\n
532480<\/td>\nDomain controller<\/td>\n<\/tr>\n
1048576<\/td>\nNot delegated<\/td>\n<\/tr>\n
2097152<\/td>\nUse DES key only<\/td>\n<\/tr>\n
4194304<\/td>\nDon’t require pre-authorization<\/td>\n<\/tr>\n
8388608<\/td>\nPassword expired<\/td>\n<\/tr>\n
16777216<\/td>\nTrusted to auth for delegation<\/td>\n<\/tr>\n
67108864<\/td>\nPartial secrets account<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

When using Active Directory (AD) as a source of user data, it’s useful to filter out disabled accounts. Unfortunately, AD has a lot of different security-related settings glomed together in the userAccountControl attribute. Which means there’s no single attribute\/value combination you can use to ignore disabled accounts. The decimal value you see for userAccountControl isn’t …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[68,814],"class_list":["post-5530","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-active-directory","tag-useraccountcontrol"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/5530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5530"}],"version-history":[{"count":3,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/5530\/revisions"}],"predecessor-version":[{"id":7564,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/5530\/revisions\/7564"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}