Learn which controls can be applied to Active Directory accounts to control account properties.
User account controls in Identity Inventory describe the flags set in the UserAccountControl
attribute of Active Directory accounts. User account controls can expand or restrict
what an account is able to do. Examine the user account controls of an identity for more
insight into that identity's capabilities and permissions.
The following table lists user account controls that may be shown for an identity
in Identity Inventory.
Active Directory User Account Controls

| Control | Description |
| --- | --- |
| SCRIPT | Runs the logon script |
| ACCOUNTDISABLE | Disabled account |
| HOMEDIR_REQUIRED | Requires the home folder |
| PASSWD_NOTREQD | No password required |
| PASSWD_CANT_CHANGE | Unable to change own account password |
| ENCRYPTED_TEXT_PASSWORD_ALLOWED | Can use an encrypted password |
| TEMP_DUPLICATE_ACCOUNT | Gives access to a particular domain, but not to other trusted domains |
| NORMAL_ACCOUNT | Default account type |
| INTERDOMAIN_TRUST_ACCOUNT | Grants trust for a system domain that trusts other domains |
| WORKSTATION_TRUST_ACCOUNT | Computer account for a computer running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server that is a member of the domain |
| SERVER_TRUST_ACCOUNT | Computer account for a domain controller that is a member of the domain |
| DONT_EXPIRE_PASSWD | Indicates the account password should never expire |
| MNS_LOGON_ACCOUNT | Indicates an MNS logon account |
| SMARTCARD_REQUIRED | Forces the user to log on using a smart card |
| TRUSTED_FOR_DELEGATION | Grants trust for Kerberos delegation |
| NOT_DELEGATED | Indicates the account's security context is not delegated to a service, even when that service is trusted for Kerberos delegation |
| USE_DES_KEY_ONLY | (Windows 2000/Windows Server 2003) Restricts a service principal to use only Data Encryption Standard (DES) encryption types for keys |
| DONT_REQUIRE_PREAUTH | (Windows 2000/Windows Server 2003) Does not require Kerberos pre-authentication for sign-on |
| PASSWORD_EXPIRED | (Windows 2000/Windows Server 2003) Indicates an expired password |
| TRUSTED_TO_AUTH_FOR_DELEGATION | (Windows 2000/Windows Server 2003) Allows a service that runs under the account to assume a client's identity and authenticate as that user to other remote servers |
| PARTIAL_SECRETS_ACCOUNT | (Windows Server 2008/Windows Server 2008 R2) Indicates a read-only domain controller (RODC) |
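To make the table concrete, here is an added Python example (not code from Identity Inventory or from this page) that decodes a raw UserAccountControl integer into the control names listed above and reports the ones a defender would want to review on an enabled account. The bit values are taken from Microsoft's ADS_USER_FLAG_ENUM documentation rather than from this page, and the set of controls treated as risky is this example's own checklist.

```python
from enum import IntFlag


class UserAccountControl(IntFlag):
    """Bit values of the UserAccountControl attribute (from Microsoft's
    ADS_USER_FLAG_ENUM documentation; the values are not listed on this page)."""
    SCRIPT = 0x0001
    ACCOUNTDISABLE = 0x0002
    HOMEDIR_REQUIRED = 0x0008
    PASSWD_NOTREQD = 0x0020
    PASSWD_CANT_CHANGE = 0x0040
    ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080
    TEMP_DUPLICATE_ACCOUNT = 0x0100
    NORMAL_ACCOUNT = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT = 0x0800
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT = 0x2000
    DONT_EXPIRE_PASSWD = 0x10000
    MNS_LOGON_ACCOUNT = 0x20000
    SMARTCARD_REQUIRED = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000
    USE_DES_KEY_ONLY = 0x200000
    DONT_REQUIRE_PREAUTH = 0x400000
    PASSWORD_EXPIRED = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT = 0x4000000


# Controls that weaken authentication or widen what an account may do; the
# selection is this example's own review checklist, not a list from the page.
RISKY = {
    UserAccountControl.PASSWD_NOTREQD: "no password required",
    UserAccountControl.DONT_EXPIRE_PASSWD: "password never expires",
    UserAccountControl.DONT_REQUIRE_PREAUTH: "Kerberos pre-authentication not required",
    UserAccountControl.USE_DES_KEY_ONLY: "DES-only Kerberos keys",
    UserAccountControl.TRUSTED_FOR_DELEGATION: "trusted for Kerberos delegation",
    UserAccountControl.TRUSTED_TO_AUTH_FOR_DELEGATION: "may authenticate as clients to other servers",
}


def decode_uac(value: int) -> list[str]:
    """Names of the controls set in a raw UserAccountControl integer, low bit first."""
    return [flag.name for flag in UserAccountControl if value & flag]


def review_uac(value: int) -> list[str]:
    """Findings for an enabled account; a disabled account cannot log on, so none."""
    if value & UserAccountControl.ACCOUNTDISABLE:
        return []
    return [reason for flag, reason in RISKY.items() if value & flag]
```

A constructed value such as 0x400220 (NORMAL_ACCOUNT with PASSWD_NOTREQD and DONT_REQUIRE_PREAUTH) decodes to those three names and yields two findings; the same value with ACCOUNTDISABLE added yields none.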