User Security Attributes

In addition to naming properties for user objects, for example, objectGUID, objectSid, cn, distinguishedName, and so on, there are other security properties used for logon, network access, and access control. These properties are used by the Windows security system and can be viewed and managed by the Active Directory User and Computers snap-in.

accountExpires

The accountExpires attribute specifies when an account expires. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of TIMEQ_FOREVER (defined in Lmaccess.h) indicates that an account never expires.

altSecurityIdentities

The altSecurityIdentities attribute is a multi-valued attribute that contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication. Various security packages, including Public Key authentication package and Kerberos, use this data to authenticate users when they present the alternative form of identification such as certificate, UNIX Kerberos ticket, and so on. Build a Windows 2000 token based on the corresponding user account such that they can access system resources.

For X.509 certificates, the values should be the Issuer and Subject names in 509v3 certificates, issued by an external public certification authority, that map to the user account used to find an account for authentication. The SSL (Schannel) package uses the following syntax: X509:<somecertinfotype>somecertinfo. For example, the following value specifies the issuer DN "<I>" with the DN "C=US,O=InternetCA,CN=APublicCertificateAuthority" and the subject DN "<S>" with the DN "C=US,O=Fabrikam,OU=Sales,CN=Jeff Smith".

X509:<I>C=US,O=InternetCA,CN=APublicCertificateAuthority<S>C=US,O=Fabrikam,OU=Sales,CN=Jeff Smith

Be aware that "<S>" or "<I>" and "<S>" are supported. Having only "<I>" is not supported. Applications should not modify the values within "<I>" or "<S>" because partial DN matching is not supported.

For external Kerberos accounts, the values should be the Kerberos account name. The Kerberos package uses the following syntax: Kerberos:MITaccountname. For example, the following is the value for an account at Fabrikam.com:

Kerberos:Jeff.Smith@Fabrikam.com

badPasswordTime

Non-replicated. The badPasswordTime attribute specifies the last time the user attempted to log on to the account using an incorrect password. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). This attribute is maintained separately on each domain controller in the domain. A value of zero means that the last bad password time is unknown. To get an accurate value for the user's last bad password time in the domain, each domain controller in the domain must be queried and the largest value should be used.

badPwdCount

Non-replicated. The badPwdCount attribute specifies the number of times the user attempted to log on to the account using an incorrect password. This attribute is maintained separately on each domain controller in the domain. A value of 0 indicates that the value is unknown. To get an accurate value for the user's total bad password attempts in the domain, each domain controller in the domain must be queried and the sum of the values should be used.

codePage

The codePage attribute specifies the code page for the user's chosen language. This value is not used by Windows.

countryCode

The countryCode attribute specifies the country/region code for the user's language. This value is not used by Windows.

homeDirectory

The homeDirectory attribute specifies the path of the home directory for the user. The string can be null.

If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string.

If homeDrive is not set, homeDirectory should be a local path, for example, C:\mylocaldir.

homeDrive

The homeDrive attribute specifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the following form:

<drive letter>:

where "<drive letter>" is the letter of the drive to map. For example:

Z:

If this attribute is not set, the homeDirectory should be a local path, for example, C:\mylocaldir.

lastLogoff

Non-replicated. The lastLogoff attribute specifies when the last logoff occurred. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). The high part of this large integer corresponds to the dwHighDateTime member of the FILETIME structure and the low part corresponds to the dwLowDateTime member of the FILETIME structure. This attribute is maintained separately on each domain controller in the domain. A value of zero means that the last logoff time is unknown. To get an accurate value for the user's last logoff in the domain, each domain controller in the domain must be queried and the largest value should be used.

lastLogon

Non-replicated. The lastLogon attribute specifies when the last logon occurred. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). The high part of this large integer corresponds to the dwHighDateTime member of the FILETIME structure and the low part corresponds to the dwLowDateTime member of the FILETIME structure. This attribute is maintained separately on each domain controller in the domain. A value of zero means that the last logon time is unknown. To get an accurate value for the user's last logon in the domain, each domain controller in the domain must be queried and the largest value should be used.

lmPwdHistory

The lmPwdHistory attribute is the password history of the user in LAN Manager (LM) one-way format (OWF). The LM OWF is used for compatibility with LAN Manager 2.x clients, Windows 95, and Windows 98. This attribute is used only by the operating system. Be aware that you cannot derive the plaintext password from the OWF form of the password.

logonCount

Non-replicated. The logonCount attribute counts the number of successful times that the user tried to log on to this account. This attribute is maintained on each domain controller in the domain. A value of 0 indicates that the value is unknown. To get an accurate value for the user's total number of successful logon attempts in the domain, each domain controller in the domain must be queried and the sum of the values should be used.

mail

The mail attribute is a single-valued attribute that contains the SMTP address for the user, for example, jeff@Fabrikam.com.

maxStorage

The maxStorage attribute specifies the maximum amount of hard-disk drive space that the user can use. Use the USER_MAXSTORAGE_UNLIMITED (defined in Lmaccess.h) value to use all available disk space.

memberOf

The memberOf attribute is a multi-valued attribute that contains groups of which the user is a direct member, except for the primary group, which is represented by the primaryGroupId. Group membership is dependent on the domain controller (DC) from which this attribute is retrieved:

  • At a DC for the domain that contains the user, memberOf for the user is complete with respect to membership for groups in that domain; however, memberOf does not contain the user's membership in domain local and global groups in other domains.
  • At a GC server, memberOf for the user is complete with respect to all universal group memberships.

If both conditions are true for the DC, both sets of data are contained in memberOf.

Be aware that this attribute lists the groups that contain the user in their member attribute—it does not contain the recursive list of nested predecessors. For example, if user O is a member of group C and group B and group B were nested in group A, the memberOf attribute of user O would list group C and group B, but not group A.

This attribute is not stored—it is a computed back-link attribute.

ntPwdHistory

The ntPwdHistory attribute is the password history of the user in Windows NT one-way format (OWF). Windows uses the Windows NT OWF. This attribute is used only by the operating system. Be aware that you cannot derive the plaintext password back from the OWF form of the password.

otherMailbox

The otherMailbox attribute is a multi-valued attribute that contains other additional mail addresses in a form, for example, CCMAIL: JeffSmith.

PasswordExpirationDate

The password expiration date is not an attribute on the user object. It is a calculated value based on the sum of pwdLastSet for the user and maxPwdAge of the user's domain. To get the password expiration date, get the IADsUser.PasswordExpirationDate property. You cannot modify this attribute for a user; instead, set the IADsDomain.MaxPasswordAge property to change the setting for the domain.

primaryGroupId

The primaryGroupId attribute is a single-valued attribute that contains the primaryGroupToken of the group that is the primary group of the object. The primary group of the object is not included in the memberOf attribute. For example, by default, the primary group of a user object is the primaryGroupToken of the Domain Users group, but the Domain Users group is not part of the user object's memberOf attribute.

profilePath

The profilePath attribute specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path.

pwdLastSet

The pwdLastSet attribute specifies when the password was last changed. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC).

The system uses the value of this attribute and the maxPwdAge attribute of the domain that contains the user object to calculate the password expiration date. That is, the sum of pwdLastSet for the user and maxPwdAge of the user's domain.

This attribute controls whether the user must change the password when the user logs on next. If pwdLastSet is zero, the default, the user must change the password at next logon. The value -1 indicates that the user is not required to change the password at next logon. The system sets this value to -1 after user has set the password.

sAMAccountType

The sAMAccountType attribute specifies an integer that represents the account type. This is set by the operating system when the object is created.

scriptPath

The scriptPath attribute specifies the path of the user's logon script, .cmd, .exe, or .bat file. The string can be null.

tokenGroups

The tokenGroups attribute is a multi-valued attribute that contains the SID of all groups of which the user is a direct and indirect member, including for the primary group. This attribute can only be retrieved if a Global Catalog (GC) server is present to retrieve the transitive reverse memberships.

Be aware that this attribute lists the groups that contain the user in their member attribute, as well as groups that contain those groups in their member attribute, and so on recursively. For example, if user O is a member of group C and group B and group B were nested in group A, the tokenGroups attribute of user O would list group C, group B, and group A.

The tokenGroups attribute is a useful attribute for obtaining a list of group memberships in just two LDAP queries: the first to get the list of group SIDs from the tokenGroups attribute of the user, the second using that list of SIDs to get the name attribute of each group. It avoids the need to make multiple searches to expand the primaryGroupId attribute and recursively expand the memberOf attribute.

unicodePwd

The unicodePwd attribute is the user password.

To set the user password, use the IADsUser.ChangePassword method, if your script or application enables the user to change his/her own password, or IADsUser.SetPassword method, if your script or application is allowing an administrator to reset a password.

The password of the user in Windows NT one-way format (OWF). Windows uses the Windows NT OWF. This attribute is used only by operating system. Be aware that you cannot derive the plaintext password back from the OWF form of the password.

userAccountControl

The userAccountControl attribute specifies flags that control password, lockout, disable/enable, script, and home directory behavior for the user. This attribute also contains a flag that indicates the account type of the object. The user object usually has the UF_NORMAL_ACCOUNT set.

The following flags are defined in Lmaccess.h.

Flag Description
UF_SCRIPT The logon script executed. This value must be set for LAN Manager 2.0 or Windows NT.
UF_ACCOUNTDISABLE The user account is disabled.
UF_HOMEDIR_REQUIRED The home directory is required. This value is ignored in Windows NT and Windows 2000.
UF_PASSWD_NOTREQD No password is required.
UF_PASSWD_CANT_CHANGE The user cannot change the password.
UF_LOCKOUT The account is currently locked. This value can be cleared to unlock a previously locked account. This value cannot be used to lock a previously locked account.
UF_DONT_EXPIRE_PASSWD Represents the password, which should never expire on the account.

The following flags describe the account type. Only one value can be set. You cannot change the account type.

Flag Description
UF_NORMAL_ACCOUNT This is a default account type that represents a typical user.
UF_TEMP_DUPLICATE_ACCOUNT This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. The User Manager refers to this account type as a local user account.
UF_WORKSTATION_TRUST_ACCOUNT This is a computer account for a Windows NT Workstation/Windows 2000 Professional or Windows NT Server/Windows 2000 Server that is a member of this domain.
UF_SERVER_TRUST_ACCOUNT This is a computer account for a Windows NT Backup Domain Controller that is a member of this domain.
UF_INTERDOMAIN_TRUST_ACCOUNT This is a permit to trust account for a Windows NT domain that trusts other domains.

userCertificate

The userCertificate attribute is a multi-valued attribute that contains the DER-encoded X509v3 certificates issued to the user. Be aware that this attribute contains the public key certificates issued to this user by Microsoft Certificate Service.

userSharedFolder

The userSharedFolder attribute specifies a UNC path to the user's shared documents folder. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string.

userWorkstations

The userWorkstations attribute is a single-valued attribute that contains the NetBIOS names of the workstations from which the user can log on to. Each NetBIOS name is separated by a comma.

If no values are set, this indicates that there is no restriction. To disable logons from all workstations to this account, set the UF_ACCOUNTDISABLE value (defined in Lmaccess.h) in userAccountControl attribute.