3.1.1.4.5.17 msDS-User-Account-Control-Computed
The msDS-User-Account-Control-Computed attribute has different behavior on AD DS and AD LDS.
Let TO be the object from which the msDS-User-Account-Control-Computed attribute is being read.
For AD DS, the following description applies.
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PE | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | LO | 0 | 0 | 0 | 0 |

Note: Bits are presented in big-endian byte order.
If the object TO is not in a domain NC, TO!msDS-User-Account-Control-Computed = 0.
If the object TO is in a domain NC, let D be the root of that NC, and let ST be the current time, read from the system clock. Then the value of TO!msDS-User-Account-Control-Computed is the preceding bit pattern, where:
LO (ADS_UF_LOCKOUT, 0x00000010) is set if:
(none of bits ADS_UF_WORKSTATION_TRUST_ACCOUNT, ADS_UF_SERVER_TRUST_ACCOUNT, ADS_UF_INTERDOMAIN_TRUST_ACCOUNT are set in TO!userAccountControl)
and (TO!lockoutTime is nonzero and either (1) Effective-LockoutDuration (regarded as an unsigned quantity) < 0x8000000000000000, or (2) ST + Effective-LockoutDuration (regarded as a signed quantity) ≤ TO!lockoutTime), where Effective-LockoutDuration is defined in [MS-SAMR] section 3.1.1.5.
PE (ADS_UF_PASSWORD_EXPIRED, 0x00800000) is set if:
(none of bits ADS_UF_SMARTCARD_REQUIRED, ADS_UF_DONT_EXPIRE_PASSWD, ADS_UF_WORKSTATION_TRUST_ACCOUNT, ADS_UF_SERVER_TRUST_ACCOUNT, ADS_UF_INTERDOMAIN_TRUST_ACCOUNT are set in TO!userAccountControl)
and (TO!pwdLastSet = null, or TO!pwdLastSet = 0, or (Effective-MaximumPasswordAge ≠ 0x8000000000000000 and (ST - TO!pwdLastSet) > Effective-MaximumPasswordAge)), where Effective-MaximumPasswordAge is defined in [MS-SAMR] section 3.1.1.5.
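The AD DS rules above, transcribed into Python as an added example (not code from the specification). The Effective-* inputs are hypothetical function parameters because their definitions live in [MS-SAMR]; the trust-account and smart-card flag values come from ADS_USER_FLAG_ENUM, and the sample times are constructed.

```python
# Added example, not part of the specification: the AD DS rules applied literally.
ADS_UF_LOCKOUT = 0x00000010             # value given on the page
ADS_UF_PASSWORD_EXPIRED = 0x00800000    # value given on the page
ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000  # value given on the page
ADS_UF_SMARTCARD_REQUIRED = 0x00040000  # from ADS_USER_FLAG_ENUM
# WORKSTATION_TRUST | SERVER_TRUST | INTERDOMAIN_TRUST (from ADS_USER_FLAG_ENUM)
TRUST_BITS = 0x00001000 | 0x00002000 | 0x00000800
SIGN_BIT = 0x8000000000000000
MASK64 = 0xFFFFFFFFFFFFFFFF

# Constructed sample values: times in 100-ns ticks (assumption).
MINUTE = 60 * 10_000_000
DAY = 24 * 60 * MINUTE
ST = 133_500_000_000_000_000


def _u64(x):
    """Bit pattern of x regarded as an unsigned 64-bit quantity."""
    return x & MASK64


def _s64(x):
    """Bit pattern of x regarded as a signed 64-bit quantity."""
    x &= MASK64
    return x - (1 << 64) if x & SIGN_BIT else x


def uac_computed_ad_ds(in_domain_nc, uac, lockout_time, pwd_last_set, st,
                       eff_lockout_duration, eff_max_pwd_age):
    """Return msDS-User-Account-Control-Computed for object TO on AD DS.

    eff_* are the Effective-* values of [MS-SAMR] 3.1.1.5, supplied by the
    caller (hypothetical parameters; their derivation is not on this page).
    """
    if not in_domain_nc:
        return 0
    value = 0
    # LO: not a trust account, lockoutTime nonzero (absent treated as zero,
    # an assumption), and duration condition (1) or (2) holds.
    if not uac & TRUST_BITS and lockout_time:
        if (_u64(eff_lockout_duration) < SIGN_BIT
                or st + _s64(eff_lockout_duration) <= lockout_time):
            value |= ADS_UF_LOCKOUT
    # PE: no exempting flag, and pwdLastSet is null/0 or older than the max age.
    if not uac & (TRUST_BITS | ADS_UF_SMARTCARD_REQUIRED | ADS_UF_DONT_EXPIRE_PASSWD):
        if not pwd_last_set or (_u64(eff_max_pwd_age) != SIGN_BIT
                                and st - pwd_last_set > _s64(eff_max_pwd_age)):
            value |= ADS_UF_PASSWORD_EXPIRED
    return value
```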
For AD LDS, the following description applies.
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PE | 0 | 0 | 0 | 0 | 0 | 0 | DEP | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PNR | LO | 0 | 0 | AD | 0 |

Note: Bits are presented in big-endian byte order.
The value of the TO!msDS-User-Account-Control-Computed attribute is the preceding bit pattern, where:
AD (ADS_UF_ACCOUNT_DISABLE, 0x00000002) is set if:
TO!msDS-UserAccountDisabled is TRUE
LO (ADS_UF_LOCKOUT, 0x00000010) is set if:
TO!ms-DS-UserAccountAutoLocked is TRUE
PNR (ADS_UF_PASSWD_NOTREQD, 0x00000020) is set if:
TO!ms-DS-UserPasswordNotRequired is TRUE
DEP (ADS_UF_DONT_EXPIRE_PASSWD, 0x00010000) is set if:
TO!msDS-UserDontExpirePassword is TRUE
PE (ADS_UF_PASSWORD_EXPIRED, 0x00800000) is set if:
TO!msDS-UserPasswordExpired is TRUE