3.1.1.8.10 userAccountControl

  1. If the UF_LOCKOUT bit (section 2.2.1.13) is set and the lockoutTime attribute is nonzero, the lockoutTime attribute MUST be updated to a value of zero.

  2. The following bits, if set, MUST be unset before committing the transaction: UF_LOCKOUT and UF_PASSWORD_EXPIRED.

  3. If the UF_SERVER_TRUST_ACCOUNT bit is set, all of the following constraints MUST be satisfied:

    1. The primaryGroupId attribute MUST be updated to the value DOMAIN_GROUP_RID_CONTROLLERS.

    2. If the previous primaryGroupId value is NOT DOMAIN_GROUP_RID_COMPUTERS, let G be the group whose objectSid value has the RID of the previous primaryGroupId on the current object. G's member attribute MUST be updated to add a reference to the current object if it is not already present; processing errors for this constraint MUST be ignored.

  4. If either UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION or UF_TRUSTED_FOR_DELEGATION is set, the client's token MUST be retrieved using the method described in [MS-RPCE] section 3.3.3.4.3. The RpcImpersonationAccessToken.Privileges[] field MUST have the SE_ENABLE_DELEGATION_NAME privilege (defined in [MS-LSAD] section 3.1.1.2.1). Otherwise, the server MUST abort processing and return STATUS_ACCESS_DENIED.

  5. If any of the following bits are set, the client MUST have the associated control access right (defined in [MS-ADTS] section 5.1.3.2.1) on the ntSecurityDescriptor for the account domain object, per an access check. (Information about the access check mechanism is specified in [MS-ADTS] section 5.1.3.3.) If this constraint fails, the server MUST abort processing and return STATUS_ACCESS_DENIED.

    userAccountControl bit                 Required control access right
    UF_PASSWD_NOTREQD                      Update-Password-Not-Required-Bit
    UF_DONT_EXPIRE_PASSWD                  Unexpire-Password
    UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED     Enable-Per-User-Reversibly-Encrypted-Password
    UF_SERVER_TRUST_ACCOUNT                DS-Install-Replica
    UF_PARTIAL_SECRETS_ACCOUNT             DS-Install-Replica

  6. If the UF_SMARTCARD_REQUIRED bit is set and is NOT present in the previous value, the dBCSPwd and unicodePwd attributes MUST each be updated with 16 random bytes, and all USER_PROPERTY elements MUST be removed from the supplementalCredentials attribute.

  7. If the UF_PASSWD_NOTREQD bit is removed from the userAccountControl value, the server MUST abort processing and return an error status if all of the following conditions are true:

    1. userAccountControl contains UF_NORMAL_ACCOUNT.

    2. userAccountControl does not contain the UF_ACCOUNTDISABLE bit.

    3. The Effective-MinimumPasswordLength attribute (see section 3.1.1.5) is nonzero.

  8. If the UF_INTERDOMAIN_TRUST_ACCOUNT bit is set, and the write request did not originate over the MS-LSAD protocol (see [MS-ADTS] section 6.1.6.9.7), the server MUST abort processing and return an error status.

  9. If both UF_USER_PARTIAL_SECRETS_ACCOUNT and UF_TRUSTED_FOR_DELEGATION are set, the server MUST abort processing and return an error status.

  10. If UF_USER_PARTIAL_SECRETS_ACCOUNT is set and UF_WORKSTATION_TRUST_ACCOUNT is not set, the server MUST abort processing and return an error status.

  11. If more than one of the following bits are set, the server MUST abort processing and return an error status.

    userAccountControl bit
    UF_NORMAL_ACCOUNT
    UF_INTERDOMAIN_TRUST_ACCOUNT
    UF_WORKSTATION_TRUST_ACCOUNT
    UF_SERVER_TRUST_ACCOUNT

  12. If the UF_TEMP_DUPLICATE_ACCOUNT bit is set, the server MUST abort processing and return an error status.

  13. If none of the following bits are set, the server MUST set the UF_NORMAL_ACCOUNT bit.

    userAccountControl bit
    UF_NORMAL_ACCOUNT
    UF_INTERDOMAIN_TRUST_ACCOUNT
    UF_WORKSTATION_TRUST_ACCOUNT
    UF_SERVER_TRUST_ACCOUNT

For more information about the UF_SERVER_TRUST_ACCOUNT and UF_WORKSTATION_TRUST_ACCOUNT bits, see the following citation in Appendix B: Product Behavior.<33>
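Constraints 2, 7 and 9 through 13 above depend only on the requested userAccountControl value (and, for constraint 7, the previous value and the effective minimum password length), so a server can evaluate them before touching any other directory state. The following Python is an added example, not code from [MS-SAMR] or from any Windows implementation; the UF_* bit values are taken from [MS-SAMR] section 2.2.1.13, the text's UF_USER_PARTIAL_SECRETS_ACCOUNT is assumed to be the same bit as UF_PARTIAL_SECRETS_ACCOUNT, and "removed" in constraint 7 is read as set in the previous value and clear in the new one.

```python
# Bit values are taken from [MS-SAMR] section 2.2.1.13; they are not on this page.
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_PASSWD_NOTREQD = 0x0020
UF_TEMP_DUPLICATE_ACCOUNT = 0x0100
UF_NORMAL_ACCOUNT = 0x0200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000
UF_PASSWORD_EXPIRED = 0x800000
UF_PARTIAL_SECRETS_ACCOUNT = 0x4000000  # assumed to be the text's UF_USER_PARTIAL_SECRETS_ACCOUNT

# At most one of these account-type bits may be set (constraints 11 and 13).
ACCOUNT_TYPE_BITS = (UF_NORMAL_ACCOUNT | UF_INTERDOMAIN_TRUST_ACCOUNT
                     | UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)

def check_user_account_control(new_uac, previous_uac, effective_min_pwd_len):
    """Return the value the server commits, or raise ValueError where the
    section says the server MUST abort. Constraints that need directory state
    or the caller's token (1, 3-6, 8) are outside this check."""
    # Constraint 7: "removed" is read as set in the previous value and clear now.
    removed_notreqd = previous_uac & UF_PASSWD_NOTREQD and not new_uac & UF_PASSWD_NOTREQD
    if (removed_notreqd and new_uac & UF_NORMAL_ACCOUNT
            and not new_uac & UF_ACCOUNTDISABLE and effective_min_pwd_len != 0):
        raise ValueError("constraint 7: enabled normal account must require a password")
    # Constraint 9: a partial-secrets account cannot also be trusted for delegation.
    if new_uac & UF_PARTIAL_SECRETS_ACCOUNT and new_uac & UF_TRUSTED_FOR_DELEGATION:
        raise ValueError("constraint 9: partial secrets with trusted for delegation")
    # Constraint 10: partial secrets are only valid on a workstation trust account.
    if new_uac & UF_PARTIAL_SECRETS_ACCOUNT and not new_uac & UF_WORKSTATION_TRUST_ACCOUNT:
        raise ValueError("constraint 10: partial secrets without workstation trust")
    # Constraint 11: more than one account-type bit is an error.
    if bin(new_uac & ACCOUNT_TYPE_BITS).count("1") > 1:
        raise ValueError("constraint 11: more than one account-type bit set")
    if new_uac & UF_TEMP_DUPLICATE_ACCOUNT:  # constraint 12: never accepted
        raise ValueError("constraint 12: UF_TEMP_DUPLICATE_ACCOUNT set")
    # Constraint 13: with no account-type bit the server defaults to a normal account.
    if not new_uac & ACCOUNT_TYPE_BITS:
        new_uac |= UF_NORMAL_ACCOUNT
    return new_uac & ~(UF_LOCKOUT | UF_PASSWORD_EXPIRED)  # constraint 2: always cleared

def is_rejected(new_uac, previous_uac, effective_min_pwd_len):
    """True when the server would abort the write with an error status."""
    try:
        check_user_account_control(new_uac, previous_uac, effective_min_pwd_len)
    except ValueError:
        return True
    return False
```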