
A Detailed Explanation of the AD User Attribute userAccountControl

23 Feb

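userAccountControl records some very interesting information about a user, but the value is just a number. Given an arbitrary number, can you work out what it represents?

For example:

66050

Looks a bit overwhelming, doesn't it? It is actually quite simple: Microsoft KB http://support.microsoft.com/?id=305144 explains it clearly.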

| Property flag | Value in hexadecimal | Value in decimal |
|---|---|---|
| SCRIPT | 0x0001 | 1 |
| ACCOUNTDISABLE | 0x0002 | 2 |
| HOMEDIR_REQUIRED | 0x0008 | 8 |
| LOCKOUT | 0x0010 | 16 |
| PASSWD_NOTREQD | 0x0020 | 32 |
| PASSWD_CANT_CHANGE | 0x0040 | 64 |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 |
| NORMAL_ACCOUNT | 0x0200 | 512 |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 |
| SERVER_TRUST_ACCOUNT | 0x2000 | 8192 |
| DONT_EXPIRE_PASSWORD | 0x10000 | 65536 |
| MNS_LOGON_ACCOUNT | 0x20000 | 131072 |
| SMARTCARD_REQUIRED | 0x40000 | 262144 |
| TRUSTED_FOR_DELEGATION | 0x80000 | 524288 |
| NOT_DELEGATED | 0x100000 | 1048576 |
| USE_DES_KEY_ONLY | 0x200000 | 2097152 |
| DONT_REQ_PREAUTH | 0x400000 | 4194304 |
| PASSWORD_EXPIRED | 0x800000 | 8388608 |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 |

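The 66050 above is parsed like this:

66050 = 65536 + 512 + 2

These mean, respectively: password never expires (DONT_EXPIRE_PASSWORD), normal user account (NORMAL_ACCOUNT), and account disabled (ACCOUNTDISABLE).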

For related LDAP queries, see:

Some solutions for LDAP queries within a domain
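
The decoding above, together with the kind of bitwise LDAP filter used to search on this attribute, as an added example that is not from the original post. `decode_uac` and `ldap_filter` are hypothetical helper names; the flag table is the one on this page, and the filter assumes Active Directory's bitwise-AND matching rule (OID 1.2.840.113556.1.4.803).

```python
# Flag values copied from the table on this page (Microsoft KB 305144).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# OID of the LDAP bitwise-AND matching rule: true when every bit of the mask is set.
LDAP_BIT_AND = "1.2.840.113556.1.4.803"

def decode_uac(value):
    """Return (flag names in bit order, bits not covered by the table)."""
    if value < 0:
        raise ValueError("userAccountControl must be non-negative")
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    known = sum(UAC_FLAGS)  # bits are distinct, so the sum equals the OR of all of them
    return names, value & ~known

def ldap_filter(*flag_names):
    """Build a filter for user objects that have all of the named flags set."""
    by_name = {name: bit for bit, name in UAC_FLAGS.items()}
    mask = 0
    for name in flag_names:
        mask |= by_name[name]  # KeyError on a misspelled flag name
    return f"(&(objectCategory=person)(objectClass=user)(userAccountControl:{LDAP_BIT_AND}:={mask}))"

if __name__ == "__main__":
    print(decode_uac(66050))
    print(ldap_filter("ACCOUNTDISABLE", "DONT_EXPIRE_PASSWORD"))
```

A non-zero second element from `decode_uac` means the value carries bits that this table does not list, so report them rather than silently dropping them.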

To delegate to a group the ability to disable users within an OU, you can use:
DSACLS "<DN of some OU>" /G "<sAMAccountName group>:RPWP;userAccountControl;user" /I:S

Posted on February 23, 2009 in Windows Server
