LDAP – Query Others 2


sAMAccountType

| Name | Value (hex) | Value (decimal) |
|---|---|---|
| SAM_DOMAIN_OBJECT | 0x0 | |
| SAM_GROUP_OBJECT | 0x10000000 | 268435456 |
| SAM_NON_SECURITY_GROUP_OBJECT | 0x10000001 | 268435457 |
| SAM_ALIAS_OBJECT | 0x20000000 | 536870912 |
| SAM_NON_SECURITY_ALIAS_OBJECT | 0x20000001 | 536870913 |
| SAM_USER_OBJECT | 0x30000000 | 805306368 |
| SAM_NORMAL_USER_ACCOUNT | 0x30000000 | 805306368 |
| SAM_MACHINE_ACCOUNT | 0x30000001 | 805306369 |
| SAM_TRUST_ACCOUNT | 0x30000002 | 805306370 |
| SAM_APP_BASIC_GROUP | 0x40000000 | 1073741824 |
| SAM_APP_QUERY_GROUP | 0x40000001 | 1073741825 |
| SAM_ACCOUNT_TYPE_MAX | 0x7fffffff | 2147483647 |

groupType

| Value | Description |
|---|---|
| 1 (0x00000001) | Specifies a group that is created by the system. |
| 2 (0x00000002) | Specifies a group with global scope. |
| 4 (0x00000004) | Specifies a group with domain local scope. |
| 8 (0x00000008) | Specifies a group with universal scope. |
| 16 (0x00000010) | Specifies an APP_BASIC group for Windows Server Authorization Manager. |
| 32 (0x00000020) | Specifies an APP_QUERY group for Windows Server Authorization Manager. |
| 2147483648 (0x80000000) | Specifies a security group. If this flag is not set, then the group is a distribution group. |

userAccountControl

| Value | Identifier (defined in iads.h) | Description |
|---|---|---|
| 0x00000001 | ADS_UF_SCRIPT | The logon script is executed. |
| 0x00000002 | ADS_UF_ACCOUNTDISABLE | The user account is disabled. |
| 0x00000008 | ADS_UF_HOMEDIR_REQUIRED | The home directory is required. |
| 0x00000010 | ADS_UF_LOCKOUT | The account is currently locked out. |
| 0x00000020 | ADS_UF_PASSWD_NOTREQD | No password is required. |
| 0x00000040 | ADS_UF_PASSWD_CANT_CHANGE | The user cannot change the password. Note: you cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password. |
| 0x00000080 | ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED | The user can send an encrypted password. |
| 0x00000100 | ADS_UF_TEMP_DUPLICATE_ACCOUNT | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account. |
| 0x00000200 | ADS_UF_NORMAL_ACCOUNT | This is a default account type that represents a typical user. |
| 0x00000800 | ADS_UF_INTERDOMAIN_TRUST_ACCOUNT | This is a permit to trust account for a system domain that trusts other domains. |
| 0x00001000 | ADS_UF_WORKSTATION_TRUST_ACCOUNT | This is a computer account for a computer that is a member of this domain. |
| 0x00002000 | ADS_UF_SERVER_TRUST_ACCOUNT | This is a computer account for a system backup domain controller that is a member of this domain. |
| 0x00004000 | N/A | Not used. |
| 0x00008000 | N/A | Not used. |
| 0x00010000 | ADS_UF_DONT_EXPIRE_PASSWD | The password for this account will never expire. |
| 0x00020000 | ADS_UF_MNS_LOGON_ACCOUNT | This is an MNS logon account. |
| 0x00040000 | ADS_UF_SMARTCARD_REQUIRED | The user must log on using a smart card. |
| 0x00080000 | ADS_UF_TRUSTED_FOR_DELEGATION | The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. |
| 0x00100000 | ADS_UF_NOT_DELEGATED | The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation. |
| 0x00200000 | ADS_UF_USE_DES_KEY_ONLY | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. |
| 0x00400000 | ADS_UF_DONT_REQUIRE_PREAUTH | This account does not require Kerberos pre-authentication for logon. |
| 0x00800000 | ADS_UF_PASSWORD_EXPIRED | The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy. |
| 0x01000000 | ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION | The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network. |
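As an added example (not code from the original post), the Python below decodes raw userAccountControl and groupType values against the tables above and builds the bitwise-AND filter clauses needed to query on a single flag; the OID 1.2.840.113556.1.4.803 is the standard LDAP_MATCHING_RULE_BIT_AND, and the audit filter at the end is a constructed illustration that combines the sAMAccountType and userAccountControl tables.

```python
# Added example: decode the bit-flag attributes tabulated above and build
# LDAP filter clauses that test individual bits. Not from the original post.
from typing import Dict, List

# userAccountControl bits and their iads.h identifiers (from the table above)
UAC_FLAGS: Dict[int, str] = {
    0x1: "ADS_UF_SCRIPT", 0x2: "ADS_UF_ACCOUNTDISABLE",
    0x8: "ADS_UF_HOMEDIR_REQUIRED", 0x10: "ADS_UF_LOCKOUT",
    0x20: "ADS_UF_PASSWD_NOTREQD", 0x40: "ADS_UF_PASSWD_CANT_CHANGE",
    0x80: "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x100: "ADS_UF_TEMP_DUPLICATE_ACCOUNT", 0x200: "ADS_UF_NORMAL_ACCOUNT",
    0x800: "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "ADS_UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "ADS_UF_SERVER_TRUST_ACCOUNT", 0x10000: "ADS_UF_DONT_EXPIRE_PASSWD",
    0x20000: "ADS_UF_MNS_LOGON_ACCOUNT", 0x40000: "ADS_UF_SMARTCARD_REQUIRED",
    0x80000: "ADS_UF_TRUSTED_FOR_DELEGATION", 0x100000: "ADS_UF_NOT_DELEGATED",
    0x200000: "ADS_UF_USE_DES_KEY_ONLY", 0x400000: "ADS_UF_DONT_REQUIRE_PREAUTH",
    0x800000: "ADS_UF_PASSWORD_EXPIRED",
    0x1000000: "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}
# groupType bits (from the table above)
GROUP_FLAGS: Dict[int, str] = {
    0x1: "SYSTEM", 0x2: "GLOBAL", 0x4: "DOMAIN_LOCAL", 0x8: "UNIVERSAL",
    0x10: "APP_BASIC", 0x20: "APP_QUERY", 0x80000000: "SECURITY_ENABLED",
}
SAM_NORMAL_USER_ACCOUNT = 805306368  # 0x30000000, from the sAMAccountType table
# Extensible matching rule OID for bitwise AND (LDAP_MATCHING_RULE_BIT_AND)
BIT_AND = "1.2.840.113556.1.4.803"

def decode_flags(value, table: Dict[int, str]) -> List[str]:
    """Names of the bits set in an attribute value. AD returns groupType as a
    signed 32-bit integer, so a security group reads e.g. -2147483646; mask to
    32 bits so the sign bit (0x80000000) decodes like any other flag."""
    bits = int(value) & 0xFFFFFFFF
    return [name for bit, name in sorted(table.items()) if bits & bit]

def bit_set(attribute: str, mask: int) -> str:
    """Filter clause matching entries where every bit in mask is set; the
    mask must be written in decimal inside the filter."""
    return f"({attribute}:{BIT_AND}:={mask})"

def weak_user_filter() -> str:
    """Audit filter (constructed example): enabled normal user accounts that
    skip Kerberos pre-authentication, need no password, or never expire."""
    uac = "userAccountControl"
    weak = (0x400000, 0x20, 0x10000)
    return (f"(&(sAMAccountType={SAM_NORMAL_USER_ACCOUNT})"
            f"(!{bit_set(uac, 0x2)})"
            f"(|{''.join(bit_set(uac, m) for m in weak)}))")
```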
