useraccountcontrol LDAP

Melker
Kilo Expert

Hi, I'm trying to figure out how to get the value from the LDAP import and the userAccountControl attribute.

I need to get the value for disabled.
ACCOUNTDISABLE     0x0002     2

Lockout
LOCKOUT     0x0010     16

Password can't change
PASSWD_CANT_CHANGE     0x0040     64

Password never expires
DONT_EXPIRE_PASSWORD     0x10000     65536

Smartcard
SMARTCARD_REQUIRED     0x40000     262144

and
password expired
PASSWORD_EXPIRED     0x800000     8388608
and all combinations of these values.

I have created new true/false fields in the user table and want to populate them from the LDAP import.

I have looked at some articles, but they only refer to disabled accounts.
How can I extract the different values in different LDAP transform scripts?
Use the HEX value?

I'm new to SN scripting.

1 ACCEPTED SOLUTION

Thanks.
I missed that one. 🙂
I have now solved this 

 

Created one for each value I want to get.
This is for Password expired.

find_real_file.png
This is for password never expires.
if (ctrl.substr(-5,1) == "1")

Thanks all for the help pointing me in the right direction.

 

 

 


6 REPLIES 6

Jon23
Mega Sage

Hi Melker,

I believe the userAccountControl Value comes back as a decimal so you should be able to write a field transform script to set your target value to true or false as needed.

Example:

answer = (function transformEntry(source) {

	var uac = (source.u_userAccountControl == 512) ? true : false;
	return uac; // return the value to be put into the target field

})(source);

useful resource: ldapwiki.com

The problem is that it adds up

So PW never expires and disabled is 65538
PASSWORD_EXPIRED and locked out 8388624

The following may help with the various values: 

 

UserAccountControl Attribute/Flag Values

source: https://jackstromberg.com/2013/01/useraccountcontrol-attributeflag-values/

| Property Flag | Value In Hexadecimal | Value In Decimal | Not Officially Documented |
|---|---|---|---|
| SCRIPT | 0x0001 | 1 | |
| ACCOUNTDISABLE | 0x0002 | 2 | |
| HOMEDIR_REQUIRED | 0x0008 | 8 | |
| LOCKOUT | 0x0010 | 16 | |
| PASSWD_NOTREQD | 0x0020 | 32 | |
| PASSWD_CANT_CHANGE | 0x0040 | 64 | |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 | |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 | |
| NORMAL_ACCOUNT | 0x0200 | 512 | |
| Disabled Account | 0x0202 | 514 | x |
| Enabled, Password Not Required | 0x0220 | 544 | x |
| Disabled, Password Not Required | 0x0222 | 546 | x |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 | |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 | |
| SERVER_TRUST_ACCOUNT | 0x2000 | 8192 | |
| DONT_EXPIRE_PASSWORD | 0x10000 | 65536 | |
| Enabled, Password Doesn’t Expire | 0x10200 | 66048 | x |
| Disabled, Password Doesn’t Expire | 0x10202 | 66050 | x |
| Disabled, Password Doesn’t Expire & Not Required | 0x10222 | 66082 | x |
| MNS_LOGON_ACCOUNT | 0x20000 | 131072 | |
| SMARTCARD_REQUIRED | 0x40000 | 262144 | |
| Enabled, Smartcard Required | 0x40200 | 262656 | x |
| Disabled, Smartcard Required | 0x40202 | 262658 | x |
| Disabled, Smartcard Required, Password Not Required | 0x40222 | 262690 | x |
| Disabled, Smartcard Required, Password Doesn’t Expire | 0x50202 | 328194 | x |
| Disabled, Smartcard Required, Password Doesn’t Expire & Not Required | 0x50222 | 328226 | x |
| TRUSTED_FOR_DELEGATION | 0x80000 | 524288 | |
| Domain controller | 0x82000 | 532480 | |
| NOT_DELEGATED | 0x100000 | 1048576 | |
| USE_DES_KEY_ONLY | 0x200000 | 2097152 | |
| DONT_REQ_PREAUTH | 0x400000 | 4194304 | |
| PASSWORD_EXPIRED | 0x800000 | 8388608 | |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 | |
| PARTIAL_SECRETS_ACCOUNT | 0x04000000 | 67108864 | |

Melker
Kilo Expert

Thanks. Yes, I have that.
The question is how I can script this.
Do I have to create all possibilities in the script?
Or how can I convert to HEX so I can read out the position and value from there?
I know how to do it with PowerShell, but I can't script java so well.
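
Added example, not part of any post in this thread: each flag the question lists can be tested on its own with a bitwise AND on the decimal value, so no table of combinations is needed. The field name `u_userAccountControl` comes from Jon23's reply; `parseUac`, `hasFlag`, `decodeUac` and `hexDigitCheck` are hypothetical helper names, and `hexDigitCheck` assumes the hex-digit comparison in the accepted solution is applied to a hex string (the post does not show how `ctrl` is built).

```javascript
// Added example: decode userAccountControl with bitwise AND (ES5 syntax).
// Flag values are the ones listed in this thread.
var UAC = {
    ACCOUNTDISABLE:       0x0002,
    LOCKOUT:              0x0010,
    PASSWD_CANT_CHANGE:   0x0040,
    DONT_EXPIRE_PASSWORD: 0x10000,
    SMARTCARD_REQUIRED:   0x40000,
    PASSWORD_EXPIRED:     0x800000
};

// The LDAP import delivers the attribute as text; return null when it is
// missing or not a plain decimal number so the caller can skip the row.
function parseUac(raw) {
    var text = String(raw === null || raw === undefined ? '' : raw).trim();
    if (!/^\d+$/.test(text)) { return null; }
    var value = parseInt(text, 10);
    return value <= 0xFFFFFFFF ? value : null;
}

// True when the given flag bit is set, whatever other bits are set.
function hasFlag(raw, flag) {
    var value = parseUac(raw);
    return value !== null && (value & flag) === flag;
}

// All six flags at once, e.g. for logging or a single onBefore script.
function decodeUac(raw) {
    var value = parseUac(raw);
    if (value === null) { return null; }
    var out = {};
    for (var name in UAC) {
        if (UAC.hasOwnProperty(name)) { out[name] = (value & UAC[name]) === UAC[name]; }
    }
    return out;
}

// Hex-digit comparison on the fifth digit from the right, for contrast.
function hexDigitCheck(raw) {
    var value = parseUac(raw);
    return value !== null && value.toString(16).substr(-5, 1) === '1';
}

// In a field transform script (one per hypothetical true/false target field):
// answer = (function transformEntry(source) {
//     return hasFlag(source.u_userAccountControl, UAC.ACCOUNTDISABLE);
// })(source);
```

With the thread's sample values, 65538 decodes as disabled plus password never expires and 8388624 as locked out plus password expired, while the hex-digit comparison misses 328194 (0x50202) because SMARTCARD_REQUIRED shares that hex digit. On current Active Directory, lockout and password-expired state are reported in `msDS-User-Account-Control-Computed` rather than in `userAccountControl`, so those two bits may never be set in the imported value.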