userAccountControl in Active Directory

Keywords for this article: active directory, control, user | Updated: 2023-09-27 18:31:45

> I want to know the current value of userAccountControl and determine which state it is in.

Reference: http://support.microsoft.com/kb/305144/en-us

According to the document above, it should return a value that is 2 to the power N.

But when I run my C# program, it returns the value 544 for a normal account and 546 for a disabled account. I suspect these are decimal numbers. But how do I map them back to the values shown in the reference?

Thanks.

You can decode it easily by casting the result to an enum.

int userAccountControlValue = 544;
UserAccountControl userAccountControl = (UserAccountControl) userAccountControlValue;
// This gets a comma separated string of the flag names that apply.
string userAccountControlFlagNames = userAccountControl.ToString();
// This is how you test for an individual flag.
bool isNormalAccount = (userAccountControl & UserAccountControl.NORMAL_ACCOUNT) == UserAccountControl.NORMAL_ACCOUNT;
bool isAccountDisabled = (userAccountControl & UserAccountControl.ACCOUNTDISABLE) == UserAccountControl.ACCOUNTDISABLE;
bool isAccountLockedOut = (userAccountControl & UserAccountControl.LOCKOUT) == UserAccountControl.LOCKOUT;

Here is the enum definition you need:

/// <summary>
/// Flags that control the behavior of the user account.
/// </summary>
[Flags()]
public enum UserAccountControl : int
{
    /// <summary>
    /// The logon script is executed.
    /// </summary>
    SCRIPT = 0x00000001,
    /// <summary>
    /// The user account is disabled.
    /// </summary>
    ACCOUNTDISABLE = 0x00000002,
    /// <summary>
    /// The home directory is required.
    /// </summary>
    HOMEDIR_REQUIRED = 0x00000008,
    /// <summary>
    /// The account is currently locked out.
    /// </summary>
    LOCKOUT = 0x00000010,
    /// <summary>
    /// No password is required.
    /// </summary>
    PASSWD_NOTREQD = 0x00000020,
    /// <summary>
    /// The user cannot change the password.
    /// </summary>
    /// <remarks>
    /// Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute.
    /// For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
    /// </remarks>
    PASSWD_CANT_CHANGE = 0x00000040,
    /// <summary>
    /// The user can send an encrypted password.
    /// </summary>
    ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080,
    /// <summary>
    /// This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not
    /// to any domain that trusts this domain. Also known as a local user account.
    /// </summary>
    TEMP_DUPLICATE_ACCOUNT = 0x00000100,
    /// <summary>
    /// This is a default account type that represents a typical user.
    /// </summary>
    NORMAL_ACCOUNT = 0x00000200,
    /// <summary>
    /// This is a permit to trust account for a system domain that trusts other domains.
    /// </summary>
    INTERDOMAIN_TRUST_ACCOUNT = 0x00000800,
    /// <summary>
    /// This is a computer account for a computer that is a member of this domain.
    /// </summary>
    WORKSTATION_TRUST_ACCOUNT = 0x00001000,
    /// <summary>
    /// This is a computer account for a system backup domain controller that is a member of this domain.
    /// </summary>
    SERVER_TRUST_ACCOUNT = 0x00002000,
    /// <summary>
    /// Not used.
    /// </summary>
    Unused1 = 0x00004000,
    /// <summary>
    /// Not used.
    /// </summary>
    Unused2 = 0x00008000,
    /// <summary>
    /// The password for this account will never expire.
    /// </summary>
    DONT_EXPIRE_PASSWD = 0x00010000,
    /// <summary>
    /// This is an MNS logon account.
    /// </summary>
    MNS_LOGON_ACCOUNT = 0x00020000,
    /// <summary>
    /// The user must log on using a smart card.
    /// </summary>
    SMARTCARD_REQUIRED = 0x00040000,
    /// <summary>
    /// The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service
    /// can impersonate a client requesting the service.
    /// </summary>
    TRUSTED_FOR_DELEGATION = 0x00080000,
    /// <summary>
    /// The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
    /// </summary>
    NOT_DELEGATED = 0x00100000,
    /// <summary>
    /// Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
    /// </summary>
    USE_DES_KEY_ONLY = 0x00200000,
    /// <summary>
    /// This account does not require Kerberos pre-authentication for logon.
    /// </summary>
    DONT_REQUIRE_PREAUTH = 0x00400000,
    /// <summary>
    /// The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
    /// </summary>
    PASSWORD_EXPIRED = 0x00800000,
    /// <summary>
    /// The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly
    /// controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to
    /// other remote servers on the network.
    /// </summary>
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000,
    /// <summary>
    /// The account is a read-only domain controller (RODC) partial secrets account.
    /// </summary>
    PARTIAL_SECRETS_ACCOUNT = 0x04000000,
    /// <summary>
    /// The account uses AES encryption keys.
    /// </summary>
    USE_AES_KEYS = 0x08000000
}

It is a bitmap. Each bit in the word is either ON or OFF (1 or 0). It is not really a number; it is more like a row of switches, each of which is on or off. The operating system uses them internally because they can be manipulated very quickly by logically comparing them against a bitmask.

The LDIF representation of the attribute can show the result as a decimal number (the equivalent of the binary gibberish, as if the mask were a number - which it really isn't!). And it is easy to decode, because basically it is done by adding some powers of 2 together.

For example:

  512 = normal account
  514 = 512 + 2 = normal account, disabled
  546 = 512 + 32 + 2 = normal account, disabled, no password required
 2080 = 2048 + 32 = Interdomain trust, no password required
66048 = 65536 + 512 = normal account, password never expires
66050 = 65536 + 512 + 2 = normal account, password never expires, disabled
66080 = 65536 + 512 + 32 = normal account, password never expires, no password required

  • 544 = hex 0x220
  • 546 = hex 0x222

According to the list here, this means:

0x200 = normal account
0x020 = passwd_notreqd = password not required
0x002 = account disabled

So:

  • The value 544 (decimal), 0x220 hex, means: normal account, password not required
  • The value 546 (decimal), 0x222 hex, means: normal account, disabled, password not required
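The three answers above say the same thing in three ways: cast to a flags enum, add up powers of two, or read the hex digits. The following Python script is an added example, not code from this thread. It mirrors the flag names of the C# enum with enum.IntFlag, decomposes a value into its powers of two exactly as the table above does (544, 546, 2080, 66048 and so on), and goes one step further than the answers: since the LDIF export shows the attribute as a plain decimal, it scans a constructed LDIF fragment and reports which entries carry the flags the enum's own comments describe as security-sensitive (no password required, no Kerberos pre-authentication, DES-only keys, the two delegation flags). The review set and the sample DNs are this example's assumptions.

```python
"""Decode Active Directory userAccountControl bitmasks (added example)."""
from enum import IntFlag


class UserAccountControl(IntFlag):
    # Same names and bit values as the C# enum in the answer above.
    SCRIPT = 0x00000001
    ACCOUNTDISABLE = 0x00000002
    HOMEDIR_REQUIRED = 0x00000008
    LOCKOUT = 0x00000010
    PASSWD_NOTREQD = 0x00000020
    PASSWD_CANT_CHANGE = 0x00000040
    ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080
    TEMP_DUPLICATE_ACCOUNT = 0x00000100
    NORMAL_ACCOUNT = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT = 0x00000800
    WORKSTATION_TRUST_ACCOUNT = 0x00001000
    SERVER_TRUST_ACCOUNT = 0x00002000
    DONT_EXPIRE_PASSWD = 0x00010000
    MNS_LOGON_ACCOUNT = 0x00020000
    SMARTCARD_REQUIRED = 0x00040000
    TRUSTED_FOR_DELEGATION = 0x00080000
    NOT_DELEGATED = 0x00100000
    USE_DES_KEY_ONLY = 0x00200000
    DONT_REQUIRE_PREAUTH = 0x00400000
    PASSWORD_EXPIRED = 0x00800000
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT = 0x04000000
    USE_AES_KEYS = 0x08000000


# bit value -> flag name, looked up per bit so unknown bits are reported
# rather than silently swallowed by IntFlag's pseudo-members.
FLAG_NAMES = {member.value: member.name for member in UserAccountControl}


def set_bits(value):
    """Return the powers of two that sum to `value`, largest first."""
    return [1 << i for i in range(value.bit_length() - 1, -1, -1) if value >> i & 1]


def decode_uac(value):
    """Names of all flags set in `value`, largest bit first."""
    return [FLAG_NAMES.get(b, f"UNKNOWN_0x{b:X}") for b in set_bits(value)]


def explain_uac(value):
    """Render the sum-of-powers-of-two breakdown used in the examples above."""
    bits = set_bits(value)
    if not bits:
        return f"{value} = (no flags set)"
    return (f"{value} = {' + '.join(str(b) for b in bits)} (0x{value:X}) = "
            f"{', '.join(decode_uac(value))}")


# Flags worth a second look in a directory review. The selection is this
# example's choice, taken from the flag descriptions in the enum comments.
REVIEW_FLAGS = (UserAccountControl.PASSWD_NOTREQD
                | UserAccountControl.DONT_REQUIRE_PREAUTH
                | UserAccountControl.USE_DES_KEY_ONLY
                | UserAccountControl.TRUSTED_FOR_DELEGATION
                | UserAccountControl.TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION)

# Constructed sample LDIF (not a real export); DNs are made up.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=example,DC=com
userAccountControl: 512

dn: CN=svc-legacy,OU=Service,DC=example,DC=com
userAccountControl: 546

dn: CN=bob,OU=Users,DC=example,DC=com
userAccountControl: 66048

dn: CN=svc-app,OU=Service,DC=example,DC=com
userAccountControl: 4194816
"""


def audit_ldif(ldif_text):
    """Map each DN whose userAccountControl has a REVIEW_FLAGS bit set to
    the names of those bits. Entries with none set are omitted."""
    findings = {}
    dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.lower().startswith("useraccountcontrol:") and dn:
            value = int(line.split(":", 1)[1])   # LDIF shows it in decimal
            hits = int(value & REVIEW_FLAGS)
            if hits:
                findings[dn] = decode_uac(hits)
    return findings


if __name__ == "__main__":
    for v in (512, 514, 546, 2080, 66048, 66050, 66080, 544):
        print(explain_uac(v))
    for entry, flags in audit_ldif(SAMPLE_LDIF).items():
        print(entry, "->", ", ".join(flags))
```

Walking the value bit by bit rather than hex digit by hex digit matters: a single hex digit can pack several flags (0x3 is SCRIPT plus ACCOUNTDISABLE), and a digit-keyed lookup table has no entry for it.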
A Python function for decoding Active Directory userAccountControl.

Definitions:

  1. A dictionary with all the defined values (reference: Microsoft)

    uac_decode_dict = {"0x0001": "SCRIPT",
                   "0x0002": "ACCOUNTDISABLE",
                   "0x0008": "HOMEDIR_REQUIRED",
                   "0x0010": "LOCKOUT",
                   "0x0020": "PASSWD_NOTREQD",
                   "0x0040": "PASSWD_CANT_CHANGE",
                   "0x0080": "ENCRYPTED_TEXT_PWD_ALLOWED",
                   "0x0100": "TEMP_DUPLICATE_ACCOUNT",
                   "0x0200": "NORMAL_ACCOUNT",
                   "0x0800": "INTERDOMAIN_TRUST_ACCOUNT",
                   "0x1000": "WORKSTATION_TRUST_ACCOUNT",
                   "0x2000": "SERVER_TRUST_ACCOUNT",
                   "0x10000": "DONT_EXPIRE_PASSWORD",
                   "0x20000": "MNS_LOGON_ACCOUNT",
                   "0x40000": "SMARTCARD_REQUIRED",
                   "0x80000": "TRUSTED_FOR_DELEGATION",
                   "0x100000": "NOT_DELEGATED",
                   "0x200000": "USE_DES_KEY_ONLY",
                   "0x400000": "DONT_REQ_PREAUTH",
                   "0x800000": "PASSWORD_EXPIRED",
                   "0x1000000": "TRUSTED_TO_AUTH_FOR_DELEGATION",
                   "0x04000000": "PARTIAL_SECRETS_ACCOUNT"}
    
  2. Define a function to decode the UAC value

    def decode_uac(_uac):
        #
        # Decode the userAccountControl value.
        #
        # Walk the value bit by bit (not hex digit by hex digit, which breaks
        # when one digit packs several flags, e.g. 0x3 = SCRIPT + ACCOUNTDISABLE)
        # and look each set bit up in uac_decode_dict.
        #
        _translatedUAC = ""
        _hex_uac = hex(_uac)
        # Normalise the dictionary keys to integers once, so "0x0001" and
        # "0x04000000" match regardless of their zero padding.
        _known = {int(_k, 16): _v for _k, _v in uac_decode_dict.items()}
        _bit = 1
        while _bit <= _uac:
            if _uac & _bit:
                if _bit in _known:
                    if _translatedUAC == "":
                        _translatedUAC += _known[_bit]
                    else:
                        _translatedUAC += " - " + _known[_bit]
                else:
                    print("Invalid userAccountControl key: " + hex(_bit) + ". Values dec: " + str(_uac) + " hex: " + _hex_uac)
                    _translatedUAC += " - Error "
            _bit <<= 1
        return _translatedUAC

  3. Call the function, passing userAccountControl as an integer

    # _userAccountControl is the attribute value read from the directory (a string or int)
    result = decode_uac(int(_userAccountControl))