Skip to main content


Showing posts from September, 2015

Deciphering userAccountControl

There’s been a lot of good information on userAccountControl (UAC) over the years. I was trying to explain a coworker about how it works which got me really thinking about it. I thought I’d try to share my findings with you in case you have a similar interest in learning it.   WHAT IS USER ACCOUNT CONTROL? Let me first describe UAC. The simplest definition, in my opinion, would be to say that it’s a composite status of an object. (Let’s talk about user objects specifically.) A user object can be a variety of things -- disabled, enabled, locked, password expired, etc -- which when the integer value that’s stored in UAC is broken down, represents them. That’s why the account options are multi-select, I guess. :-) Note that UAC is a 32-bit value. Anyway, this is the LDAP attribute where Active Directory stores the various states of your user account. How many different states can a user account be in, you might be wondering? It’s documented in quite a few places, actually (and now he