User Management Resource Administrator



Online Manual: "User Management Resource Administrator"

Script Action: Get user table (AD)

Function

Script action returning locked-out and disabled users. The resulting table is stored in the variable %UsersTable%.

Deployment

This script action is typically used in a delegation project with multiple forms to obtain a list of locked-out and disabled users and display the result in a form table. Project A contains this script action. In Project B, you need to define Project A as an initial project. Before the form of Project B is generated, the script of Project A is executed and the result is stored in the variable %UsersTable%. This variable can then be used in the form fields in Project B (e.g. in a generic table Variable).

Properties

| Property Name | Description | Typical setting | Remarks |
|---|---|---|---|
| Active Directory Root | If set to "Yes", a binding will be established to the root of the Active Directory for the currently logged on user or service. If set to "Yes", you need to set the LDAP path property to "No". | | |
| LDAP path | The full LDAP name of the organizational unit, container or domain that must be used for the search (e.g. LDAP://OU=Helpdesk,DC=t4edoc,DC=com). | | If you only want to obtain a list of user objects in a specific OU, then set the property Active Directory root to "No". |
| Include all users | Includes all user accounts in the search. When set to "Yes", the properties "Include locked out accounts" and "Include disabled accounts" are ignored. | | |
| Include locked out accounts | If set to "Yes", it will include user accounts that are locked out. | | |
| Include disabled accounts | If set to "Yes", it will include user accounts that are currently disabled. | | |
| User table | | Output is stored in %UsersTable% | |

For each returned user object in the table %UsersTable%, the following columns are included:

| Column | Description |
|---|---|
| Name | User name |
| Description | Description to display for an object |
| Locked out | "Yes" or "No" |
| Locked out period [hh:mm:ss] | Specifies the length of time a user is locked out after exceeding the maximum number of invalid password attempts. |
| Disabled | "Yes" or "No" |
| Password expired | If "Yes", the password has expired. If "No", the password has not expired. |
| Password expires | The value is either "Expired" for those accounts for which Password expired is "Yes" or the number of days before the password will expire. |
| SAM account name | The logon name used to support clients and servers running older versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. |
| Object distinguished name | Same as the Distinguished Name for an object. |
| User account control flags | Flags that control the behaviour of the user account (e.g. user cannot change password, user is currently locked out, no password required, password never expires, user account is disabled, etc.). The values are given in decimal. If these are converted to hexadecimal values, you can verify which flags are set for the user. Some examples: 514 - Disabled users; 512 - Default account type that represents a typical user. See the table under UserAccountControl flags for a full overview. |
| User lockout time | The date and time (UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the account is not currently locked out. |
| Password last set time | The date and time that the password for this account was last changed. The resulting value represents the number of 100 nanosecond intervals since 12:00 AM January 1, 1601. The date represented by this number is in Coordinated Universal Time (UTC). It must be adjusted by the time zone bias in the local machine registry to convert to local time. |

 

UserAccountControl flags

This attribute value can be zero or a combination of one or more of the following values:

| Hexadecimal value | Description |
|---|---|
| 0x00000001 | The logon script is executed. |
| 0x00000002 | The user account is disabled. |
| 0x00000008 | The home directory is required. |
| 0x00000010 | The account is currently locked out. |
| 0x00000020 | No password is required. |
| 0x00000040 | The user cannot change the password. |
| 0x00000080 | The user can send an encrypted password. |
| 0x00000200 | This is a default account type that represents a typical user. |
| 0x00000800 | This is a permit to trust account for a system domain that trusts other domains. |
| 0x00001000 | This is a computer account for a computer that is a member of this domain. |
| 0x00002000 | This is a computer account for a system backup domain controller that is a member of this domain. |
| 0x00010000 | The password for this account will never expire. |
| 0x00020000 | This is an MNS logon account. |
| 0x00040000 | The user must log on using a smart card. |
| 0x00080000 | The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. |
| 0x00100000 | The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation. |
| 0x00200000 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. |
| 0x00400000 | This account does not require Kerberos pre-authentication for logon. |
| 0x00800000 | The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy. |
| 0x01000000 | The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network. |
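As an added example (not part of the UMRA manual or product), the Python below decodes the decimal "User account control flags" column using the table above and converts the "User lockout time" and "Password last set time" values from 100-nanosecond intervals to UTC. The function names, the short flag labels, the `REVIEW` set and the sample rows are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Values from the UserAccountControl flags table; labels are shortened here.
UAC_FLAGS = {
    0x00000001: "logon script", 0x00000002: "disabled",
    0x00000008: "home directory required", 0x00000010: "locked out",
    0x00000020: "no password required", 0x00000040: "cannot change password",
    0x00000080: "encrypted password allowed", 0x00000200: "typical user",
    0x00000800: "interdomain trust", 0x00001000: "computer account",
    0x00002000: "backup domain controller", 0x00010000: "password never expires",
    0x00020000: "MNS logon account", 0x00040000: "smart card required",
    0x00080000: "trusted for Kerberos delegation", 0x00100000: "not delegated",
    0x00200000: "DES keys only", 0x00400000: "no Kerberos pre-authentication",
    0x00800000: "password expired", 0x01000000: "enabled for delegation",
}
# Assumption of this example: flags an account review would look at first.
REVIEW = (0x20, 0x10000, 0x80000, 0x200000, 0x400000, 0x1000000)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_uac(value):
    """Return (labels of the set flags, bits not listed in the table)."""
    names = [name for bit, name in UAC_FLAGS.items() if value & bit]
    return names, value & ~sum(UAC_FLAGS)

def review_flags(value):
    """Return the labels of set flags that belong to the REVIEW set."""
    return [UAC_FLAGS[bit] for bit in REVIEW if value & bit]

def filetime_to_utc(ticks):
    """100 ns intervals since 1601-01-01 UTC; zero means no time is recorded."""
    if ticks == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

# Constructed rows: SAM account name, flags, lockout time, password last set.
SAMPLE_ROWS = [
    ("jdoe", 514, 0, 132223104000000000),
    ("svc-backup", 66048, 0, 131592384000000000),
    ("tmp-user", 528, 132224832000000000, 0),
]

def summarize(rows):
    """Map each SAM account name to its decoded flags, review flags and times."""
    return {sam: (decode_uac(uac)[0], review_flags(uac),
                  filetime_to_utc(lock), filetime_to_utc(pwd))
            for sam, uac, lock, pwd in rows}

if __name__ == "__main__":
    for sam, info in summarize(SAMPLE_ROWS).items():
        print(sam, *info, sep=" | ")
```

A non-zero second value from `decode_uac` means the account carries bits that the table above does not list, which is worth checking before trusting the decoded labels.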

 

If you want to use the content of the variable %UsersTable% in a generic table, you need to set up a generic table of the Variable type. In the setup procedure, you can select the column template User info, which includes the above-mentioned columns.

See also:

Form properties - Initial project

Script Action: Get user info

UMRA tables - Special table type - Generic table Variable



