The term “User Account Control” can refer to two mechanisms that are well known to Windows users. The first was introduced with Windows Vista and allows programs to be run with restricted rights by default.
The second is an attribute of accounts (users or computers) in Active Directory. In this article, we will discuss this mechanism.
The “User Account Control” attribute is an integer number, between 2 and 134 167 290. The decimal (base 10) representation of a value has no meaning in itself; it is better to consider the binary (base 2) representation. The value is stored as an unsigned 32-bit (4-byte) number, and each bit of this number is a “flag” for one of the UAC features:
- If the bit is 1, the associated property is enabled for the account to which the UAC is assigned.
- If the property is disabled, the bit is 0.
bit 32 → 0000 0000 0000 0000 0000 0000 0000 0000 ← bit 1
The following table describes the UAC features, their associated bit and the behavior when the bit is set.
| Bit number | Decimal value | Property | Description |
|---|---|---|---|
| 1 | 1 | SCRIPT | The logon script will be run. |
| 2 | 2 | ACCOUNTDISABLE | The user account is disabled. |
| 3 | 4 | Reserved | Must be 0. |
| 4 | 8 | HOMEDIR_REQUIRED | The home folder is required. |
| 5 | 16 | LOCKOUT | The account is locked. |
| 6 | 32 | PASSWD_NOTREQD | No password is required. |
| 7 | 64 | PASSWD_CANT_CHANGE | The user cannot change the password. |
| 8 | 128 | ENCRYPTED_TEXT_PWD_ALLOWED | The user can send an encrypted password. |
| 9 | 256 | TEMP_DUPLICATE_ACCOUNT | It is an account for users whose primary account is in another domain. |
| 10 | 512 | NORMAL_ACCOUNT | It is a default account type. |
| 11 | 1 024 | Reserved | Must be 0. |
| 12 | 2 048 | INTERDOMAIN_TRUST_ACCOUNT | It is a permit to trust an account for a system domain that trusts other domains. |
| 13 | 4 096 | WORKSTATION_TRUST_ACCOUNT | It is a computer account for a computer that is running Windows NT 4.0 Workstation, Windows NT 4.0 Server, Windows 2000 Professional or Windows 2000 Server. |
| 14 | 8 192 | SERVER_TRUST_ACCOUNT | It is a computer account for a domain controller that is a member of this domain. |
| 15 | 16 384 | Reserved | Must be 0. |
| 16 | 32 768 | Reserved | Must be 0. |
| 17 | 65 536 | DONT_EXPIRE_PASSWORD | The password should never expire. |
| 18 | 131 072 | MNS_LOGON_ACCOUNT | It is an MNS logon account. |
| 19 | 262 144 | SMARTCARD_REQUIRED | The user must log on with a smart card. |
| 20 | 524 288 | TRUSTED_FOR_DELEGATION | The service account under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. |
| 21 | 1 048 576 | NOT_DELEGATED | The security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation. |
| 22 | 2 097 152 | USE_DES_KEY_ONLY | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. |
| 23 | 4 194 304 | DONT_REQ_PREAUTH | This account does not require Kerberos pre-authentication for logging on. |
| 24 | 8 388 608 | PASSWORD_EXPIRED | The user’s password has expired. |
| 25 | 16 777 216 | TRUSTED_TO_AUTH_FOR_DELEGATION | The account is enabled for delegation. |
| 26 | 33 554 432 | Reserved | Must be 0. |
| 27 | 67 108 864 | PARTIAL_SECRETS_ACCOUNT | The account is a read-only domain controller (RODC). |
| 28 | 134 217 728 | Reserved | Must be 0. |
| 29 | 268 435 456 | Reserved | Must be 0. |
| 30 | 536 870 912 | Reserved | Must be 0. |
| 31 | 1 073 741 824 | Reserved | Must be 0. |
| 32 | 2 147 483 648 | Reserved | Must be 0. |
Consider the UAC value 514. In binary it is 10 0000 0010: bit 10 (512, NORMAL_ACCOUNT) and bit 2 (2, ACCOUNTDISABLE) are set.
The UAC therefore tells us that this is a normal account, in a disabled state.
Some common values:
- User account : 512 (NORMAL_ACCOUNT)
- Domain controller : 532 480 (TRUSTED_FOR_DELEGATION + SERVER_TRUST_ACCOUNT)
- Server : 4 096 (WORKSTATION_TRUST_ACCOUNT)
Now that we have explained the mechanics of User Account Control values, let us talk about some best practices.
- A domain controller must contain SERVER_TRUST_ACCOUNT and TRUSTED_FOR_DELEGATION.
- A read-only domain controller must contain PARTIAL_SECRETS_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION and WORKSTATION_TRUST_ACCOUNT.
- Accounts must enforce Kerberos pre-authentication and therefore must not contain DONT_REQ_PREAUTH.
- Accounts should not have passwords without expiration dates, so the DONT_EXPIRE_PASSWORD attribute should not be activated.
- No non-domain controller account should contain TRUSTED_FOR_DELEGATION if authentication delegation is not constrained.
- The USE_DES_KEY_ONLY attribute is obsolete and should not be activated.
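The decoding of values such as 514 and 532 480 shown above, and the best-practice checks listed here, can both be expressed as a few lines of code over the flag table. The following Python is an added example and is not code from the original article: it decodes a userAccountControl integer into flag names, rebuilds a value from names, flags any reserved bits that are set, and audits a value against the rules above. Flag names and bit values come from the table on this page; the `delegation_constrained` parameter is this example's own assumption, since whether delegation is constrained is not recorded in the UAC attribute itself, and the governance labels at the end are illustrative, in the spirit of the “Password never expires: Enabled” translation described in the conclusion.

```python
# Added example, not code from the original article: decode a userAccountControl
# (UAC) integer into flag names, rebuild a value from names, and audit a value
# against the hardening rules listed in the article. Flag names and bit values
# are taken from the table on this page; everything else is this example's own.

# Property name -> bit value (1 << (bit number - 1)), per the table.
UAC_FLAGS = {
    "SCRIPT": 1 << 0,
    "ACCOUNTDISABLE": 1 << 1,
    "HOMEDIR_REQUIRED": 1 << 3,
    "LOCKOUT": 1 << 4,
    "PASSWD_NOTREQD": 1 << 5,
    "PASSWD_CANT_CHANGE": 1 << 6,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 1 << 7,
    "TEMP_DUPLICATE_ACCOUNT": 1 << 8,
    "NORMAL_ACCOUNT": 1 << 9,
    "INTERDOMAIN_TRUST_ACCOUNT": 1 << 11,
    "WORKSTATION_TRUST_ACCOUNT": 1 << 12,
    "SERVER_TRUST_ACCOUNT": 1 << 13,
    "DONT_EXPIRE_PASSWORD": 1 << 16,
    "MNS_LOGON_ACCOUNT": 1 << 17,
    "SMARTCARD_REQUIRED": 1 << 18,
    "TRUSTED_FOR_DELEGATION": 1 << 19,
    "NOT_DELEGATED": 1 << 20,
    "USE_DES_KEY_ONLY": 1 << 21,
    "DONT_REQ_PREAUTH": 1 << 22,
    "PASSWORD_EXPIRED": 1 << 23,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 1 << 24,
    "PARTIAL_SECRETS_ACCOUNT": 1 << 26,
}

UAC_MASK = 0xFFFFFFFF          # the attribute is an unsigned 32-bit integer
KNOWN_MASK = 0                 # union of all documented (non-reserved) bits
for _bit in UAC_FLAGS.values():
    KNOWN_MASK |= _bit


def decode_uac(value):
    """Return the names of the flags set in value, lowest bit first."""
    if not 0 <= value <= UAC_MASK:
        raise ValueError("userAccountControl must fit in 32 bits")
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def encode_uac(*names):
    """Combine flag names into a UAC integer (the inverse of decode_uac)."""
    value = 0
    for name in names:
        value |= UAC_FLAGS[name]
    return value


def reserved_bits(value):
    """Bits that are set although the table marks them 'Reserved, must be 0'."""
    return value & UAC_MASK & ~KNOWN_MASK


def audit_uac(value, delegation_constrained=False):
    """Check a UAC value against the article's best practices.

    delegation_constrained is an assumption of this example: whether the
    account's delegation is constrained is stored outside UAC, so the caller
    supplies it. Returns a list of findings; an empty list means compliant.
    """
    flags = set(decode_uac(value))
    findings = []
    is_dc = "SERVER_TRUST_ACCOUNT" in flags
    is_rodc = "PARTIAL_SECRETS_ACCOUNT" in flags
    if is_dc and "TRUSTED_FOR_DELEGATION" not in flags:
        findings.append("domain controller without TRUSTED_FOR_DELEGATION")
    rodc_required = {"TRUSTED_TO_AUTH_FOR_DELEGATION", "WORKSTATION_TRUST_ACCOUNT"}
    if is_rodc and not rodc_required <= flags:
        findings.append("read-only domain controller missing "
                        + ", ".join(sorted(rodc_required - flags)))
    if "DONT_REQ_PREAUTH" in flags:
        findings.append("Kerberos pre-authentication not enforced")
    if "DONT_EXPIRE_PASSWORD" in flags:
        findings.append("password never expires")
    if not is_dc and "TRUSTED_FOR_DELEGATION" in flags and not delegation_constrained:
        findings.append("unconstrained delegation on a non-domain-controller account")
    if "USE_DES_KEY_ONLY" in flags:
        findings.append("obsolete DES-only keys")
    if reserved_bits(value):
        findings.append("reserved bits set: 0x%X" % reserved_bits(value))
    return findings


# Illustrative human-readable labels, as an identity governance tool might show them.
GOVERNANCE_LABELS = {
    "ACCOUNTDISABLE": "Account disabled",
    "PASSWD_NOTREQD": "Password not required",
    "DONT_EXPIRE_PASSWORD": "Password never expires",
    "SMARTCARD_REQUIRED": "Smart card required",
    "DONT_REQ_PREAUTH": "Kerberos pre-authentication not required",
    "TRUSTED_FOR_DELEGATION": "Trusted for delegation",
}


def to_governance_fields(value):
    """Translate a UAC value into 'Enabled'/'Disabled' fields."""
    flags = set(decode_uac(value))
    return {label: ("Enabled" if name in flags else "Disabled")
            for name, label in GOVERNANCE_LABELS.items()}


if __name__ == "__main__":
    # Constructed sample values: the article's examples plus a pre-auth-disabled user.
    for sample in (514, 532480, 4096, 4194816):
        print(sample, decode_uac(sample), audit_uac(sample))
```

`decode_uac(514)` yields `ACCOUNTDISABLE` and `NORMAL_ACCOUNT`, and `audit_uac(532480)` returns no findings, matching the domain controller value listed above; a user with `DONT_REQ_PREAUTH` set (4 194 816, i.e. 512 + 4 194 304) is reported. Reserved bits are checked separately because a value with an undocumented bit set is worth investigating even when every known flag is acceptable.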
To conclude, the meaning of an account’s UAC attribute is more important than its actual value. That is why identity and access governance (IAG) solutions prefer to translate it into several “enabled/disabled” fields such as “Password never expires: Enabled”. The UAC is a source of raw information similar to those of other systems (e.g. the “REVOKED” flag on RACF systems), but it shows its full strength when broken down and translated to make identity and access governance simple and readable for end users.
- Microsoft documentation, UAC attribute — https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties (26/03/2021)
- ANSSI, Active Directory control points — https://www.cert.ssi.gouv.fr/uploads/guide-ad.html (26/03/2021)