- accountExpires
- The accountExpires property specifies when the account will expire. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970. A value of TIMEQ_FOREVER indicates that the account never expires.
This value is defined in LMACCESS.H.
- altSecurityIdentities
- The altSecurityIdentities property is a multi-valued property that contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication. Various security packages (including the Public Key authentication package and Kerberos) use this information to authenticate users when they present the alternative form of identification (such as a certificate, a Unix Kerberos ticket, and so on) and build a Windows 2000 token based on the corresponding user account so that they can access system resources.
For X.509 certificates, the values should be the Issuer and Subject names in 509v3 certificates (issued by an external public Certificate Authority) that map to the user account used to find an account for authentication. The SSL (schannel) package uses the following syntax: X509:<somecertinfotype>somecertinfo. For example, the following value specifies the issuer DN "<I>" with the DN C=US,O=InternetCA,CN=APublicCertificateAuthority and the subject DN "<S>" with the DN C=US,O=Microsoft,OU=FOO,CN=John Smith:
X509:<I>C=US,O=InternetCA,CN=APublicCertificateAuthority<S>C=US,O=Microsoft,OU=FOO,CN=John Smith
Note that <I> or <I> and <S> are supported. Having only <S> is not supported. Applications should not modify the values within <I> or <S> because partial DN matching is not supported.
For external Kerberos accounts, the values should be the Kerberos account name. The Kerberos package uses the following syntax: Kerberos:MITaccountname. For example, the following is the value for an account at Microsoft.com:
Kerberos:John.Doe@Microsoft.com
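An added example (not part of the original documentation) that parses the two altSecurityIdentities syntaxes above and enforces the stated rules: an X509 value needs <I>, optionally followed by <S>, and DNs are compared whole, never partially. The sample values are constructed, and `parse_alt_security_identity` and `matches_certificate` are names chosen here.

```python
# Added example: parser for the altSecurityIdentities syntaxes documented above.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (not real accounts) in both documented syntaxes.
SAMPLE_VALUES = [
    "X509:<I>C=US,O=InternetCA,CN=APublicCertificateAuthority"
    "<S>C=US,O=Microsoft,OU=FOO,CN=John Smith",
    "X509:<I>C=US,O=InternetCA,CN=APublicCertificateAuthority",
    "X509:<S>C=US,O=Microsoft,OU=FOO,CN=John Smith",  # <S> alone: unsupported
    "Kerberos:John.Doe@Microsoft.com",
]

@dataclass
class AltIdentity:
    kind: str                        # "X509" or "Kerberos"
    issuer: Optional[str] = None     # DN inside <I> (X509 only)
    subject: Optional[str] = None    # DN inside <S> (X509 only)
    principal: Optional[str] = None  # Kerberos account name

# Both <I> and <S> are optional in the grammar; the support rule is applied below.
_X509_RE = re.compile(r"^X509:(?:<I>(?P<issuer>[^<]*))?(?:<S>(?P<subject>[^<]*))?$")

def parse_alt_security_identity(value: str) -> AltIdentity:
    """Parse one value; raise ValueError for forms the documentation calls unsupported."""
    if value.startswith("Kerberos:"):
        name = value[len("Kerberos:"):]
        if not name:
            raise ValueError("Kerberos mapping needs an account name")
        return AltIdentity(kind="Kerberos", principal=name)
    m = _X509_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised altSecurityIdentities syntax: {value!r}")
    issuer, subject = m.group("issuer"), m.group("subject")
    if not issuer:
        # Supported: <I> alone, or <I> with <S>. <S> alone is not supported.
        raise ValueError("X509 mapping must carry a non-empty <I> issuer DN")
    return AltIdentity(kind="X509", issuer=issuer, subject=subject)

def matches_certificate(identity: AltIdentity, cert_issuer: str, cert_subject: str) -> bool:
    """Whole-DN string comparison only, since partial DN matching is not supported."""
    if identity.kind != "X509" or identity.issuer != cert_issuer:
        return False
    return identity.subject is None or identity.subject == cert_subject
```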
- badPasswordTime (Non-replicated)
- The badPasswordTime property specifies the last time the user tried to log onto the account using an incorrect password. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970. This property is maintained separately on each domain controller in the domain. A value of zero means that the last bad password time is unknown. To get an accurate value for the user's last bad password time in the domain, each domain controller in the domain must be queried and the largest value should be used.
- badPwdCount (Non-replicated)
- The badPwdCount property specifies the number of times the user tried to log on to the account using an incorrect password. This property is maintained separately on each domain controller in the domain. A value of 0 indicates that the value is unknown. To get an accurate value for the user's total bad password attempts in the domain, each domain controller in the domain must be queried and the sum of the values should be used.
- codePage
- The codePage property specifies the code page for the user's language of choice. This value is not used by Windows 2000.
- countryCode
- The countryCode property specifies the country code for the user's language of choice. This value is not used by Windows 2000.
- homeDirectory
- The homeDirectory property specifies the path of the home directory for the user. The string can be null.
If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string.
If homeDrive is not set, homeDirectory should be a local path (such as C:\mylocaldir).
- homeDrive
- The homeDrive property specifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the following form:
driveletter:
where driveletter is the letter of the drive to map. For example:
Z:
If this property is not set, the homeDirectory should be a local path (such as C:\mylocaldir).
- lastLogoff (Non-replicated)
- The lastLogoff property specifies when the last logoff occurred. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970. This property is maintained separately on each domain controller in the domain. A value of zero means that the last logoff time is unknown. To get an accurate value for the user's last logoff in the domain, each domain controller in the domain must be queried and the largest value should be used.
- lastLogon (Non-replicated)
- The lastLogon property specifies when the last logon occurred. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970. This property is maintained separately on each domain controller in the domain. A value of zero means that the last logon time is unknown. To get an accurate value for the user's last logon in the domain, each domain controller in the domain must be queried and the largest value should be used.
- lmPwdHistory
- The lmPwdHistory property is the password history of the user in LAN Manager (LM) one-way format (OWF). The LM OWF is used for compatibility with LAN Manager 2.x clients, Windows 95, and Windows 98. This property is used only by the operating system. Note that you cannot derive the clear password back from the OWF form of the password.
- logonCount (Non-replicated)
- The logonCount property counts the number of successful times the user tried to log on to this account. This property is maintained separately on each domain controller in the domain. A value of 0 indicates that the value is unknown. To get an accurate value for the user's total number of successful logon attempts in the domain, each domain controller in the domain must be queried and the sum of the values should be used.
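An added example (not part of the original documentation) that applies the aggregation rule stated for the five Non-replicated properties above (badPasswordTime, badPwdCount, lastLogoff, lastLogon, logonCount): query every DC, take the largest value for timestamps and the sum for counters, treating 0 as unknown. The per-DC readings are constructed sample data and the function names are chosen here.

```python
# Added example: reconcile Non-replicated user attributes across domain controllers.

# Attributes the documentation marks Non-replicated, with their aggregation rule.
TIMESTAMP_ATTRS = ("badPasswordTime", "lastLogoff", "lastLogon")  # use the largest
COUNTER_ATTRS = ("badPwdCount", "logonCount")                     # sum the values

# Constructed per-DC readings for one user (large integers as the page describes;
# the numbers are made up). 0 means the DC has no value for that attribute.
DC_READINGS = {
    "DC1": {"badPasswordTime": 1700000000, "badPwdCount": 3,
            "lastLogon": 1700001000, "lastLogoff": 0, "logonCount": 40},
    "DC2": {"badPasswordTime": 0, "badPwdCount": 0,
            "lastLogon": 1700005000, "lastLogoff": 1699990000, "logonCount": 12},
    "DC3": {"badPasswordTime": 1700004000, "badPwdCount": 2,
            "lastLogon": 0, "lastLogoff": 0, "logonCount": 0},
}

def reconcile(readings):
    """Return domain-wide values: max for timestamps, sum for counters.
    A result of 0 means no DC in the set had a known value."""
    result = {}
    for attr in TIMESTAMP_ATTRS:
        result[attr] = max(dc.get(attr, 0) for dc in readings.values())
    for attr in COUNTER_ATTRS:
        result[attr] = sum(dc.get(attr, 0) for dc in readings.values())
    return result

def unaware_dcs(readings, attr):
    """DCs reporting 0 (unknown) for attr: asking only one of these would make
    an active account look as if it had never logged on or never failed a password."""
    return sorted(name for name, dc in readings.items() if dc.get(attr, 0) == 0)
```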
- mail (E-mail-Addresses)
- The mail property is a single-valued property that contains the SMTP address for the user (such as john@Microsoft.com).
- memberOf
- The memberOf property is a multi-valued property that contains groups of which the user is a direct member, depending on the domain controller (DC) from which this property is retrieved:
- At a DC for the domain containing the user, memberOf for the user is complete with respect to membership for groups in that domain; however, memberOf does not contain the user's membership in domain local and global groups in other domains.
- At a GC server, memberOf for the user is complete with respect to all universal group memberships.
If both conditions are true about the DC, both sets of information are contained in memberOf.
Note that this property lists only the groups that contain the user directly in their member property; it does not contain the recursive list of nested groups. For example, if user O is a direct member of group C and group B, and group B is nested in group A, the memberOf property of user O lists group C and group B but not group A.
This property is not stored—it is a computed back-link attribute.
- ntPwdHistory
- The ntPwdHistory property is the password history of the user in Windows NT (NT) one-way format (OWF). Windows® 2000 uses the NT OWF. This property is used only by the operating system. Note that you cannot derive the clear password back from the OWF form of the password.
- otherMailbox
- The otherMailbox property is a multi-valued property containing additional mail addresses in a form such as CCMAIL: JohnDoe.
- PasswordExpirationDate
- The password expiration date is not a property on the user object. It is a calculated value based on the sum of pwdLastSet for the user and maxPwdAge of the user's domain. To get the password expiration date, call the IADsUser::get_PasswordExpirationDate method. You cannot modify this value for a user; instead, call the IADsDomain::put_MaxPasswordAge method to change the setting for the domain.
- primaryGroupID
- The primaryGroupID property is a single-valued property containing the relative identifier (RID) for the primary group of the user. By default, this is the RID for the Domain Users group. This property is not used in the context of the Active Directory.
- profilePath
- The profilePath property specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path.
- pwdLastSet
- The pwdLastSet property specifies when the user last set the password. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970.
The system uses the value of this property and the maxPwdAge property of the domain containing the user object to calculate the password expiration date (sum of pwdLastSet for the user and maxPwdAge of the user's domain).
This property controls whether the user must change the password the next time the user logs on. If pwdLastSet is zero (the default), the user must change the password at next logon. The value -1 means the user does not need to change the password at next logon. The system sets this value to -1 after the user has set the password.
- sAMAccountType
- The sAMAccountType property specifies an integer that represents the account type. This is set by the operating system when the object is created.
- scriptPath
- The scriptPath property specifies the path of the user's logon script (a .CMD, .EXE, or .BAT file). The string can be null.
- unicodePwd
- The unicodePwd property is the password for the user.
To set the password of the user, use the IADsUser::ChangePassword method (if your script or application allows the user to change their own password) or the IADsUser::SetPassword method (if your script or application allows an administrator to reset a password).
The password is stored in Windows NT (NT) one-way format (OWF). Windows® 2000 uses the NT OWF. This property is used only by the operating system. Note that you cannot derive the clear password back from the OWF form of the password.
- userAccountControl
- The userAccountControl property specifies flags that control password, lockout, disable/enable, script, and home directory behavior for the user. This property also contains a flag that indicates the account type of the object. A user object usually has the UF_NORMAL_ACCOUNT flag set.
The flags are defined in LMACCESS.H.
| Value | Meaning |
| --- | --- |
| UF_SCRIPT | The logon script is executed. This value must be set for LAN Manager 2.0 or Windows NT. |
| UF_ACCOUNTDISABLE | The user's account is disabled. |
| UF_HOMEDIR_REQUIRED | The home directory is required. This value is ignored in Windows NT and Windows 2000. |
| UF_PASSWD_NOTREQD | No password is required. |
| UF_PASSWD_CANT_CHANGE | The user cannot change the password. |
| UF_LOCKOUT | The account is currently locked out. This value can be cleared to unlock a previously locked account. This value cannot be used to lock a previously unlocked account. |
| UF_DONT_EXPIRE_PASSWD | The password should never expire on the account. |
The following values describe the account type. Only one value can be set. You cannot change the account type.
| Value | Meaning |
| --- | --- |
| UF_NORMAL_ACCOUNT | This is the default account type that represents a typical user. |
| UF_TEMP_DUPLICATE_ACCOUNT | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. The User Manager refers to this account type as a local user account. |
| UF_WORKSTATION_TRUST_ACCOUNT | This is a computer account for a Windows NT Workstation/Windows 2000 Professional or Windows NT Server/Windows 2000 Server that is a member of this domain. |
| UF_SERVER_TRUST_ACCOUNT | This is a computer account for a Windows NT Backup Domain Controller that is a member of this domain. |
| UF_INTERDOMAIN_TRUST_ACCOUNT | This is a permit-to-trust account for a Windows NT domain that trusts other domains. |
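An added example (not part of the original documentation) that decodes a userAccountControl value into the flags listed above, checks that exactly one account-type bit is set, and reports the password-hygiene findings a reviewer would raise. The numeric bit values are the LMACCESS.H constants, which the tables above name but do not list; the sample values and the function names are chosen here.

```python
# Added example: decode userAccountControl and surface weak password settings.

# Behavior flags (values from LMACCESS.H; the page lists only the names).
UF_FLAGS = {
    "UF_SCRIPT": 0x0001,
    "UF_ACCOUNTDISABLE": 0x0002,
    "UF_HOMEDIR_REQUIRED": 0x0008,
    "UF_LOCKOUT": 0x0010,
    "UF_PASSWD_NOTREQD": 0x0020,
    "UF_PASSWD_CANT_CHANGE": 0x0040,
    "UF_DONT_EXPIRE_PASSWD": 0x10000,
}
# Account-type bits: exactly one is set and it cannot be changed.
UF_ACCOUNT_TYPES = {
    "UF_TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "UF_NORMAL_ACCOUNT": 0x0200,
    "UF_INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "UF_SERVER_TRUST_ACCOUNT": 0x2000,
}

def decode_uac(value: int):
    """Return (sorted behavior flag names, account type name).
    Raises ValueError if the type bits are not exactly one."""
    flags = sorted(name for name, bit in UF_FLAGS.items() if value & bit)
    types = [name for name, bit in UF_ACCOUNT_TYPES.items() if value & bit]
    if len(types) != 1:
        raise ValueError(f"expected exactly one account-type bit, found {types}")
    return flags, types[0]

def review_findings(value: int):
    """Password-hygiene findings for an enabled account, in a fixed order.
    Disabled accounts return no findings because they cannot be logged on to."""
    flags, acct_type = decode_uac(value)
    findings = []
    if "UF_ACCOUNTDISABLE" in flags:
        return findings
    if "UF_PASSWD_NOTREQD" in flags:
        findings.append("password not required")
    if "UF_DONT_EXPIRE_PASSWD" in flags and acct_type == "UF_NORMAL_ACCOUNT":
        findings.append("password never expires")
    return findings

# Constructed sample values: 512 is a plain enabled user, 514 the same user disabled.
SAMPLE_UAC = {"enabled_user": 0x0200, "disabled_user": 0x0202,
              "no_password": 0x0220, "never_expires": 0x10200}
```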
- userCertificate (X509-Cert)
- The userCertificate property is a multi-valued property that contains the DER-encoded X509v3 certificates issued to the user. Note that this property contains the public key certificates issued to this user by Microsoft® Certificate Service.
- userSharedFolder
- The userSharedFolder property specifies a UNC path to the user's shared documents folder. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string.
- userWorkstations
- The userWorkstations property is a single-valued property containing the NetBIOS names of the computers running Windows NT Workstation/Windows 2000 Professional from which the user can log on. Each NetBIOS name is separated by a comma. The NetBIOS name of a computer is the sAMAccountName property of a computer object.
If no values are set, there is no restriction. To disable logons from all computers running Windows NT Workstation/Windows 2000 Professional to this account, set the UF_ACCOUNTDISABLE value in the userAccountControl property.
This value is defined in LMACCESS.H.
- maxStorage
- The maxStorage property specifies the maximum amount of disk space the user can use. Use the value specified in USER_MAXSTORAGE_UNLIMITED to use all available disk space.
This value is defined in LMACCESS.H.