- accountExpires
- The accountExpires property specifies when an account
expires. In the directory this value is stored as a large integer
that represents the number of 100-nanosecond intervals since
00:00:00, January 1, 1601 (UTC), in the same FILETIME form as
pwdLastSet and lastLogon. A value of 0, or of 0x7FFFFFFFFFFFFFFF
(the largest positive 64-bit value), indicates that the account
never expires. The NetUser* functions expose the same setting as the
number of seconds elapsed since 00:00:00, January 1, 1970 (UTC),
where the value TIMEQ_FOREVER indicates that an account never
expires; that constant is defined in Lmaccess.h.
- altSecurityIdentities
- The altSecurityIdentities property is a multi-valued
property that contains mappings from X.509 certificates or external
Kerberos user accounts to this user for the purpose of
authentication. Security packages such as the public key
authentication package (Schannel) and Kerberos use this data to
authenticate a user who presents the alternative form of
identification (a certificate, a UNIX Kerberos ticket, and so on),
and then build a Windows 2000 access token for the corresponding
user account so that the caller can access system resources.
For X.509 certificates, the values are the Issuer and Subject names
of X.509v3 certificates issued by an external public Certificate
Authority; they are matched to find the account used for
authentication. The SSL (Schannel) package uses the following
syntax: X509:<somecertinfotype>somecertinfo. For example, the
following value specifies the issuer DN "<I>"
C=US,O=InternetCA,CN=APublicCertificateAuthority and the subject DN
"<S>" C=US,O=Fabrikam,OU=Sales,CN=Jeff Smith:
X509:<I>C=US,O=InternetCA,CN=APublicCertificateAuthority<S>C=US,O=Fabrikam,OU=Sales,CN=Jeff Smith
Either <I> alone or <I> together with <S> is supported; <S> alone is
not. Applications should not modify the DN strings within <I> or
<S>, because the comparison is an exact string match and partial DN
matching is not supported. Because the match is on names rather than
on a key, an <I>-only mapping grants the account to the holder of
any certificate from that issuer, and an <I><S> mapping relies on
the external CA never issuing the same subject name to another
party; only map to CAs you trust to enforce that.
For external Kerberos accounts, the values are the Kerberos
principal name. The Kerberos package uses the following syntax:
Kerberos:MITaccountname. For example, the following is the value for
an account at Fabrikam.com:
Kerberos:Jeff.Smith@Fabrikam.com
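The mapping syntax above, as an added example (Python; not code from the original page or from Microsoft): a parser for the X509:<I>...<S>... and Kerberos:... forms that enforces the rules the text states (exact string match, <I> required, <S> alone rejected) and resolves a presented certificate or Kerberos principal to an account. The account names, DNs and in-memory directory are constructed for illustration; refusing a mapping that appears on two accounts is this example's policy, not something the page specifies.

```python
"""Parse altSecurityIdentities values and resolve a presented identity to an
account the way the text describes: exact string match, X509:<I><S> or
X509:<I> only, Kerberos:name@REALM.

Added example for this page, not Microsoft or ADSI code. The accounts, DNs
and the in-memory directory below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# X509:<I>issuer-dn[<S>subject-dn]   (a bare <S> is not a supported form)
_X509_RE = re.compile(r"^X509:(?:<I>(?P<issuer>.*?))?(?:<S>(?P<subject>.*))?$")
_KRB_PREFIX = "Kerberos:"


def parse_alt_sec_id(value: str) -> Tuple[str, tuple]:
    """Return ("x509", (issuer, subject_or_None)) or ("kerberos", (principal,)).

    Raises ValueError for forms the text marks unsupported (X509 with only
    <S>, empty <I> or <S>, Kerberos without a realm, unknown prefix).
    """
    if value.startswith(_KRB_PREFIX):
        principal = value[len(_KRB_PREFIX):]
        if "@" not in principal or principal.startswith("@"):
            raise ValueError(f"Kerberos mapping needs name@REALM: {value!r}")
        return ("kerberos", (principal,))
    m = _X509_RE.match(value)
    if m is None:
        raise ValueError(f"unrecognised altSecurityIdentities value: {value!r}")
    issuer, subject = m.group("issuer"), m.group("subject")
    if not issuer:
        raise ValueError(f"X509 mapping must carry <I>, optionally with <S>: {value!r}")
    if subject is not None and subject == "":
        raise ValueError(f"empty <S> in {value!r}")
    return ("x509", (issuer, subject))


def build_mapping_index(directory: Dict[str, List[str]]) -> Dict[Tuple[str, tuple], str]:
    """Index every mapping value to the sAMAccountName that carries it.

    A mapping present on two accounts is rejected: the holder of one
    certificate could otherwise be issued a token for either account.
    (That refusal is this example's policy; the text does not say how the
    system resolves duplicates.)
    """
    index: Dict[Tuple[str, tuple], str] = {}
    for account, values in directory.items():
        for raw in values:
            key = parse_alt_sec_id(raw)
            if key in index and index[key] != account:
                raise ValueError(f"{raw!r} is mapped to both {index[key]} and {account}")
            index[key] = account
    return index


def account_for_certificate(index: Dict[Tuple[str, tuple], str],
                            issuer_dn: str, subject_dn: str) -> Optional[str]:
    """Resolve a presented certificate by exact issuer/subject strings.

    An <I><S> mapping is preferred; failing that, an <I>-only mapping matches
    every certificate the issuer has signed. No normalisation is applied:
    the text says partial DN matching is not supported.
    """
    exact = index.get(("x509", (issuer_dn, subject_dn)))
    return exact if exact is not None else index.get(("x509", (issuer_dn, None)))


def account_for_kerberos(index: Dict[Tuple[str, tuple], str], principal: str) -> Optional[str]:
    """Resolve an external Kerberos principal by exact name."""
    return index.get(("kerberos", (principal,)))


# Constructed directory: sAMAccountName -> altSecurityIdentities values.
SAMPLE_DIRECTORY: Dict[str, List[str]] = {
    "jsmith": [
        "X509:<I>C=US,O=InternetCA,CN=APublicCertificateAuthority"
        "<S>C=US,O=Fabrikam,OU=Sales,CN=Jeff Smith",
        "Kerberos:Jeff.Smith@Fabrikam.com",
    ],
    # Issuer-only mapping (hypothetical partner CA): every certificate that
    # CA issues resolves to this account, so the CA must be fully trusted.
    "svc-gateway": ["X509:<I>C=US,O=Fabrikam,CN=PartnerGatewayCA"],
}

if __name__ == "__main__":
    idx = build_mapping_index(SAMPLE_DIRECTORY)
    ca = "C=US,O=InternetCA,CN=APublicCertificateAuthority"
    print(account_for_certificate(idx, ca, "C=US,O=Fabrikam,OU=Sales,CN=Jeff Smith"))
    print(account_for_certificate(idx, "C=US,O=Fabrikam,CN=PartnerGatewayCA", "CN=anything"))
    # Whitespace or case differences are not tolerated: exact match only.
    print(account_for_certificate(idx, ca, "C=US,O=Fabrikam,OU=Sales,CN=jeff smith"))
```

The third lookup in the usage section returns None: a subject DN that differs only in case is a different string, which is exactly what the "no partial DN matching" rule implies, and it is why callers must store the DN string precisely as the certificate presents it.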
- badPasswordTime
- Non-replicated. The badPasswordTime property specifies
the last time the user attempted to log on to the account using an
incorrect password. This value is stored as a large integer that
represents the number of 100-nanosecond intervals since January 1,
1601 (UTC), in the same FILETIME form as lastLogon. This property is
maintained separately on each domain controller in the domain. A
value of zero means that the last bad password time is unknown. To
get an accurate value for the user's last bad password time in the
domain, each domain controller in the domain must be queried and the
largest value should be used.
- badPwdCount
- Non-replicated. The badPwdCount property specifies the
number of times the user attempted to log on to the account using
an incorrect password since the count was last reset. This property
is maintained separately on each domain controller in the domain; a
value of 0 means that this domain controller has recorded no failed
attempts. To estimate the user's total bad password attempts in the
domain, each domain controller in the domain must be queried and the
sum of the values used. Because a domain controller that rejects a
password retries the request at the PDC emulator, the PDC emulator's
count is the most complete single reading, and a plain sum across
all domain controllers can count the same attempt twice.
- codePage
- The codePage property specifies the code page for the
user's chosen language. This value is not used by Windows
2000.
- countryCode
- The countryCode property specifies the country/region
code for the user's language. This value is not used by Windows
2000.
- homeDirectory
- The homeDirectory property specifies the path of the
home directory for the user. The string can be null.
If homeDrive is set and specifies a drive letter,
homeDirectory must be a network UNC path of the form
\\server\share\directory, which is mapped to that drive letter at
logon.
If homeDrive is not set, homeDirectory should be a
local path, for example, C:\mylocaldir.
- homeDrive
- The homeDrive property specifies the drive letter to
which to map the UNC path specified by homeDirectory. The
drive letter must be specified in the following form:
driveletter:
where driveletter is the letter of the drive to map. For
example:
Z:
If this property is not set, the homeDirectory should be
a local path, for example, C:\mylocaldir.
- lastLogoff
- Non-replicated. The lastLogoff property specifies when
the last logoff occurred. This value is stored as a large integer
that represents the number of 100-nanosecond intervals since
January 1, 1601 (UTC). The high part of this large integer
corresponds to the dwHighDateTime member of the
FILETIME structure and the low part corresponds to the
dwLowDateTime member of the FILETIME structure. This
property is maintained separately on each domain controller in the
domain. A value of zero means that the last logoff time is unknown.
To get an accurate value for the user's last logoff in the domain,
each domain controller in the domain must be queried and the
largest value should be used.
- lastLogon
- Non-replicated. The lastLogon property specifies when
the last logon occurred. This value is stored as a large integer
that represents the number of 100-nanosecond intervals since
January 1, 1601 (UTC). The high part of this large integer
corresponds to the dwHighDateTime member of the
FILETIME structure and the low part corresponds to the
dwLowDateTime member of the FILETIME structure. This
property is maintained separately on each domain controller in the
domain. A value of zero means that the last logon time is unknown.
To get an accurate value for the user's last logon in the domain,
each domain controller in the domain must be queried and the
largest value should be used.
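For the non-replicated timestamps and counters described under badPasswordTime, badPwdCount, lastLogoff, lastLogon and logonCount, an added example (Python; not from the original page or from Microsoft) that converts the 100-nanosecond large integers to UTC datetimes, splits and rejoins the FILETIME high and low parts, and merges per-DC readings with the rule the text gives: largest value for times, sum for counts. The DC names and attribute values are constructed.

```python
"""Decode the 100-nanosecond LARGE_INTEGER timestamps used by lastLogon,
lastLogoff and badPasswordTime, and combine the non-replicated per-DC
readings the way the text prescribes: largest value for timestamps, sum for
badPwdCount and logonCount.

Added example for this page, not Microsoft code. The DC names and attribute
values below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Ticks (100 ns) between 1601-01-01 and 1970-01-01: 11644473600 s * 10**7.
EPOCH_DIFF_100NS = 116444736000000000
MAX_POSITIVE_INT64 = 0x7FFFFFFFFFFFFFFF   # accountExpires uses this for "never"

TIMESTAMP_ATTRS = ("lastLogon", "lastLogoff", "badPasswordTime")   # take the max
COUNTER_ATTRS = ("badPwdCount", "logonCount")                       # take the sum


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert 100-ns intervals since 1601-01-01 UTC to an aware datetime.

    0 means "unknown/never set" for these attributes and the largest positive
    int64 is the accountExpires "never expires" sentinel; both return None.
    """
    if ticks <= 0 or ticks >= MAX_POSITIVE_INT64:
        return None
    seconds, rem = divmod(ticks - EPOCH_DIFF_100NS, 10**7)   # integer math, no float drift
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=seconds, microseconds=rem // 10)


def filetime_split(ticks: int) -> Tuple[int, int]:
    """(dwHighDateTime, dwLowDateTime) as IADsLargeInteger exposes them."""
    return (ticks >> 32) & 0xFFFFFFFF, ticks & 0xFFFFFFFF


def filetime_join(high: int, low: int) -> int:
    """Rebuild the 64-bit value; low is masked because COM hands it back as a signed LONG."""
    return (high << 32) | (low & 0xFFFFFFFF)


def aggregate_non_replicated(per_dc: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Combine per-DC readings: max for timestamps, sum for counters.

    per_dc maps a DC name to the raw attribute values read from it. A DC that
    could not be reached is simply absent, so the result is a lower bound and
    callers should record which DCs answered.
    """
    result: Dict[str, int] = {}
    for attr in TIMESTAMP_ATTRS:
        result[attr] = max((vals.get(attr, 0) for vals in per_dc.values()), default=0)
    for attr in COUNTER_ATTRS:
        result[attr] = sum(vals.get(attr, 0) for vals in per_dc.values())
    return result


# Constructed readings for one user from three hypothetical domain controllers.
SAMPLE_PER_DC: Dict[str, Dict[str, int]] = {
    "dc1.fabrikam.com": {"lastLogon": 132234336000000000, "badPasswordTime": 132234335000000000,
                         "badPwdCount": 2, "logonCount": 40},
    "dc2.fabrikam.com": {"lastLogon": 0, "badPasswordTime": 132234300000000000,
                         "badPwdCount": 1, "logonCount": 3},
    "dc3.fabrikam.com": {"lastLogon": 132234340000000000, "badPasswordTime": 0,
                         "badPwdCount": 0, "logonCount": 0},
}

if __name__ == "__main__":
    merged = aggregate_non_replicated(SAMPLE_PER_DC)
    for attr in TIMESTAMP_ATTRS:
        print(f"{attr:16} {merged[attr]:>20} {filetime_to_datetime(merged[attr])}")
    for attr in COUNTER_ATTRS:
        print(f"{attr:16} {merged[attr]:>20}")
```

The conversion deliberately stays in integers: a 64-bit tick count exceeds the 53-bit mantissa of a double, so passing these values through floating point silently loses the low digits. The zero reading from dc2 does not win the max, which is the behaviour the text wants: zero means "no information on this DC", not "logged on at the epoch".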
- lmPwdHistory
- The lmPwdHistory property is the password history of the
user in LAN Manager (LM) one-way format (OWF). The LM OWF is kept
for compatibility with LAN Manager 2.x clients, Windows 95,
and Windows 98. This property is used only by the operating
system. The OWF cannot be reversed to the plaintext password, but
the LM OWF is computed from the password uppercased and split into
two 7-character halves, so in practice it is recovered by exhaustive
search; where no such clients remain, disable LM hash storage.
- logonCount
- Non-replicated. The logonCount property counts the
number of times the user has successfully logged on to this
account. This property is maintained separately on each domain
controller in the domain. A value of 0 indicates that the value is
unknown. To get an accurate value for the user's total number of
successful logons in the domain, each domain controller in the
domain must be queried and the sum of the values should be used.
- mail
- The mail property is a single-valued property that
contains the SMTP address for the user, for example,
jeff@Fabrikam.com.
- maxStorage
- The maxStorage property specifies the maximum amount of
hard-disk drive space that the user can use. Use the
USER_MAXSTORAGE_UNLIMITED value to use all available disk space.
This value is defined in Lmaccess.h.
- memberOf
- The memberOf property is a multi-valued property that
contains the groups of which the user is a direct member. Its
contents depend on the domain controller (DC) from which the
property is retrieved:
- At a DC for the domain that contains the user,
memberOf for the user is complete with respect to membership
in groups of that domain; however, memberOf does not
contain the user's membership in domain local and global groups in
other domains.
- At a global catalog (GC) server, memberOf for the user is
complete with respect to all universal group memberships.
If both conditions are true for the DC, both sets of data are
contained in memberOf.
Be aware that this property lists only the groups that name the
user in their member property; it does not contain the transitive
list of nesting parents. For example, if user O is a member of
group C and of group B, and group B is nested in group A, the
memberOf property of user O lists group C and group B,
but not group A. Code that makes an authorization decision from
memberOf alone therefore misses nested membership and the primary
group (see primaryGroupID).
This property is not stored; it is a computed back-link
attribute.
- ntPwdHistory
- The ntPwdHistory property is the password history of the
user in Windows NT (NT) one-way format (OWF). Windows 2000
uses the NT OWF. This property is used only by the operating
system. The plaintext password cannot be derived from the OWF, but
the NT OWF is an unsalted hash of the password, so a hash taken from
this attribute is usable as a credential wherever the password it
represents is still valid; protect the history like the current
password.
- otherMailbox
- The otherMailbox property is a multi-valued property
that contains additional mail addresses in the form type:address,
for example, CCMAIL: JeffSmith.
- PasswordExpirationDate
- The password expiration date is not a property on the user
object. It is a calculated value: pwdLastSet for the user plus the
maxPwdAge of the user's domain. To get the password expiration
date, call the IADsUser::get_PasswordExpirationDate method. You
cannot modify this value for a user; instead, call the
IADsDomain::put_MaxPasswordAge method to change the setting for the
domain.
- primaryGroupID
- The primaryGroupID property is a single-valued property
that contains the primaryGroupToken of the group that is the
primary group of the object. The primary group of the object is not
included in the memberOf property. For example, by default,
the primary group of a user object is the primaryGroupToken
of the Domain Users group, but the Domain Users group is not part
of the user object's memberOf property.
- profilePath
- The profilePath property specifies a path to the user's
profile. This value can be a null string, a local absolute path, or
a UNC path.
- pwdLastSet
- The pwdLastSet property specifies when the user last set
the password. This value is stored as a large integer that
represents the number of 100-nanosecond intervals since January 1,
1601 (UTC), in the same FILETIME form as lastLogon.
The system uses the value of this property and the
maxPwdAge property of the domain that contains the user
object to calculate the password expiration date: pwdLastSet for
the user plus the maximum password age of the user's domain.
maxPwdAge is stored as a negative interval in the same
100-nanosecond units, so in raw form the expiration date is
pwdLastSet minus maxPwdAge.
This property also controls whether the user must change the
password at the next logon. If pwdLastSet is zero, the default for
a new account, the user must change the password at next logon.
Writing the value -1 clears that requirement: the system replaces -1
with the current time, so the value read back is a timestamp, not
-1. Only 0 and -1 may be written; the attribute cannot be set to an
arbitrary time.
- sAMAccountType
- The sAMAccountType property specifies an integer that
represents the account type. This is set by the operating system
when the object is created.
- scriptPath
- The scriptPath property specifies the path of the user's
logon script, .cmd, .exe, or .bat file. The string can be
null.
- unicodePwd
- The unicodePwd property is the user password.
To set the user password, use the IADsUser::ChangePassword
method if your script or application enables the user to change
his or her own password, or the IADsUser::SetPassword
method if your script or application allows an administrator
to reset a password.
The directory stores the password in Windows NT (NT) one-way
format (OWF); Windows 2000 uses the NT OWF. The attribute is used
only by the operating system: it cannot be read through LDAP, and
it can be written only over an encrypted connection. The plaintext
password cannot be derived from the OWF form of the password.
- userAccountControl
- The userAccountControl property specifies flags that
control password, lockout, disable/enable, script, and home
directory behavior for the user. This property also contains a flag
that indicates the account type of the object. A user object
usually has the UF_NORMAL_ACCOUNT flag set.
The following flags are defined in Lmaccess.h; the values are the
bit positions from that header.
Flag | Value | Description
UF_SCRIPT | 0x0001 | The logon script is executed. This value must be set for LAN Manager 2.0 or Windows NT.
UF_ACCOUNTDISABLE | 0x0002 | The user account is disabled.
UF_HOMEDIR_REQUIRED | 0x0008 | The home directory is required. This value is ignored in Windows NT and Windows 2000.
UF_PASSWD_NOTREQD | 0x0020 | No password is required. An account with this flag may have an empty password regardless of the domain's minimum password length; audit for it.
UF_PASSWD_CANT_CHANGE | 0x0040 | The user cannot change the password. In Active Directory this is enforced by access control entries that deny the user the Change Password right on the object, not by the stored bit, so writing this bit directly to userAccountControl has no effect.
UF_LOCKOUT | 0x0010 | The account is currently locked out. This value can be cleared to unlock a previously locked account; it cannot be set to lock an account. In Active Directory the lockout state is held in lockoutTime and is not present in the stored userAccountControl value, so test it through IADsUser::IsAccountLocked rather than by reading the raw attribute.
UF_DONT_EXPIRE_PASSWD | 0x10000 | The password never expires; the domain's maxPwdAge is not applied to the account.
The following flags describe the account type. Only one value
can be set. You cannot change the account type.
Flag | Value | Description
UF_NORMAL_ACCOUNT | 0x0200 | This is the default account type, representing a typical user.
UF_TEMP_DUPLICATE_ACCOUNT | 0x0100 | This is an account for users whose primary account is in another domain. This account provides the user access to this domain, but not to any domain that trusts this domain. User Manager refers to this account type as a local user account.
UF_WORKSTATION_TRUST_ACCOUNT | 0x1000 | This is a computer account for a Windows NT Workstation/Windows 2000 Professional or Windows NT Server/Windows 2000 Server computer that is a member of this domain.
UF_SERVER_TRUST_ACCOUNT | 0x2000 | This is a computer account for a Windows NT Backup Domain Controller that is a member of this domain.
UF_INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | This is a permit-to-trust account for a Windows NT domain that trusts other domains.
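Putting the pwdLastSet, PasswordExpirationDate and userAccountControl descriptions together, an added example (Python; not from the original page or from Microsoft) that decodes the UF_* bits, checks that exactly one account-type flag is set, and computes the expiration date as pwdLastSet plus the domain's maxPwdAge while honoring UF_DONT_EXPIRE_PASSWD, a zero pwdLastSet and a disabled account. The flag values are the Lmaccess.h constants; the domain policy, accounts and "as of" time are constructed.

```python
"""Decode userAccountControl and compute the password expiration date the
text defines (pwdLastSet plus the domain's maxPwdAge), honoring the flags
that change the answer.

Added example for this page, not Microsoft code. The UF_* values are the
Lmaccess.h constants; the sample accounts and domain policy are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UF_FLAGS: Dict[str, int] = {
    "UF_SCRIPT": 0x0001,
    "UF_ACCOUNTDISABLE": 0x0002,
    "UF_HOMEDIR_REQUIRED": 0x0008,
    "UF_LOCKOUT": 0x0010,
    "UF_PASSWD_NOTREQD": 0x0020,
    "UF_PASSWD_CANT_CHANGE": 0x0040,
    "UF_TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "UF_NORMAL_ACCOUNT": 0x0200,
    "UF_INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "UF_SERVER_TRUST_ACCOUNT": 0x2000,
    "UF_DONT_EXPIRE_PASSWD": 0x10000,
}
_ACCOUNT_TYPE_MASK = 0x0100 | 0x0200 | 0x0800 | 0x1000 | 0x2000

# FILETIME epoch (1601-01-01) to Unix epoch (1970-01-01) in 100-ns ticks.
_EPOCH_DIFF_100NS = 116444736000000000
# maxPwdAge values meaning "passwords never expire": 0 or the most negative int64.
_MAXPWDAGE_NEVER = (0, -0x8000000000000000)


def decode_uac(uac: int) -> List[str]:
    """Names of the set flags, in Lmaccess.h bit order."""
    return [name for name, bit in UF_FLAGS.items() if uac & bit]


def account_type(uac: int) -> str:
    """The text says exactly one account-type flag is set; reject anything else."""
    bits = uac & _ACCOUNT_TYPE_MASK
    if bits == 0 or bits & (bits - 1):
        raise ValueError(f"userAccountControl {uac:#x}: expected exactly one account-type flag")
    return next(name for name, bit in UF_FLAGS.items() if bit == bits)


def filetime_to_datetime(ticks: int) -> datetime:
    """100-ns intervals since 1601-01-01 UTC -> aware datetime (integer math only)."""
    seconds, rem = divmod(ticks - _EPOCH_DIFF_100NS, 10**7)
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=seconds, microseconds=rem // 10)


def password_expiration(pwd_last_set: int, max_pwd_age: int, uac: int) -> Optional[datetime]:
    """Expiry instant, or None when the password never expires.

    maxPwdAge is stored as a negative 100-ns interval, so "pwdLastSet plus the
    maximum age" is pwd_last_set - max_pwd_age in raw form. A pwdLastSet of 0
    means "must change at next logon" and has no expiry date.
    """
    if uac & UF_FLAGS["UF_DONT_EXPIRE_PASSWD"] or max_pwd_age in _MAXPWDAGE_NEVER:
        return None
    if pwd_last_set == 0:
        raise ValueError("pwdLastSet is 0: the password must be changed at next logon")
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def password_status(pwd_last_set: int, max_pwd_age: int, uac: int,
                    now: Optional[datetime] = None) -> str:
    """Summarise an account's password state as one token for reporting."""
    now = now or datetime.now(timezone.utc)
    if uac & UF_FLAGS["UF_ACCOUNTDISABLE"]:
        return "disabled"
    if pwd_last_set == 0:
        return "must-change"
    expiry = password_expiration(pwd_last_set, max_pwd_age, uac)
    if expiry is None:
        return "never-expires"
    return "expired" if expiry <= now else "valid"


# Constructed domain policy: maxPwdAge of 42 days, stored negative.
SAMPLE_MAX_PWD_AGE = -42 * 24 * 3600 * 10**7
# Constructed report time.
SAMPLE_AS_OF = datetime(2020, 3, 1, tzinfo=timezone.utc)
# Constructed accounts: (name, pwdLastSet, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("jsmith",     132234336000000000, 0x0200),            # normal user, password set 2020-01-14
    ("svc-backup", 132234336000000000, 0x0200 | 0x10000),  # password never expires
    ("newhire",    0,                  0x0200),            # must change at next logon
    ("contractor", 132234336000000000, 0x0200 | 0x0002),   # disabled
]

if __name__ == "__main__":
    for name, pls, uac in SAMPLE_ACCOUNTS:
        status = password_status(pls, SAMPLE_MAX_PWD_AGE, uac, SAMPLE_AS_OF)
        print(f"{name:12} {account_type(uac):28} {status:14} {decode_uac(uac)}")
```

With a 42-day maximum age, the password jsmith set on 2020-01-14 expires on 2020-02-25 and is reported expired as of 2020-03-01; svc-backup carries UF_DONT_EXPIRE_PASSWD and never reaches that path. The status function checks UF_ACCOUNTDISABLE before anything else because a disabled account's password date is irrelevant to whether it can be used.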
- userCertificate (X509-Cert)
- The userCertificate property is a multi-valued property
that contains the DER-encoded X.509v3 certificates issued to the
user. Be aware that this property holds the public key
certificates issued to this user by Microsoft Certificate
Services; it never contains private keys, and it is distinct from
the altSecurityIdentities mappings used for authentication.
- userSharedFolder
- The userSharedFolder property specifies a UNC path to
the user's shared documents folder. The path must be a network UNC
path of the form \\server\share\directory. This value can be a null
string.
- userWorkstations
- The userWorkstations property is a single-valued
property that contains the NetBIOS names of the computers running
Windows NT Workstation/Windows 2000 Professional from which the
user can log on. The names are separated by commas. The
NetBIOS name of a computer is the sAMAccountName property of
the computer object, without the trailing dollar sign.
If no value is set, there is no restriction. To disable logons
from all computers running Windows NT Workstation/Windows 2000
Professional to this account, set the UF_ACCOUNTDISABLE value in the
userAccountControl property. UF_ACCOUNTDISABLE is defined in
Lmaccess.h.