How does the userAccountControl property work in AD?

Let's say I want to create a new user account and set it to enabled (it's disabled by default), and also set the 'password never expires' option to true. I can do something like this and it works:

//newUser is a DirectoryEntry object
newUser.Properties["userAccountControl"].Value = 0x200; // normal account
newUser.Properties["userAccountControl"].Value = 0x10000; //password never expires

Normally, I would think the second line would wipe the first one out, but it doesn't. How does that work? Can I combine them in one line? How would I then take away that value if I wanted to have their password expire? My knowledge with AD and LDAP is minimal, so any input would be helpful.

Thanks!

A: 

(Almost) Everything In Active Directory via C#

How to set a flag:

int val = (int)newUser.Properties["userAccountControl"].Value; 
newUser.Properties["userAccountControl"].Value = val | 0x10000; //password never expires
newUser.CommitChanges();
Fry
A: 

You would combine the flags, so 0x200 + 0x10000, which would be 0x10200. See this article for more information: http://support.microsoft.com/kb/305144.

Michael Morton
+1  A: 

Actually, setting the second value will indeed wipe out the first; the point is, though, the first is really a bit "unnecessary".

And of course you can combine them (and multiple ones, really) into a single value and set it with a single assignment:

const int UF_ACCOUNTDISABLE = 0x0002;
const int UF_PASSWD_NOTREQD = 0x0020;
const int UF_PASSWD_CANT_CHANGE = 0x0040;
const int UF_NORMAL_ACCOUNT = 0x0200;
const int UF_DONT_EXPIRE_PASSWD = 0x10000;
const int UF_SMARTCARD_REQUIRED = 0x40000;
const int UF_PASSWORD_EXPIRED = 0x800000;

int userControlFlags = UF_PASSWD_NOTREQD + UF_NORMAL_ACCOUNT + UF_DONT_EXPIRE_PASSWD;

newUser.Properties["userAccountControl"].Value = userControlFlags;

Marc

marc_s
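
The set, clear and test operations the question asks about, as an added example that is not from any of the answers above. It uses the flag values listed on this page; the `Uac` enum and the `Set`/`Clear`/`Has` helper names are assumptions made for illustration, and it works on plain integers so it runs without a directory connection.

```csharp
using System;

// Added example. Flag values are the ones listed on this page;
// the enum and helper names are hypothetical.
[Flags]
enum Uac
{
    AccountDisable    = 0x0002,
    PasswdNotReqd     = 0x0020,
    PasswdCantChange  = 0x0040,
    NormalAccount     = 0x0200,
    DontExpirePasswd  = 0x10000,
    SmartcardRequired = 0x40000,
    PasswordExpired   = 0x800000
}

static class UacDemo
{
    // OR sets a bit and is idempotent: setting it twice changes nothing.
    static int Set(int uac, Uac flag) => uac | (int)flag;

    // AND with the complement clears one bit and leaves the others intact.
    static int Clear(int uac, Uac flag) => uac & ~(int)flag;

    static bool Has(int uac, Uac flag) => (uac & (int)flag) != 0;

    static void Main()
    {
        int uac = (int)Uac.NormalAccount;          // enabled normal account
        uac = Set(uac, Uac.DontExpirePasswd);      // password never expires
        Console.WriteLine($"0x{uac:X} = {(Uac)uac}");

        // '+' only equals '|' while the bit is not already set. Adding a flag
        // that is already present carries into the next bit: 0x10000 is
        // cleared and 0x20000 is set instead.
        int added = uac + (int)Uac.DontExpirePasswd;
        int ored  = Set(uac, Uac.DontExpirePasswd);
        Console.WriteLine($"'+' on a set flag: 0x{added:X}, '|' on a set flag: 0x{ored:X}");

        uac = Clear(uac, Uac.DontExpirePasswd);    // password expires again
        Console.WriteLine($"after clear: 0x{uac:X}, " +
                          $"never expires = {Has(uac, Uac.DontExpirePasswd)}, " +
                          $"disabled = {Has(uac, Uac.AccountDisable)}");

        // Against a directory: read the current userAccountControl value,
        // apply Set/Clear to it, assign the result back, then call
        // CommitChanges() as in the first answer.
    }
}
```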