When you open the properties for a user account, click the Account tab, and then either select or clear the check boxes in the Account options dialog box, numerical values are assigned to the UserAccountControl attribute. The value that is assigned to the attribute tells Windows which options have been enabled.

To view user accounts, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.

The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).

Note
You can directly edit Active Directory in both Ldp.exe and Adsiedit.msc. Only experienced administrators should use these tools to edit Active Directory. Both tools are available after you install the Support tools from your original Windows installation media.

Property flag | Value in hexadecimal | Value in decimal |
SCRIPT | 0x0001 | 1 |
ACCOUNTDISABLE | 0x0002 | 2 |
HOMEDIR_REQUIRED | 0x0008 | 8 |
LOCKOUT | 0x0010 | 16 |
PASSWD_NOTREQD | 0x0020 | 32 |
PASSWD_CANT_CHANGE | 0x0040 | 64 |
ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 |
TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 |
NORMAL_ACCOUNT | 0x0200 | 512 |
INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 |
WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 |
SERVER_TRUST_ACCOUNT | 0x2000 | 8192 |
DONT_EXPIRE_PASSWORD | 0x10000 | 65536 |
MNS_LOGON_ACCOUNT | 0x20000 | 131072 |
SMARTCARD_REQUIRED | 0x40000 | 262144 |
TRUSTED_FOR_DELEGATION | 0x80000 | 524288 |
NOT_DELEGATED | 0x100000 | 1048576 |
USE_DES_KEY_ONLY | 0x200000 | 2097152 |
DONT_REQ_PREAUTH | 0x400000 | 4194304 |
PASSWORD_EXPIRED | 0x800000 | 8388608 |
TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 |

Note (PASSWD_CANT_CHANGE)
You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the "Property flag descriptions" section.

Note
In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information about this new attribute, visit the following Web site:

Property flag descriptions
- SCRIPT - The logon script will be run.
- ACCOUNTDISABLE - The user account is disabled.
- HOMEDIR_REQUIRED - The home folder is required.
- PASSWD_NOTREQD - No password is required.
- PASSWD_CANT_CHANGE - The user cannot change the password. This is a permission on the user's object. For information about how to programmatically set this permission, visit the following Web site: http://msdn2.microsoft.com/en-us/library/aa746398.aspx
- ENCRYPTED_TEXT_PASSWORD_ALLOWED - The user can send an encrypted password.
- TEMP_DUPLICATE_ACCOUNT - This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
- NORMAL_ACCOUNT - This is a default account type that represents a typical user.
- INTERDOMAIN_TRUST_ACCOUNT - This is a permit to trust an account for a system domain that trusts other domains.
- WORKSTATION_TRUST_ACCOUNT - This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
- SERVER_TRUST_ACCOUNT - This is a computer account for a domain controller that is a member of this domain.
- DONT_EXPIRE_PASSWD - The password on the account should never expire.
- MNS_LOGON_ACCOUNT - This is an MNS logon account.
- SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card.
- TRUSTED_FOR_DELEGATION - When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
- NOT_DELEGATED - When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
- USE_DES_KEY_ONLY - (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
- DONT_REQUIRE_PREAUTH - (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.
- PASSWORD_EXPIRED - (Windows 2000/Windows Server 2003) The user's password has expired.
- TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts with this option enabled should be tightly controlled. This setting allows a service that runs under the account to assume a client's identity and authenticate as that user to other remote servers on the network.
UserAccountControl values
These are the default UserAccountControl values for certain objects:
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)
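
An added example (not part of the original article): a Python decoder for the cumulative flag values in the table above, accepting either the hexadecimal form that Ldp.exe shows or the decimal form that Adsiedit.msc shows, followed by a small audit over constructed sample accounts. The names `decode_uac`, `audit`, `REVIEW` and `SAMPLE`, the choice of which flags to surface for review, and the sample accounts are assumptions of this example.

```python
# Flag values copied from the table on this page.
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Assumption: the set of flags worth surfacing in a review is this example's choice.
REVIEW = {"PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "DONT_EXPIRE_PASSWORD",
          "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
          "TRUSTED_TO_AUTH_FOR_DELEGATION"}

def decode_uac(value):
    """Decode an int, a hex string ('0x0202') or a decimal string ('514')."""
    n = int(value, 0) if isinstance(value, str) else int(value)
    names = [name for bit, name in UAC_FLAGS.items() if n & bit]
    unknown = n & ~sum(UAC_FLAGS)  # bits that the table does not define
    return names, unknown

def audit(accounts):
    """Return {account: [flags to review]}, skipping disabled accounts."""
    findings = {}
    for name, uac in accounts.items():
        flags, _ = decode_uac(uac)
        risky = [f for f in flags if f in REVIEW]
        if risky and "ACCOUNTDISABLE" not in flags:
            findings[name] = risky
    return findings

# Constructed sample data, not taken from a real directory.
SAMPLE = {
    "svc-web": "0x1010200",      # hex, as Ldp.exe would show it
    "old-app": 4194816,          # decimal, as Adsiedit.msc would show it
    "alice": "512",
    "bob-disabled": "0x10202",
}

if __name__ == "__main__":
    for account, flags in audit(SAMPLE).items():
        print(account, flags)
```
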