Monday, April 27, 2020

AD user account status

userAccountControl codes and the AD account properties they map to.

The attribute value is the sum of the individual flag codes (each flag is a single bit, so adding distinct codes is the same as a bitwise OR).

References:
http://medgarnet.blogspot.com/2010/05/ad-useraccountcontrol-values.html
https://support.microsoft.com/en-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
http://ananthdeodhar.com/php-active-directory-integration-get-useraccountcontrol-attributes/

Common combined values:

512 - Enabled account (NORMAL_ACCOUNT)
514 - Disabled account (512 + 2)
544 - Account enabled, require user to change password at first logon (512 + 32)
4096 - Workstation/server (WORKSTATION_TRUST_ACCOUNT)
66048 - Enabled, password never expires (512 + 65536)
66050 - Disabled, password never expires (512 + 2 + 65536)
66080 - Enabled, DONT_EXPIRE_PASSWORD + PASSWD_NOTREQD (512 + 65536 + 32)
262656 - Smart card logon required (512 + 262144)
532480 - Domain controller (8192 + 524288)


1 - script
2 - accountdisable
8 - homedir_required
16 - lockout
32 - password_not_reqd
64 - password_cant_change
128 - encrypted_text_pwd_allowed
256 - temp_duplicate_account
512 - normal_account
2048 - interdomain_trust_account
4096 - workstation_trust_account
8192 - server_trust_account
65536 - dont_expire_password
131072 - mns_logon_account
262144 - smartcard_required
524288 - trusted_for_delegation
1048576 - not_delegated
2097152 - use_des_key_only
4194304 - dont_req_preauth
8388608 - password_expired
16777216 - trusted_to_auth_for_delegation

Property flag                     Value in hex   Value in decimal
SCRIPT                            0x0001         1
ACCOUNTDISABLE                    0x0002         2
HOMEDIR_REQUIRED                  0x0008         8
LOCKOUT                           0x0010         16
PASSWD_NOTREQD                    0x0020         32
PASSWD_CANT_CHANGE                0x0040         64        (see note below)
ENCRYPTED_TEXT_PWD_ALLOWED        0x0080         128
TEMP_DUPLICATE_ACCOUNT            0x0100         256
NORMAL_ACCOUNT                    0x0200         512
INTERDOMAIN_TRUST_ACCOUNT         0x0800         2048
WORKSTATION_TRUST_ACCOUNT         0x1000         4096
SERVER_TRUST_ACCOUNT              0x2000         8192
DONT_EXPIRE_PASSWORD              0x10000        65536
MNS_LOGON_ACCOUNT                 0x20000        131072
SMARTCARD_REQUIRED                0x40000        262144
TRUSTED_FOR_DELEGATION            0x80000        524288
NOT_DELEGATED                     0x100000       1048576
USE_DES_KEY_ONLY                  0x200000       2097152
DONT_REQ_PREAUTH                  0x400000       4194304
PASSWORD_EXPIRED                  0x800000       8388608
TRUSTED_TO_AUTH_FOR_DELEGATION    0x1000000      16777216
PARTIAL_SECRETS_ACCOUNT           0x04000000     67108864

Note: PASSWD_CANT_CHANGE cannot be assigned by directly modifying the userAccountControl attribute. For information about how to set the permission programmatically, see the "Property flag descriptions" section of the Microsoft article referenced above.
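Applying the rule above (the attribute is a bit field and the stored value is the sum of the flag codes), here is an added Python example, not code from the original post, that decodes a userAccountControl value into flag names, re-encodes a list of names, and reports settings an account audit would want reviewed. The flag bits are the documented values from the table above; REVIEW_FLAGS and the SAMPLE_ACCOUNTS list are assumptions made for this illustration.

```python
"""Decode and audit Active Directory userAccountControl values.

Added example (not from the original post). The flag bits are the documented
userAccountControl values; REVIEW_FLAGS and SAMPLE_ACCOUNTS are assumptions
made for this illustration.
"""

# Bit -> flag name, as documented for userAccountControl.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
UAC_BITS = {name: bit for bit, name in UAC_FLAGS.items()}

# Flags that weaken password or Kerberos protections on a user account.
# Which of these matter is a policy choice; this set is an assumption.
REVIEW_FLAGS = {
    "PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "ENCRYPTED_TEXT_PWD_ALLOWED",
    "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH", "TRUSTED_FOR_DELEGATION",
}


def decode_uac(value):
    """Return the flag names set in value, lowest bit first.

    Bits that have no documented name are reported as UNKNOWN_0x<bit> after
    the known flags, so an unexpected value is never silently dropped.
    """
    names = [UAC_FLAGS[bit] for bit in sorted(UAC_FLAGS) if value & bit]
    remaining = value
    for bit in UAC_FLAGS:
        remaining &= ~bit
    bit = 1
    while remaining:
        if remaining & bit:
            names.append("UNKNOWN_0x%X" % bit)
            remaining &= ~bit
        bit <<= 1
    return names


def encode_uac(names):
    """Combine flag names into the integer stored in userAccountControl.

    The value is the sum of the codes, which for distinct bits is the same as
    a bitwise OR (a flag listed twice is counted once).
    """
    value = 0
    for name in names:
        value |= UAC_BITS[name]  # KeyError on a misspelled flag name
    return value


def is_enabled(value):
    """An account is enabled unless the ACCOUNTDISABLE bit (2) is set."""
    return not value & UAC_BITS["ACCOUNTDISABLE"]


def audit_uac(value):
    """Summarise one value: its flags, enabled state and flags to review."""
    flags = decode_uac(value)
    return {
        "value": value,
        "flags": flags,
        "enabled": is_enabled(value),
        "review": sorted(f for f in flags if f in REVIEW_FLAGS),
    }


def audit_accounts(accounts):
    """Return (sAMAccountName, report) for enabled user accounts that carry a
    flag from REVIEW_FLAGS. Trust accounts (workstations, servers, DCs) are
    skipped because delegation flags are expected on them."""
    findings = []
    for sam, value in accounts:
        report = audit_uac(value)
        if "NORMAL_ACCOUNT" not in report["flags"]:
            continue
        if report["enabled"] and report["review"]:
            findings.append((sam, report))
    return findings


# Constructed sample data, shaped like the output of
#   Get-ADUser -Filter * -Properties userAccountControl
SAMPLE_ACCOUNTS = [
    ("alice", 512),         # normal account, enabled
    ("bob", 514),           # normal account, disabled
    ("svc_legacy", 66080),  # enabled, password never expires, password not required
    ("dc01$", 532480),      # domain controller: server trust + trusted for delegation
]

if __name__ == "__main__":
    for sam, report in audit_accounts(SAMPLE_ACCOUNTS):
        print(sam, report["value"], ", ".join(report["flags"]), "->", report["review"])
```

Feed decode_uac the value returned by Get-ADUser -Properties userAccountControl. Bits without a documented name come back as UNKNOWN_0x… rather than being dropped, so a value that does not match the table is visible instead of being misread.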

----------------------------------------------------------------------------

Group memberships of a user, filtered to group names matching either pattern (the -like wildcards are case-insensitive):
PS C:\> Get-ADPrincipalGroupMembership -Identity username | Select-Object Name | Where-Object { $_.Name -like '*ad group*' -or $_.Name -like '*ADNAME*' } | Sort-Object Name

Wednesday, April 22, 2020

GC authentication, SQL Windows authentication for WildFly, and how to download a certificate from the command window.


LDAP access on port 3268 (or 3269 for LDAPS) to a local Global Catalog server allows searching the entire forest for users. Below is an example in PowerShell. First, if I query my local DC (dc1) on the normal LDAP port 389 with a search base in the dc2 domain, it returns no user information, just an error:

Get-AdUser -Server dc1.domain.com:389 -SearchBase 'DC=dc2,DC=domain,DC=com' -Filter {UserPrincipalName -like "dc2user@domain.com"}


Get-AdUser -Server dc1.domain.com:389 -SearchBase 'DC=dc2,DC=domain,DC=com' -Filter {SAMAccountName -like "dc2user"}



Get-AdUser : The supplied distinguishedName must belong to one of the following partition(s): 'CN=Configuration,DC=domain,DC=com , CN=Schema,CN=Configuration,DC=domin,DC=com, DC=dc2,DC=domain,DC=com
, DC=DomainDnsZones,DC=dc2,DC=domain,DC=com, DC=ForestDnsZones,DC=domain,DC=com'.
At line:1 char:1
+ Get-AdUser -Server dc1.domain.com -SearchBase 'DC=dc2,DC=domin,DC=com' -Fi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ArgumentException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADUser



However, if I use the Global Catalog port (3269, the LDAPS GC port, in the commands below), I can look up dc2 users (or indeed users anywhere in the forest):

Get-AdUser -Server dc1.domain.com:3269 -SearchBase 'DC=dc2,DC=domain,DC=com' -Filter {UserPrincipalName -like "dc2user@domain.com"}


Get-AdUser -Server dc1.domain.com:3269 -SearchBase 'DC=dc2,DC=domain,DC=com' -Filter {SAMAccountName -like "dc2user"}


A Global Catalog lets you look up information about any user in the forest without having to query every DC directly. If you are building an LDAP integration that must work for users from multiple domains, pointing it at local GCs is the quickest and most reliable approach, with no extra logic needed to locate the correct DC. One caveat: the GC holds only a partial attribute set for objects from other domains, so an attribute that is missing from a GC result has to be read from that domain's own DC.
-------------------------------------------------------------------------------------------------
SQL Server Windows (integrated) authentication from WildFly
1) Put mssql-jdbc_auth-8.2.2.x64.dll and sqljdbc_auth.dll in wildflyhome\bin (the auth DLL must match the JDBC driver version and the JVM bitness, x64 here).
2) In the datasource definition, enable integratedSecurity in the connection URL and leave the user name and password empty; the connection then authenticates as the Windows account the WildFly process runs under:
<connection-url>jdbc:sqlserver://myserverurl;databaseName=mydb;integratedSecurity=true</connection-url>
<security>
    <user-name></user-name>
    <password></password>
</security>
----------------------------------------------------------------------------------------------------
Two ways to view the certificate a GC presents on the LDAPS port from the command window:

keytool -printcert -sslserver ldapserver.domain.com:3269

openssl s_client -showcerts -connect ldapserver.domain.com:3269
s_client keeps the connection open waiting for input; cancel the window (or press Ctrl+C) once the output has been printed.
The Base64-encoded certificate is the text between the BEGIN CERTIFICATE and END CERTIFICATE lines; save that block, including both marker lines, as the certificate file.
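The manual step above (copy the Base64 text between the BEGIN and END lines) can be scripted. The following is an added Python example, not code from the original post, that parses the output of openssl s_client -showcerts, recovers each certificate in the chain leaf first, and computes a SHA-256 fingerprint to compare against keytool -printcert before the certificate is trusted. SAMPLE_OUTPUT, LEAF_DER and CA_DER are constructed placeholders, not real certificates, so only the parsing and fingerprint logic is meaningful.

```python
"""Pull the certificate chain out of `openssl s_client -showcerts` output.

Added example (not from the original post). SAMPLE_OUTPUT, LEAF_DER and CA_DER
are constructed stand-ins: the DER payloads are arbitrary bytes, not real
certificates, so the fingerprints only exercise the parsing logic.
"""
import base64
import hashlib
import re

# " 0 s:CN = ldapserver.domain.com"  ->  chain index and subject
CHAIN_SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")
# "   i:CN = Example Issuing CA"     ->  issuer of the certificate above
CHAIN_ISSUER = re.compile(r"^\s+i:(.*)$")
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def to_pem(der):
    """Encode DER bytes as a PEM block with the standard 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + lines + [END]) + "\n"


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, the form keytool -printcert shows."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_showcerts(text):
    """Return one dict per certificate, leaf first: subject, issuer, der, pem,
    fingerprint. Subject/issuer are empty if the block had no chain header."""
    certs, current, b64_lines = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        m = CHAIN_SUBJECT.match(line)
        if m:
            current = {"subject": m.group(1).strip(), "issuer": ""}
            continue
        m = CHAIN_ISSUER.match(line)
        if m and current is not None:
            current["issuer"] = m.group(1).strip()
            continue
        if stripped == BEGIN:
            b64_lines = []  # the Base64 string sits between BEGIN and END
            continue
        if stripped == END and b64_lines is not None:
            der = base64.b64decode("".join(b64_lines), validate=True)
            entry = current if current is not None else {"subject": "", "issuer": ""}
            entry.update(der=der, pem=to_pem(der), fingerprint=sha256_fingerprint(der))
            certs.append(entry)
            current, b64_lines = None, None
            continue
        if b64_lines is not None and stripped:
            b64_lines.append(stripped)
    return certs


# Constructed sample: the shape of s_client -showcerts output against a GC on
# port 3269, with placeholder payloads instead of real certificates.
LEAF_DER = b"constructed placeholder, not a real leaf certificate"
CA_DER = b"constructed placeholder, not a real issuing CA certificate"
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n"
    "---\n"
    "Certificate chain\n"
    " 0 s:CN = ldapserver.domain.com\n"
    "   i:CN = Example Issuing CA\n"
    + to_pem(LEAF_DER)
    + " 1 s:CN = Example Issuing CA\n"
    "   i:CN = Example Root CA\n"
    + to_pem(CA_DER)
    + "---\n"
    "Server certificate\n"
    "subject=CN = ldapserver.domain.com\n"
    "issuer=CN = Example Issuing CA\n"
    "---\n"
)

if __name__ == "__main__":
    for n, cert in enumerate(parse_showcerts(SAMPLE_OUTPUT)):
        print(n, cert["subject"], "issued by", cert["issuer"])
        print("   SHA256:", cert["fingerprint"])
        # cert["pem"] is the block you would write to a file for keytool
```

Capture the real output with openssl s_client -showcerts -connect ldapserver.domain.com:3269 < nul > gc.txt (redirecting stdin ends the session instead of waiting for input), pass the file contents to parse_showcerts, check the leaf fingerprint against keytool -printcert, and write cert["pem"] to a file for keytool -importcert. Chain order is preserved (leaf first), so you can choose whether to trust the server certificate or its issuing CA.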
----------------------------------------------------------------------------------------------------
nltest /dclist:domain.div.com    list the domain controllers (names) for the domain
nslookup domain.div.com          resolve the domain name to its DC IP addresses
nslookup                         interactive mode; query domain controller IPs
netstat -a -o                    list connections and listening ports with the owning process ID

dsa.msc                          open the Active Directory Users and Computers console
dsquery server                   list domain controllers
-----------------------------------------------------------------------------------------