Set-ADAccountControl

Modify the user account control (UAC) values for an AD account.

Syntax
      Set-ADAccountControl [-Identity] ADAccount
        [-AccountNotDelegated bool] [-AllowReversiblePasswordEncryption bool]
           [-AuthType {Negotiate | Basic}] [-CannotChangePassword bool]
              [-Credential PSCredential] [-DoesNotRequirePreAuth bool]
                 [-Enabled bool] [-HomedirRequired bool] [-MNSLogonAccount bool]
                    [-Partition String] [-PassThru] [-PasswordNeverExpires bool]
                       [-PasswordNotRequired bool] [-Server String]
                          [-TrustedForDelegation bool] [-TrustedToAuthForDelegation bool]
                             [-UseDESKeyOnly bool] [-Confirm] [-WhatIf] [CommonParameters]

Key
   -AccountNotDelegated bool
       Security delegation. When True, the security context of the user is not
       delegated to a service even when the service account is set as trusted for
       Kerberos delegation. Sets the AccountNotDelegated property for an AD account.
       This parameter also sets the ADS_UF_NOT_DELEGATED flag of the AD User Account
       Control (UAC) attribute.
       Values for this parameter: $false or 0, $true or 1

   -AllowReversiblePasswordEncryption bool
       Whether reversible password encryption is allowed for the account.
       This parameter sets the AllowReversiblePasswordEncryption property of the account.
       This also sets the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag of
       the AD User Account Control (UAC) attribute.
       Values for this parameter: $false or 0, $true or 1

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -CannotChangePassword bool
       Whether the account password can be changed.
       Sets the 'CannotChangePassword' property of an account.
       Values for this parameter: $false or 0, $true or 1

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user, unless the cmdlet is run from an AD PowerShell provider drive,
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -DoesNotRequirePreAuth bool
       Whether the user or computer account requires Kerberos pre-authentication to log on.
       This parameter sets the ADS_UF_DONT_REQUIRE_PREAUTH flag of the AD User Account Control (UAC) attribute.
       Possible values: $false (or 0), $true (or 1)

   -Enabled bool
       Whether the account is enabled. An enabled account requires a password.
       This parameter sets the Enabled property for an account object.
       This parameter also sets the ADS_UF_ACCOUNTDISABLE flag of the AD UAC attribute.
       Possible values: $false (or 0), $true (or 1)

   -HomedirRequired bool
       Whether a home directory is required for the account.
       This parameter sets the ADS_UF_HOMEDIR_REQUIRED flag of the AD UAC attribute.
       Possible values: $false (or 0), $true (or 1)

   -Identity ADAccount
       Specify an AD domain object by providing one of the following values.
       (The identifier in parentheses is the LDAP provider name for the attribute.)

          Distinguished Name 
            Example: DC=Helvetia,DC=corp,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: 599c4d2e-f72d-4d20-8a78-030d69495f20
          Security Identifier (objectSid) 
            Example: S-1-5-21-5165297888-301467370-576410423-1803
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: Helvetia

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

   -MNSLogonAccount bool
       Whether the account is a Majority Node Set (MNS) logon account.
       This parameter also sets the ADS_UF_MNS_LOGON_ACCOUNT flag of the AD User Account Control (UAC) attribute.
       Use MNS logon accounts to configure a multi-node cluster without a shared disk drive.
       Possible values: $false (or 0), $true (or 1)

   -Partition string
       The distinguished name of an AD partition.
       The distinguished name must be one of the naming contexts on the current
       directory server. The cmdlet searches this partition to find the object defined by
       the -Identity parameter. 
       The following two examples show how to specify a value for this parameter.
          -Partition "CN=Configuration,DC=Europe,DC=Test,DC=SS64,DC=com"
          -Partition "CN=Schema,CN=Configuration,DC=Europe,DC=Test,DC=SS64,DC=com"
          
       In many cases, a default value will be used for -Partition if no value is specified.

   -PassThru
       Return the new or modified object.
       By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

   -PasswordNeverExpires bool
       Specifies whether the password of an account can expire.
       This parameter cannot be set to True for an account that also has ChangePasswordAtLogon = True.

       This parameter sets the PasswordNeverExpires property of an account object.
       This parameter also sets the ADS_UF_DONT_EXPIRE_PASSWD flag of the AD User Account Control (UAC) attribute.
       Possible values: $false (or 0), $true (or 1)

   -Server string
       The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
       NetBIOS name, Fully qualified directory server name (with or without port number)
       or AD Snapshot instance.
       Examples: demo.SS64.com  demo  demoDC02.demo.ss64.com  demoDC02.demo.ss64.com:3268

   -TrustedForDelegation bool
       Specifies whether an account is trusted for Kerberos delegation.
       A service that runs under an account that is trusted for Kerberos delegation can
       assume the identity of a client requesting the service.
       This parameter sets the TrustedForDelegation property of an account object.
       This value also sets the ADS_UF_TRUSTED_FOR_DELEGATION flag of the AD UAC attribute.
       Possible values: $false (or 0), $true (or 1)

   -TrustedToAuthForDelegation bool
       Specifies whether an account is enabled for delegation.
       When this parameter is set to true, a service running under such an account can
       impersonate a client on other remote servers on the network.
       This parameter sets the ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flag of the AD UAC attribute.
       Possible values: $false (or 0), $true (or 1)

   -UseDESKeyOnly bool
       Specifies whether an account is restricted to use only Data Encryption Standard (DES)
       encryption types for keys.
       This parameter sets the ADS_UF_USE_DES_KEY_ONLY flag of the AD User Account Control attribute.
       Possible values: $false (or 0), $true (or 1)

   -Confirm
       Prompt for confirmation before executing the command.

   -WhatIf
       Describe what would happen if you executed the command, without actually executing the command.

Set-ADAccountControl modifies the user account control (UAC) values for an AD user or computer account.

The -Identity parameter specifies the AD account to modify. Identify an account by its distinguished name (DN), GUID, security identifier (SID) or security accounts manager (SAM) account name. Alternatively set the -Identity parameter to a user object variable, or pass a user object through the PowerShell pipeline, for example from the Search-ADAccount, Get-ADUser, Get-ADComputer or Get-ADServiceAccount cmdlets.

Examples

Sets the UAC flag on the user account User64 to make sure that a password is required for logon:

PS C:\> Set-ADAccountControl user64 -PasswordNotRequired $false

Sets the password of the user to never expire:

PS C:\> Set-ADAccountControl user64 -PasswordNeverExpires $true

Set the security descriptor of the user so they cannot change their own password:

PS C:\> Set-ADAccountControl 'CN=user64,OU=UserAccounts,DC=SS64,DC=com' -CannotChangePassword $true

Set the flag on userAccountControl so that the account cannot be delegated:

PS C:\> Set-ADAccountControl SQLAdmin1 -AccountNotDelegated $true

Set the flag on userAccountControl so that the account is trusted to authenticate for delegation:

PS C:\> Set-ADAccountControl 'CN=IIS01 SvcAccount,OU=ServiceAccounts,OU=Managed,DC=SS64,DC=com' -TrustedToAuthForDelegation $true

The specified computer is now set to be trusted for delegation:

PS C:\> Set-ADAccountControl -Identity "Server64" -TrustedForDelegation $true
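
The examples above set flags one at a time. As an added example (not SS64's own code), the script below first decodes the raw userAccountControl bitmask into the ADS_UF_* flag names used in the parameter descriptions, reports accounts that carry flags which weaken authentication (password not required, no Kerberos pre-authentication, DES-only keys, reversible password encryption, unconstrained delegation), and then clears them with the matching Set-ADAccountControl parameter. It assumes the ActiveDirectory module is loaded and that the caller has rights to read and modify the accounts; the bit values are those documented in Q305144 (linked below), and the search base 'OU=ServiceAccounts,DC=SS64,DC=com' is a constructed placeholder.

```powershell
# Added example, not part of the SS64 page or the ActiveDirectory module.
# Assumes the ActiveDirectory module and rights to read/modify the target accounts.
Import-Module ActiveDirectory

# Bit values of the ADS_UF_* flags named in the parameter descriptions (per Q305144).
$UacFlags = @{
    ADS_UF_ACCOUNTDISABLE                         = 0x0000002
    ADS_UF_HOMEDIR_REQUIRED                       = 0x0000008
    ADS_UF_PASSWD_NOTREQD                         = 0x0000020
    ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED        = 0x0000080
    ADS_UF_DONT_EXPIRE_PASSWD                     = 0x0010000
    ADS_UF_MNS_LOGON_ACCOUNT                      = 0x0020000
    ADS_UF_TRUSTED_FOR_DELEGATION                 = 0x0080000
    ADS_UF_NOT_DELEGATED                          = 0x0100000
    ADS_UF_USE_DES_KEY_ONLY                       = 0x0200000
    ADS_UF_DONT_REQUIRE_PREAUTH                   = 0x0400000
    ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000
}

# Flags that should normally be clear on ordinary user and service accounts,
# mapped to the Set-ADAccountControl parameter that clears each one.
$RiskyFlags = @{
    ADS_UF_PASSWD_NOTREQD                  = 'PasswordNotRequired'
    ADS_UF_DONT_REQUIRE_PREAUTH            = 'DoesNotRequirePreAuth'
    ADS_UF_USE_DES_KEY_ONLY                = 'UseDESKeyOnly'
    ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 'AllowReversiblePasswordEncryption'
    ADS_UF_TRUSTED_FOR_DELEGATION          = 'TrustedForDelegation'
}

function Get-UacFlagNames {
    # Decode an integer userAccountControl value into the names of the flags that are set.
    param([Parameter(Mandatory)][int]$Uac)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Uac -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key } |
        Sort-Object
}

function Find-RiskyUacAccounts {
    # Report every account under the search base that has at least one risky flag set.
    param([string]$SearchBase = 'OU=ServiceAccounts,DC=SS64,DC=com')  # constructed placeholder
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties userAccountControl |
        ForEach-Object {
            $set   = Get-UacFlagNames -Uac $_.userAccountControl
            $risky = @($set | Where-Object { $RiskyFlags.ContainsKey($_) })
            if ($risky.Count -gt 0) {
                [pscustomobject]@{
                    SamAccountName     = $_.SamAccountName
                    DistinguishedName  = $_.DistinguishedName
                    UserAccountControl = $_.userAccountControl
                    RiskyFlags         = ($risky -join ',')
                }
            }
        }
}

function Repair-RiskyUacAccount {
    # Clear each risky flag by splatting the matching parameter as $false into
    # Set-ADAccountControl, then re-read the account to verify the new flag set.
    # SupportsShouldProcess lets -WhatIf / -Confirm gate the change per account.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Finding)
    process {
        $params = @{ Identity = $Finding.DistinguishedName }
        foreach ($flag in ($Finding.RiskyFlags -split ',')) {
            $params[$RiskyFlags[$flag]] = $false
        }
        if ($PSCmdlet.ShouldProcess($Finding.SamAccountName, "clear $($Finding.RiskyFlags)")) {
            Set-ADAccountControl @params
            Get-ADUser -Identity $Finding.DistinguishedName -Properties userAccountControl |
                Select-Object SamAccountName,
                    @{ n = 'Flags'; e = { (Get-UacFlagNames $_.userAccountControl) -join ',' } }
        }
    }
}

# Usage: review the findings, dry-run the remediation, then apply it with confirmation.
# Find-RiskyUacAccounts | Format-Table -AutoSize
# Find-RiskyUacAccounts | Repair-RiskyUacAccount -WhatIf
# Find-RiskyUacAccounts | Repair-RiskyUacAccount -Confirm
```

Scope the search base deliberately: ADS_UF_TRUSTED_FOR_DELEGATION is expected on domain controller computer objects, so running the audit against the whole domain would flag them as well. Because the functions clear flags through Set-ADAccountControl rather than writing the integer attribute directly, every change is logged like any other UAC modification and can be reverted with the same parameters set back to $true.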

“I think the key is for women not to set any limits” ~ Martina Navratilova

Related PowerShell Cmdlets

Set-adAccountExpiration - Set the expiration date for an AD account.
Enable-adAccount - Enable an Active Directory account.
Reset-adServiceAccountPassword - Reset the service account password for a computer.
Q305144 - UserAccountControl flags - user account properties.


 
Copyright © 1999-2024 SS64.com
Some rights reserved