Changing the UserAccountControl attribute without having to delete the user's profile

Filip Jakub 0 Reputation points
2023-10-23T07:10:46.6466667+00:00

Good day,

we are solving a problem with the UserAccountControl attribute in the user settings in Active Directory.

The normal value of this attribute is 0x200 (512). But some legacy accounts of our organization have this value set to 0x220 (544), that is (PASSWD_NOTREQD | NORMAL_ACCOUNT).

If we change the attribute value 0x220 (544) to 0x200 (512), this change will no longer be reflected in the created user profile on the workstation (computer, laptop).

The change will only take effect if we delete the user profile and then create a new user profile. But this solution is undesirable. We do not want to delete user profiles, because each user profile has its own settings, for example for applications.

Is there a way to apply the attribute change to the created user profile without having to delete the user profile on the workstation?

Thank you

Jakub

Windows for business Windows Client for IT Pros Directory services Active Directory

3 answers

  1. Filip Jakub 0 Reputation points
    2023-10-23T12:38:08.68+00:00

    Hi, thank you for your answer. I mean Properties of Domain Users, Attribute Editor, Attribute userAccountControl.

    We are using operating system Windows 10 on desktops.


  2. Gary Reynolds 9,621 Reputation points
    2023-10-24T02:05:43.1766667+00:00

    Hi, I don't believe there is a correlation between the userAccountControl and the user profile on the workstation. Are you saying, if you remove the password not required flag from the user's account in AD, and if the user already has a profile on a workstation, they are still able to set a blank password on their AD account?


  3. Filip Jakub 0 Reputation points
    2023-10-24T11:29:56.3866667+00:00

    Hi Gary,

    I will try to describe my problem one more time and in more depth.

    We are trying to solve a problem with the attribute UserAccountControl. On this site you can see all values for the attribute UserAccountControl:

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

    We have two types of users in Active Directory:

    1) Users with attribute UserAccountControl = 0x220 (544) – this is the bad state

    2) Users with attribute UserAccountControl = 0x200 (512) – this is the good state

    What does this setting do?

    For example:

    Users with attribute UserAccountControl 0x220 (544) can run Task Manager without entering credentials. It is dangerous.

    Users with attribute UserAccountControl 0x200 (512) must enter credentials to run Task Manager.

    And we need to solve the following problem.

    I will describe the steps.

    1) A user with attribute UserAccountControl 0x220 (544) has a profile created on his workstation, Windows 10 Pro.

    2) I change the attribute UserAccountControl from 0x220 (544) to 0x200 (512). I restarted the workstation.

    3) This change does not take effect on the workstation where the user has a created user profile.

    Now the user has the attribute with value 0x200, but he still does not need to enter credentials.

    4) When the user tries to log in to another workstation, where he does not have a user profile, the change takes effect. The user must enter credentials.

    I need help with a solution to apply the change to the UserAccountControl attribute without having to delete the user profile on his workstation.
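
An added example, not part of any post in this thread: the PowerShell below decodes userAccountControl values such as the 0x220 and 0x200 discussed above and shows the value that results from clearing only the PASSWD_NOTREQD bit. The table `$UacBits`, the function `Get-UacReport` and the sample accounts are constructed for illustration; the commented lines at the end assume the ActiveDirectory module is installed.

```powershell
# Added example. $UacBits, Get-UacReport and the sample accounts are constructed for
# illustration; the bit values are the documented userAccountControl flags.
$UacBits = [ordered]@{
    ACCOUNTDISABLE       = 0x2
    LOCKOUT              = 0x10
    PASSWD_NOTREQD       = 0x20
    PASSWD_CANT_CHANGE   = 0x40
    NORMAL_ACCOUNT       = 0x200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000
    DONT_REQ_PREAUTH     = 0x400000
}

function Get-UacReport {
    param([Parameter(ValueFromPipeline)] $Account)
    process {
        $uac    = [int]$Account.userAccountControl
        # Names of every known flag whose bit is set in this value.
        $names  = $UacBits.GetEnumerator() | Where-Object { $uac -band $_.Value } | ForEach-Object { $_.Key }
        # Clear only bit 0x20; every other flag on the account is preserved.
        $target = $uac -band (-bnot $UacBits.PASSWD_NOTREQD)
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            Current        = '0x{0:X} ({0})' -f $uac
            Flags          = $names -join ' | '
            PasswdNotReqd  = [bool]($uac -band $UacBits.PASSWD_NOTREQD)
            Target         = '0x{0:X} ({0})' -f $target
        }
    }
}

# Constructed sample accounts (not real directory data).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'legacy.user'; userAccountControl = 544 }
    [pscustomobject]@{ SamAccountName = 'normal.user'; userAccountControl = 512 }
    [pscustomobject]@{ SamAccountName = 'svc.legacy';  userAccountControl = 66080 }
)
$sample | Get-UacReport | Format-Table -AutoSize

# Against a real domain, the LDAP bitwise-AND matching rule selects accounts with bit 0x20 set:
# Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=32)' -Properties userAccountControl | Get-UacReport
# Clearing the flag through the dedicated cmdlet instead of writing the raw number:
# Set-ADAccountControl -Identity 'legacy.user' -PasswordNotRequired $false
```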

