3.1.1.8.1 objectClass
If the objectClass attribute value is user or computer, or derived from either of these classes, all of the following constraints MUST be satisfied:
The objectSid attribute MUST be updated according to the supplemental trigger specified in section 3.1.1.9.2.
The following attributes MUST be updated with the associated values if no value is present in the database.

| Attribute | Value |
| --- | --- |
| badPwdCount | 0 |
| codePage | 0 |
| countryCode | 0 |
| badPasswordTime | 0 |
| lastLogoff | 0 |
| lastLogon | 0 |
| pwdLastSet | 0 |
| accountExpires | 0x7FFFFFFF FFFFFFFF (default value) |
| logonCount | 0 |

If the value of the userAccountControl attribute in the database contains a bit that is specified in the following table, the sAMAccountType attribute MUST be updated with the corresponding value.

| userAccountControl | sAMAccountType |
| --- | --- |
| UF_NORMAL_ACCOUNT | SAM_USER_OBJECT |
| UF_INTERDOMAIN_TRUST_ACCOUNT | SAM_TRUST_ACCOUNT |
| UF_WORKSTATION_TRUST_ACCOUNT | SAM_MACHINE_ACCOUNT |
| UF_SERVER_TRUST_ACCOUNT | SAM_MACHINE_ACCOUNT |

If the value of the userAccountControl attribute in the database contains a bit or bit combination that is specified in the following table, the primaryGroupId attribute MUST be updated with the corresponding value.

| userAccountControl | primaryGroupId |
| --- | --- |
| UF_NORMAL_ACCOUNT | DOMAIN_GROUP_RID_USERS |
| UF_INTERDOMAIN_TRUST_ACCOUNT | DOMAIN_GROUP_RID_USERS |
| UF_WORKSTATION_TRUST_ACCOUNT | DOMAIN_GROUP_RID_COMPUTERS |
| UF_SERVER_TRUST_ACCOUNT | DOMAIN_GROUP_RID_CONTROLLERS |
| UF_WORKSTATION_TRUST_ACCOUNT & UF_PARTIAL_SECRETS_ACCOUNT | DOMAIN_GROUP_RID_READONLY_CONTROLLERS |

If the value of the userAccountControl attribute in the database contains a bit that is specified in the following table, the userAccountControl attribute MUST be updated with the corresponding bit(s) using a bitwise OR.

| userAccountControl | userAccountControl bits to augment existing value |
| --- | --- |
| UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE, UF_PASSWD_NOTREQD |

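
The user/computer constraints above can be modeled as one function, shown here as an added example that is not part of the specification. The numeric values are the standard Windows definitions of these constants (this section names them but does not list them), the objectSid trigger from section 3.1.1.9.2 is not modeled, and `apply_user_triggers`, `audit`, and the sample records are hypothetical names and constructed data.

```python
# Added example. Numeric values are the standard Windows definitions of the
# constants, which this section names but does not list.
UF_ACCOUNTDISABLE, UF_PASSWD_NOTREQD, UF_NORMAL_ACCOUNT = 0x2, 0x20, 0x200
UF_INTERDOMAIN_TRUST_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT = 0x800, 0x1000
UF_SERVER_TRUST_ACCOUNT, UF_PARTIAL_SECRETS_ACCOUNT = 0x2000, 0x04000000
SAM_USER_OBJECT, SAM_MACHINE_ACCOUNT, SAM_TRUST_ACCOUNT = 0x30000000, 0x30000001, 0x30000002
RID_USERS, RID_COMPUTERS, RID_CONTROLLERS, RID_READONLY_CONTROLLERS = 513, 515, 516, 521

# Written only when the attribute has no value in the database.
DEFAULTS = {"badPwdCount": 0, "codePage": 0, "countryCode": 0, "badPasswordTime": 0,
            "lastLogoff": 0, "lastLogon": 0, "pwdLastSet": 0, "logonCount": 0,
            "accountExpires": 0x7FFFFFFFFFFFFFFF}

# (required bits, sAMAccountType, primaryGroupId). Assumption: the two-bit
# combination is tested first so it wins over the plain workstation bit.
RULES = [
    (UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT,
     SAM_MACHINE_ACCOUNT, RID_READONLY_CONTROLLERS),
    (UF_NORMAL_ACCOUNT, SAM_USER_OBJECT, RID_USERS),
    (UF_INTERDOMAIN_TRUST_ACCOUNT, SAM_TRUST_ACCOUNT, RID_USERS),
    (UF_WORKSTATION_TRUST_ACCOUNT, SAM_MACHINE_ACCOUNT, RID_COMPUTERS),
    (UF_SERVER_TRUST_ACCOUNT, SAM_MACHINE_ACCOUNT, RID_CONTROLLERS),
]

def apply_user_triggers(attrs):
    """Return a copy of attrs with the user/computer objectClass trigger applied."""
    out = {**DEFAULTS, **attrs}          # existing values override defaults
    uac = out.get("userAccountControl", 0)
    for bits, sam_type, rid in RULES:
        if (uac & bits) == bits:
            out["sAMAccountType"], out["primaryGroupId"] = sam_type, rid
            break
    if uac & UF_NORMAL_ACCOUNT:          # augment with a bitwise OR
        uac |= UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD
    out["userAccountControl"] = uac
    return out

def audit(record):
    """List derived attributes in a stored record that differ from the trigger's output."""
    want = apply_user_triggers({"userAccountControl": record["userAccountControl"]})
    return [k for k in ("sAMAccountType", "primaryGroupId") if record.get(k) != want.get(k)]

# Constructed sample records (not real directory data).
SAMPLES = [
    {"name": "ws01$", "userAccountControl": 0x1000, "sAMAccountType": 0x30000001, "primaryGroupId": 515},
    {"name": "ws02$", "userAccountControl": 0x1000, "sAMAccountType": 0x30000001, "primaryGroupId": 516},
]
if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["name"], audit(rec) or "consistent")
```

A primaryGroupId can be changed legitimately after creation, so a mismatch reported by `audit` on that attribute is an item to review rather than proof of an error.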
If the objectClass attribute value is group or is derived from this class, all of the following constraints MUST be satisfied:
The objectSid attribute MUST be updated according to the supplemental trigger specified in section 3.1.1.9.2.
The groupType attribute MUST be updated, if no value is present in the database, with the value GROUP_TYPE_SECURITY_ACCOUNT.
The sAMAccountType attribute MUST be updated with the value dictated by an exact match with the value in the groupType attribute.

| groupType | sAMAccountType |
| --- | --- |
| GROUP_TYPE_SECURITY_ACCOUNT | SAM_GROUP_OBJECT |
| GROUP_TYPE_ACCOUNT_GROUP | SAM_NON_SECURITY_GROUP_OBJECT |
| GROUP_TYPE_SECURITY_RESOURCE | SAM_ALIAS_OBJECT |
| GROUP_TYPE_RESOURCE_GROUP | SAM_NON_SECURITY_ALIAS_OBJECT |
| GROUP_TYPE_SECURITY_UNIVERSAL | SAM_GROUP_OBJECT |
| GROUP_TYPE_UNIVERSAL_GROUP | SAM_NON_SECURITY_GROUP_OBJECT |