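; This file contains a list of constants commonly used with the ADSI extender.
;
; Format: flat "key = value" pairs with full-line ";" comments and no [section]
; headers. Keep it that way: readers that require a section header (for example
; Python's configparser) reject the file as it stands, and readers that do not
; support inline comments would otherwise fold the comment text into the value,
; so every comment here sits on its own line above the key it describes.
; Each key is defined exactly once; where two constants intentionally share a
; value (USE_ENCRYPTION / USE_SSL, DOMAIN_LOCAL_GROUP / LOCAL_GROUP) that is
; stated in the comment.

; ---------------------------------------------------------------------------
; Meaning of bits in the userFlags property of a WinNT: user object and the
; userAccountControl property of an LDAP: user object.
; Operating System = Windows NT 4.0 / Windows 2000
; Namespace = WinNT, LDAP
; object class = user
; properties = userFlags (WinNT), userAccountControl (LDAP on Windows 2000)
; ---------------------------------------------------------------------------

; The following are used with both userFlags and userAccountControl.

; The logon script will be executed.
UF_SCRIPT = 1

; The user's account is disabled.
UF_ACCOUNTDISABLE = 2

; The home directory is required.
UF_HOMEDIR_REQUIRED = 8

; The account is currently locked out.
UF_LOCKOUT = 16

; No password is required. An account with this bit set may have an empty
; password, so it is worth reviewing wherever it is set.
UF_PASSWD_NOTREQD = 32

; The user cannot change the password. You can read this flag but you cannot
; set it directly.
UF_PASSWD_CANT_CHANGE = 64

; The password should never expire on the account.
UF_DONT_EXPIRE_PASSWD = 65536

; This is an account for users whose primary account is in another domain.
; This account provides user access to this domain, but not to any domain
; that trusts this domain. Sometimes it is referred to as a local user account.
UF_TEMP_DUPLICATE_ACCOUNT = 256

; This is a default account type that represents a typical user.
UF_NORMAL_ACCOUNT = 512

; This is a permit-to-trust account for a system domain that trusts other domains.
UF_INTERDOMAIN_TRUST_ACCOUNT = 2048

; This is a computer account that is a member of this domain.
UF_WORKSTATION_TRUST_ACCOUNT = 4096

; This is a computer account for a system backup domain controller that is a
; member of this domain.
UF_SERVER_TRUST_ACCOUNT = 8192

; The following are used with userFlags only (as stated by the original author;
; note that the UF_TRUSTED_FOR_DELEGATION text below refers to userAccountControl).

; The user can send an encrypted password. (Windows 2000 only)
UF_ENCRYPTED_PASSWORD_ALLOWED = 128

; This is an MNS logon account.
UF_MNS_LOGON_ACCOUNT = 131072

; When set, this flag will force the user to log on using a smart card.
; (Windows 2000 only)
UF_SMARTCARD_REQUIRED = 262144

; When set, the service account (user or computer account), under which a
; service runs, is trusted for Kerberos delegation. Any such service can
; impersonate a client requesting the service. To enable a service for
; Kerberos delegation, you must set this flag on the userAccountControl
; property of the service account. (Windows 2000 only)
; Grant this sparingly and audit the accounts that carry it: it allows the
; service to act as any client that authenticates to it.
UF_TRUSTED_FOR_DELEGATION = 524288

; When set, the security context of the user will not be delegated to a
; service even if the service account is set as trusted for Kerberos
; delegation. Appropriate for privileged accounts.
UF_NOT_DELEGATED = 1048576

; ---------------------------------------------------------------------------
; GUID used to prevent a user from changing their password.
; Operating System = Windows 2000
; Namespace = LDAP:
; Object class = user
; Property = ntSecurityDescriptor
; Security object = ACE
; Security Property = ObjectType
; ---------------------------------------------------------------------------

; The surrounding double quotes are part of the original definition. Readers
; that keep quotes literally will include them in the value; readers that
; strip one pair of quotes will not.
CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

; ---------------------------------------------------------------------------
; Constant used to indicate that a user has unlimited disk storage rights.
; Operating System = Windows NT 4.0 / Windows 2000
; Namespace = LDAP:
; object class = user
; properties = maxStorage
; ---------------------------------------------------------------------------

; Use all available disk space.
USER_MAXSTORAGE_UNLIMITED = -1

; ---------------------------------------------------------------------------
; Meaning of bits in the groupType property of an LDAP namespace's group object.
; Operating System = Windows 2000
; Namespace = LDAP
; object class = group
; properties = groupType
; ---------------------------------------------------------------------------

; Group that contains only accounts and other account groups from its own
; domain. This group may be exported to a different domain.
GLOBAL_GROUP = 2

; Group that can contain accounts and universal groups from any domains. It may
; not be included in either access-control lists of resources in other domains
; or groups other than global groups in the same domain.
DOMAIN_LOCAL_GROUP = 4

; This bit is for the WinNT provider as the DOMAIN_LOCAL_GROUP bit is for the
; LDAP provider (same value, 4).
LOCAL_GROUP = 4

; Group that can contain accounts and account groups from any domains, but not
; domain local groups.
UNIVERSAL_GROUP = 8

; If this bit is set, the group is a security group. If this bit is not set,
; the group is a distribution group.
SECURITY_ENABLED = 2147483648

; ---------------------------------------------------------------------------
; The following values are for security objects all accessed through the
; ntSecurityDescriptor property. Some can also be used with the
; NT-Security-Descriptor property of a mailbox object.
; ---------------------------------------------------------------------------

; Current revision values. The original file listed these two keys twice with
; identical values, once for the Security Descriptor's Revision property and
; once for the Access Control List's AclRevision property; they are defined
; here once and apply to both.
; Operating System = Windows 2000
; Namespace = LDAP
; Security object = Security Descriptor, Access Control List
; Property = Revision, AclRevision

ACL_REVISION = 2

; If the DACL (or ACL) contains an object-specific ACE you must use this.
ACL_REVISION_DS = 4

; ---------------------------------------------------------------------------
; Bit values associated with the Security Descriptor Control property.
; Operating System = Windows 2000
; Namespace = LDAP
; Security object = Security Descriptor
; Property = Control
; ---------------------------------------------------------------------------

; A default mechanism, rather than the original provider of the security
; descriptor, provided the security descriptor's owner security identifier (SID).
OWNER_DEFAULTED = 1

; A default mechanism, rather than the original provider of the security
; descriptor, provided the security descriptor's group SID.
GROUP_DEFAULTED = 2

; Indicates a security descriptor that has a DACL. If this flag is not set, or
; if this flag is set and the DACL is NULL, the security descriptor allows full
; access to everyone. When reviewing descriptors, treat a missing or NULL DACL
; as a finding rather than as "no restrictions configured yet".
DACL_PRESENT = 4

; Indicates a security descriptor with a default DACL. For example, if an
; object's creator does not specify a DACL, the object receives the default
; DACL from the creator's access token.
DACL_DEFAULTED = 8

; Indicates a security descriptor that has a SACL. This flag is used to hold
; the security information specified by a caller until the security descriptor
; is associated with a securable object.
SACL_PRESENT = 16

; A default mechanism, rather than the original provider of the security
; descriptor, provided the SACL.
SACL_DEFAULTED = 32

; The DACL of the security descriptor must be inherited.
DACL_AUTO_INHERIT_REQ = 256

; The SACL of the security descriptor must be inherited.
SACL_AUTO_INHERIT_REQ = 512

; Indicates a security descriptor in which the DACL is set up to support
; automatic propagation of inheritable ACEs to existing child objects.
DACL_AUTO_INHERITED = 1024

; The SACL of the security descriptor supports automatic propagation of
; inheritable ACEs to existing child objects.
SACL_AUTO_INHERITED = 2048

; The security descriptor will not allow inheritable ACEs to modify the DACL.
DACL_PROTECTED = 4096

; The security descriptor will not allow inheritable ACEs to modify the SACL.
SACL_PROTECTED = 8192

; The security descriptor is of self-relative format with all the security
; information in a continuous block of memory.
SELF_RELATIVE = 32768

; ---------------------------------------------------------------------------
; Bit values associated with an Access Control Entry's AccessMask property.
; Operating System = Windows 2000
; Namespace = LDAP
; Security object = ACE
; Property = AccessMask
; ---------------------------------------------------------------------------

; The right to delete the object.
DELETE = 65536

; The right to read information from the security descriptor of the object,
; not including the information in the SACL.
READ_CONTROL = 131072

; The right to modify the discretionary access-control list (DACL) in the
; object's security descriptor.
WRITE_DAC = 262144

; The right to assume ownership of the object. The user must be a trustee of
; the object. The user cannot transfer the ownership to other users.
WRITE_OWNER = 524288

; The right to use the object for synchronization. This enables a thread to
; wait until the object is in the signaled state.
SYNCHRONIZE = 1048576

; The right to get or set the SACL in the object's security descriptor.
ACCESS_SYSTEM_SECURITY = 16777216

; The right to read from the security descriptor, examine the object as well
; as its children, and read all properties.
GENERIC_READ = 2147483648

; The right to write all the properties and write to the DACL. The user can
; add and remove the object to and from the directory.
GENERIC_WRITE = 1073741824

; The right to list children of this object.
GENERIC_EXECUTE = 536870912

; The right to create or delete children, delete a subtree, read and write
; properties, examine children and the object itself, add and remove the
; object from the directory, and read or write with an extended right.
GENERIC_ALL = 268435456

; The right to create children of the object. The ObjectType member of an ACE
; can contain a GUID that identifies the type of child object whose creation
; is being controlled. If ObjectType does not contain a GUID, the ACE controls
; the creation of all child object types.
DS_CREATE_CHILD = 1

; The right to delete children of the object. The ObjectType member of an ACE
; can contain a GUID that identifies a type of child object whose deletion is
; being controlled. If ObjectType does not contain a GUID, the ACE controls
; the deletion of all child object types.
DS_DELETE_CHILD = 2

; The right to list children of this object.
ACTRL_DS_LIST = 4

; The right to modify the group membership of a group object.
DS_SELF = 8

; The right to read properties of the object. The ObjectType member of an ACE
; can contain a GUID that identifies a property set or property. If ObjectType
; does not contain a GUID, the ACE controls the right to read all of the
; object's properties.
DS_READ_PROP = 16

; The right to write properties of the object. The ObjectType member of an ACE
; can contain a GUID that identifies a property set or property. If ObjectType
; does not contain a GUID, the ACE controls the right to write all of the
; object's properties.
DS_WRITE_PROP = 32

; The right to delete all children of this object, regardless of the
; permission on the children.
DS_DELETE_TREE = 64

; The right to list a particular object. If the user is not granted such a
; right, the object is hidden from the user.
DS_LIST_OBJECT = 128

; The right to perform an operation controlled by an extended access right.
; The ObjectType member of an ACE can contain a GUID that identifies the
; extended right. If ObjectType does not contain a GUID, the ACE controls the
; right to perform all extended right operations associated with the object.
DS_CONTROL_ACCESS = 256

;************************************ Exchange 5.5 only ************************************
; The Exchange 5.5 mailbox security descriptor has different meanings for
; several AccessMask bits.
; Operating System = Windows 2000, NT 4.0
; Namespace = LDAP
; Security object = ACE
; Property = AccessMask

; Modify User Attributes
EXCH_MODIFY_USER_ATT = 2

; Send As
EXCH_MAIL_SEND_AS = 8

; Mailbox Owner
EXCH_MAIL_RECEIVE_AS = 16

; The Exchange 5.5 security descriptors for container objects have these bit
; values associated with their Access Control Entry's AccessMask property.
; Operating System = Windows 2000, NT 4.0
; Namespace = LDAP
; Security object = ACE
; Property = AccessMask

RIGHT_DS_ADD_CHILD = 1
RIGHT_DS_MODIFY_USER_ATT = 2
RIGHT_DS_MODIFY_ADMIN_ATT = 4
RIGHT_DS_DELETE = 65536
RIGHT_MAIL_SEND_AS = 8
RIGHT_MAIL_RECEIVE_AS = 16
RIGHT_MAIL_ADMIN_AS = 32
RIGHT_DS_REPLICATION = 64
RIGHT_DS_MODIFY_SEC_ATT = 128
RIGHT_DS_SEARCH = 256
;*********************************** End Exchange 5.5 only *********************************

; ---------------------------------------------------------------------------
; Values associated with an Access Control Entry's AceType property.
; Operating System = Windows 2000
; Namespace = LDAP
; Security object = ACE
; Property = AceType
; ---------------------------------------------------------------------------

; The ACE is of the standard ACCESS_ALLOWED type, where the ObjectType and
; InheritedObjectType fields are NULL.
ACCESS_ALLOWED = 0

; The ACE is of the standard ACCESS_DENIED type, where the ObjectType and
; InheritedObjectType fields are NULL.
ACCESS_DENIED = 1

; The ACE is of the standard system type, where the ObjectType and
; InheritedObjectType fields are NULL.
SYSTEM_AUDIT = 2

; The ACE is of the ADSI extension of the ACCESS_ALLOWED type, where either
; ObjectType or InheritedObjectType or both contain a GUID.
ACCESS_ALLOWED_OBJECT = 5

; The ACE is of the ADSI extension of the ACCESS_DENIED type, where either
; ObjectType or InheritedObjectType or both contain a GUID.
ACCESS_DENIED_OBJECT = 6

; The ACE is of the ADSI extension of the system type, where either ObjectType
; or InheritedObjectType or both contain a GUID.
SYSTEM_AUDIT_OBJECT = 7

; ---------------------------------------------------------------------------
; Bit values associated with an Access Control Entry's AceFlags property.
; Operating System = Windows 2000
; Namespace = LDAP
; Security object = ACE
; Property = AceFlags
; ---------------------------------------------------------------------------

; Child objects will inherit this access-control entry (ACE). The inherited
; ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE flag is set.
INHERIT_ACE = 2

; ADSI will clear the INHERIT_ACE flag for the inherited ACEs of child
; objects. This prevents the ACE from being inherited by subsequent
; generations of objects.
NO_PROPAGATE_INHERIT_ACE = 4

; Indicates an inherit-only ACE that does not exercise access control on the
; object to which it is attached. If this flag is not set, the ACE is an
; effective ACE that exerts access control on the object to which it is
; attached.
INHERIT_ONLY_ACE = 8

; Indicates whether or not the ACE was inherited. The system sets this bit.
INHERITED_ACE = 16

; Mask covering the inheritance-related flag bits (1 through 16, i.e. 31);
; not a single bit. The original text described it as a bit the system sets.
VALID_INHERIT_FLAGS = 31

; Generates audit messages for successful access attempts, used with ACEs
; that audit the system in a system access-control list (SACL).
SUCCESSFUL_ACCESS = 64

; Generates audit messages for failed access attempts, used with ACEs that
; audit the system in a SACL.
FAILED_ACCESS = 128

; ---------------------------------------------------------------------------
; Bit values associated with an Access Control Entry's Flags property.
; Operating System = Windows 2000
; Namespace = LDAP
; Security object = ACE
; Property = Flags
; ---------------------------------------------------------------------------

; The ObjectType field is present in the ACE, but InheritedObjectType is not.
OBJECT_TYPE_PRESENT = 1

; The InheritedObjectType field is present in the ACE, but ObjectType is not.
INHERITED_OBJECT_TYPE_PRESENT = 2

; ---------------------------------------------------------------------------
; Possible values for the Authentication method (3rd) parameter of the
; dsSetCredentx function. Use these values to control how the extender
; authenticates when it binds to the directory service.
; ---------------------------------------------------------------------------

; Use basic authentication to bind to directory service objects. On its own
; this gives the credentials no protection on the wire; combine it with
; USE_SSL / USE_ENCRYPTION, or prefer SECURE_AUTHENTICATION.
CLEAR_TEXT = 0

; Requests secure authentication. When this flag is set, the WinNT provider
; uses NTLM to authenticate the client. Active Directory will use Kerberos,
; and possibly NTLM, to authenticate the client. When the user name and
; password are NULL, the extender binds to the object using the security
; context of the user account under which WinBatch is running.
SECURE_AUTHENTICATION = 1

; Use encryption for data exchange over the network. (Same value as USE_SSL.)
USE_ENCRYPTION = 2

; Data will be encrypted using SSL. (Same value as USE_ENCRYPTION.)
USE_SSL = 2

; For a WinNT provider, the extender tries to connect to a primary domain
; controller (PDC) or a backup domain controller (BDC). For Active Directory,
; this flag indicates that a writeable server is not required for a
; serverless binding.
READONLY_SERVER = 4

; Not supported.
PROMPT_CREDENTIALS = 8

; The providers may attempt to bind the client to an object as an anonymous
; user. The WinNT provider does not support this flag.
NO_AUTHENTICATION = 16

; This flag is not supported by the extender.
FAST_BIND = 32

; Verifies data integrity to ensure the data received is the same as the data
; sent. The SECURE_AUTHENTICATION flag must be set also.
USE_SIGNING = 64

; Encrypts data using Kerberos. The SECURE_AUTHENTICATION flag must be set also.
USE_SEALING = 128

; Enables the extender to delegate the user's security context, which is
; necessary for moving objects across domains.
USE_DELEGATION = 256

; Windows 2000 SP1 and later: Specify this flag when using the LDAP provider
; if your ADsPath includes a server name. Do not use this flag for paths that
; include a domain name or for serverless paths. If you specify a server name
; without also specifying this flag, unnecessary network traffic is the
; result.
SERVER_BIND = 512

; The SECURE_AUTHENTICATION flag can be used in combination with other flags
; such as READONLY_SERVER, PROMPT_CREDENTIALS, FAST_BIND, USE_SIGNING,
; USE_SEALING and SERVER_BIND.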