001package com.hfg.ldap.ad;
002
003
004import java.util.ArrayList;
005import java.util.EnumSet;
006import java.util.List;
007
008//------------------------------------------------------------------------------
009/**
010 Active Directory user account control flags.
011 <div>
 These are the default UserAccountControl values for common object types:
013  <ul>
014   <li>Typical user : 0x200 (512)</li>
015   <li>Domain controller : 0x82000 (532480)</li>
016   <li>Workstation/server: 0x1000 (4096)</li>
017  </ul>
018 </div>
019 <div>
020 @author J. Alex Taylor, hairyfatguy.com
021 </div>
022 */
023//------------------------------------------------------------------------------
024// com.hfg XML/HTML Coding Library
025//
026// This library is free software; you can redistribute it and/or
027// modify it under the terms of the GNU Lesser General Public
028// License as published by the Free Software Foundation; either
029// version 2.1 of the License, or (at your option) any later version.
030//
031// This library is distributed in the hope that it will be useful,
032// but WITHOUT ANY WARRANTY; without even the implied warranty of
033// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
034// Lesser General Public License for more details.
035//
036// You should have received a copy of the GNU Lesser General Public
037// License along with this library; if not, write to the Free Software
038// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
039//
040// J. Alex Taylor, President, Founder, CEO, COO, CFO, OOPS hairyfatguy.com
041// jataylor@hairyfatguy.com
042//------------------------------------------------------------------------------
043
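public enum UserAccountControlFlag
{
   /** The logon script will be run. */
   SCRIPT(1),
   /** The user account is disabled. */
   ACCOUNTDISABLE(2),
   /** The home folder is required. */
   HOMEDIR_REQUIRED(8),
   /** The user account is locked. */
   LOCKOUT(16),
   /** No password is required. Security-sensitive: the account may carry an empty password, so accounts with this flag are usually reviewed during audits. */
   PASSWD_NOTREQD(32),
   /** The user cannot change the password. */
   PASSWD_CANT_CHANGE(64),
   /** The user can send an encrypted password. */
   ENCRYPTED_TEXT_PWD_ALLOWED(128),
   /** This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. */
   TEMP_DUPLICATE_ACCOUNT(256),
   /** This is a default account type that represents a typical user. */
   NORMAL_ACCOUNT(512),
   /** This is a permit to trust an account for a system domain that trusts other domains. */
   INTERDOMAIN_TRUST_ACCOUNT(2048),
   /** This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. */
   WORKSTATION_TRUST_ACCOUNT(4096),
   /** This is a computer account for a domain controller that is a member of this domain. */
   SERVER_TRUST_ACCOUNT(8192),
   /** Represents the password, which should never expire on the account. */
   DONT_EXPIRE_PASSWORD(65536),
   /** This is an MNS logon account. */
   MNS_LOGON_ACCOUNT(131072),
   /** When this flag is set, it forces the user to log on by using a smart card. */
   SMARTCARD_REQUIRED(262144),
   /** When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account. Security-sensitive: this is unconstrained delegation and should be limited to tightly controlled accounts. */
   TRUSTED_FOR_DELEGATION(524288),
   /** When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation. */
   NOT_DELEGATED(1048576),
   /** (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. Security-sensitive: DES is obsolete and considered weak. */
   USE_DES_KEY_ONLY(2097152),
   /** (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on. Security-sensitive: disabling pre-authentication weakens protection of the account's credentials; such accounts are commonly flagged in audits. */
   DONT_REQ_PREAUTH(4194304),
   /** (Windows 2000/Windows Server 2003) The user's password has expired. */
   PASSWORD_EXPIRED(8388608),
   /** (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.  */
   TRUSTED_TO_AUTH_FOR_DELEGATION(16777216),
   /** (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. */
   PARTIAL_SECRETS_ACCOUNT(67108864);

   /** The single bit this flag occupies in the userAccountControl attribute value. */
   private final int mBit;

   //--------------------------------------------------------------------------
   UserAccountControlFlag(int inBit)
   {
      mBit = inBit;
   }

   //--------------------------------------------------------------------------
   /**
    Returns the bit mask value of this flag as stored in userAccountControl.
    @return the flag's bit (a power of two)
    */
   public int intValue()
   {
      return mBit;
   }

   //--------------------------------------------------------------------------
   /**
    Tests whether this flag's bit is set in the specified userAccountControl value.
    @param inValue a raw userAccountControl attribute value
    @return true if this flag's bit is set in inValue
    */
   public boolean isSetIn(int inValue)
   {
      return (inValue & mBit) != 0;
   }


   //--------------------------------------------------------------------------
   /**
    Decodes a raw userAccountControl attribute value into the set of flags
    whose bits are set. Bits that have no constant in this enum are ignored,
    so the result may not round-trip to the original value via
    {@link #toBitFlags(Iterable)}.
    @param inValue a raw userAccountControl attribute value
    @return the (possibly empty) set of flags present in inValue; never null
    */
   public static EnumSet<UserAccountControlFlag> fromBitFlags(int inValue)
   {
      // Build the EnumSet directly: EnumSet.copyOf(Collection) throws
      // IllegalArgumentException on an empty collection, which made the
      // previous implementation fail for values with no recognized bits (e.g. 0).
      EnumSet<UserAccountControlFlag> flags = EnumSet.noneOf(UserAccountControlFlag.class);

      for (UserAccountControlFlag flag : values())
      {
         if (flag.isSetIn(inValue))
         {
            flags.add(flag);
         }
      }

      return flags;
   }

   //--------------------------------------------------------------------------
   /**
    Combines the specified flags into a raw userAccountControl attribute value.
    @param inFlags the flags to combine; may be empty
    @return the bitwise OR of the flags' bit values (0 for an empty set)
    */
   public static int toBitFlags(Iterable<UserAccountControlFlag> inFlags)
   {
      int value = 0;

      for (UserAccountControlFlag flag : inFlags)
      {
         value |= flag.intValue();
      }

      return value;
   }
}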