SekChek for Active Directory: Glossary, Table _All_User_Accounts



The following table defines the columns displayed in table _All_User_Accounts. The table is contained in the MS-Access database or MS-Excel document, which forms part of your SekChek report.

Attribute

Definition

Path

The full path to the object

CN

The object’s Common Name

SAM Account Name

The logon name used to support clients and servers running earlier versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager.

Name

The user’s name.

Display Name

The display name for the object. This is usually the user's first name, middle initial, and last name.

User Principal Name (UPN)

An Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user email name.

Privilege

User, Administrator or Guest.

Description

Free-form description of the object.

Last Logon

The last time the user successfully logged on to the domain.

Last Logon DC

The Domain Controller that authenticated the user’s last logon.

Logon Count (NR)

The number of times the account has successfully logged on.

This value is not replicated.

Account Expires

The date when the account expires.

Password Changed

The date that the password for this account was last changed.

Password Must Change Next Logon

Indicates whether the user must set the password at the next logon.

No Password Required

Indicates whether the user can log on with a null (blank) password.

See notes in report section Accounts not Requiring a Password and SekChek’s white paper on this topic.

User Cannot Change Password

Indicates whether the user is allowed to change the account’s password.

Password Never Expires

Indicates whether the password for the account will never expire.

Account Disabled

Indicates whether the user account is disabled.

Account Locked

Indicates whether the account is locked. Used internally.

Bad Password Count (NR)

The number of times the user tried to log on to the account using an incorrect password.

This value is not replicated.

Bad Password Time (NR)

The last date that an attempt to log on to the account was made with a password that is not valid.

This value is not replicated.
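Because the NR columns above (Last Logon, Logon Count, Bad Password Count, Bad Password Time) are held separately by each Domain Controller, a row taken from one DC can understate the account's real activity. The following Python is an added example, not SekChek code, showing how a reviewer can combine readings collected from several DCs into one domain-wide row; the DC names, timestamps and counters are constructed sample data, and the choice to take the largest per-DC counter rather than add them is this example's own convention.

```python
# Added example (not SekChek code): merge per-DC readings of the non-replicated
# (NR) columns into a single domain-wide view of one account.
from datetime import datetime

# Constructed readings: one dictionary per DC for the same account.
# None means the attribute was never set on that DC.
SAMPLE_READINGS = {
    "DC01": {"Last Logon": datetime(2024, 3, 1, 8, 15), "Logon Count": 412,
             "Bad Password Count": 0, "Bad Password Time": None},
    "DC02": {"Last Logon": datetime(2024, 3, 4, 17, 2), "Logon Count": 37,
             "Bad Password Count": 3, "Bad Password Time": datetime(2024, 3, 4, 16, 58)},
    "DC03": {"Last Logon": None, "Logon Count": 0,
             "Bad Password Count": 1, "Bad Password Time": datetime(2024, 2, 20, 11, 5)},
}


def merge_nr_columns(readings=SAMPLE_READINGS) -> dict:
    """Return one row: the latest timestamps (with the DC that supplied the
    last logon, matching the report's Last Logon DC column) and the largest
    per-DC value of each counter."""

    def latest(column):
        # (timestamp, dc) pairs for every DC that has a value; max() picks the newest
        candidates = [(v[column], dc) for dc, v in readings.items() if v[column] is not None]
        return max(candidates) if candidates else (None, None)

    last_logon, last_logon_dc = latest("Last Logon")
    bad_time, _ = latest("Bad Password Time")
    return {
        "Last Logon": last_logon,
        "Last Logon DC": last_logon_dc,
        # Per-DC counters are kept independently; this example reports the largest
        # reading rather than a sum (an assumption of the example, not of the report).
        "Logon Count": max(v["Logon Count"] for v in readings.values()),
        "Bad Password Count": max(v["Bad Password Count"] for v in readings.values()),
        "Bad Password Time": bad_time,
    }


if __name__ == "__main__":
    for column, value in merge_nr_columns().items():
        print(f"{column}: {value}")
```

The practical point is that a "never logged on" verdict should only be reached after every DC has been consulted; a single DC reporting a blank Last Logon (DC03 above) says nothing about logons authenticated elsewhere.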

Lockout Time

The date that the account was locked out. This attribute value is only reset when the account is logged onto successfully.

Admin Count

Indicates that the object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively).

Logon Script Executed

Indicates whether the logon script is executed.

Home Dir Required

Indicates whether the home directory is required.

User Can Send Encrypted Password

Used internally.

Local Account

Indicates whether the account is for a user whose primary account is in another domain.

Normal Account

Indicates whether the account is a default account type that represents a typical user.

Computer Account

Indicates whether the account is a computer account for a computer that is a member of this domain.

BDC Account

Indicates whether the account is a computer account for a backup domain controller that is a member of this domain.

MNS Logon Account

Indicates whether the account is an MNS logon account. Used internally.

Smart Card Required

Indicates whether the user must log on using a smart card. Used internally.

Trusted for Delegation

Indicates whether the account is trusted for Kerberos delegation.

Not Delegated

Indicates whether the security context of the account will not be delegated to a service, even if the service account is set as trusted for Kerberos delegation.

Use DES

Indicates whether the account is restricted to use only Data Encryption Standard (DES) encryption types for keys.

No Kerberos Preauthentication

Indicates whether the account does not require Kerberos pre-authentication for logon.

XP Passwd Expired

Used internally.

Trusted to Auth for Delegation

Indicates whether the account is enabled for delegation.
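Most of the Yes/No columns from Logon Script Executed through Trusted to Auth for Delegation are individual bits of the account's userAccountControl attribute. The Python below is an added example, not SekChek code: it decodes a raw userAccountControl value into the column names used in this glossary and then applies a few review checks of the kind a reviewer would run over the _All_User_Accounts table. The bit values are the documented Windows account-flag constants; the finding labels, the `review_findings` checks and the sample account rows are constructed for the example.

```python
# Added example (not SekChek code): decode userAccountControl into this glossary's
# column names and run simple review checks over constructed account rows.

# Documented userAccountControl bit values, keyed to the glossary column names.
UAC_FLAGS = {
    0x00000001: "Logon Script Executed",
    0x00000002: "Account Disabled",
    0x00000008: "Home Dir Required",
    0x00000010: "Account Locked",
    0x00000020: "No Password Required",
    0x00000040: "User Cannot Change Password",   # in AD the ACL, not this bit, enforces it
    0x00000080: "User Can Send Encrypted Password",
    0x00000100: "Local Account",
    0x00000200: "Normal Account",
    0x00001000: "Computer Account",
    0x00002000: "BDC Account",
    0x00010000: "Password Never Expires",
    0x00020000: "MNS Logon Account",
    0x00040000: "Smart Card Required",
    0x00080000: "Trusted for Delegation",
    0x00100000: "Not Delegated",
    0x00200000: "Use DES",
    0x00400000: "No Kerberos Preauthentication",
    0x00800000: "XP Passwd Expired",
    0x01000000: "Trusted to Auth for Delegation",
    0x02000000: "No Auth Data Required",
}


def decode_uac(value: int) -> set:
    """Return the set of glossary column names whose bit is set in value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def review_findings(flags: set) -> list:
    """Findings for an enabled account; labels are this example's own wording."""
    if "Account Disabled" in flags:
        return []  # disabled accounts are reviewed separately
    findings = []
    if "No Password Required" in flags:
        findings.append("Accounts not Requiring a Password")
    if "Password Never Expires" in flags:
        findings.append("Password never expires")
    if "No Kerberos Preauthentication" in flags:
        findings.append("Kerberos pre-authentication disabled")
    if "Trusted for Delegation" in flags or "Trusted to Auth for Delegation" in flags:
        findings.append("Account trusted for delegation")
    if "Use DES" in flags:
        findings.append("Restricted to DES keys")
    return findings


# Constructed sample rows: (SAM Account Name, userAccountControl)
SAMPLE_ROWS = [
    ("alice", 0x200),                               # NORMAL_ACCOUNT only
    ("svc_backup", 0x200 | 0x10000 | 0x80000),      # never expires, trusted for delegation
    ("legacy01", 0x200 | 0x20 | 0x400000),          # no password required, no pre-auth
    ("old_temp", 0x200 | 0x2 | 0x20),               # disabled, so no findings reported
]


def review_table(rows=SAMPLE_ROWS) -> dict:
    """Map each SAM Account Name to its list of findings."""
    return {sam: review_findings(decode_uac(uac)) for sam, uac in rows}


if __name__ == "__main__":
    for sam, findings in review_table().items():
        print(f"{sam}: {', '.join(findings) or 'no findings'}")
```

Account Disabled is checked first on purpose: the report treats disabled accounts as a separate population, and a weak setting on a disabled account is a housekeeping item rather than an exposure until the account is re-enabled.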

Valid Workstations

The computers from which the user can log on.

Dial-in Allowed

Indicates whether the account has permission to dial in to the RAS server.

Callback

Indicates whether the server will call back the user before logon is allowed.

Administrator Sets Callback Nbr

Indicates whether an administrator sets the call-back number.

Caller Sets Callback Nbr

Indicates whether the user is allowed to set the call-back number.

Dial-in Service Type

The dial-in service type.

Dial-in Callback Number

The call-back number.

Calling Station ID

When dialling into the system, the user is restricted to dialling in from this number.

Framed IP Address

Used internally.

Framed Route

Used internally.

Country

The country/region in the address of the user. The country/region is represented as a 2-character code based on ISO-3166.

Profile Path

Specifies a path to the user’s profile.

Script Path

Specifies the path for the user’s logon script.

Home Directory Path

The home directory for the account.

Critical System Object

If Yes: The object hosting this attribute must be replicated during installation of a new replica.

No Auth Data Required

Used internally.

Protected From Accidental Deletion

Indicates whether the account is protected against accidental deletion.

Object Class

The list of classes from which this class is derived.

RID

The relative identifier of the object.

Resultant PSO

The resultant Password Settings Object (PSO) that applies to the user. If blank, the domain accounts policy applies.

For more information see SekChek’s white paper on PSOs.

From SekChek V5.0.9 Build 3.

Pol LockoutDuration

The number of minutes that the account will remain locked when LockoutThreshold is exceeded.

Source: a PSO if column Resultant PSO contains a PSO name; otherwise the Domain Policy.

Pol LockoutObservationWindow

The number of minutes for which invalid logon attempts are monitored. That is, if the number of failed logon attempts defined in LockoutThreshold is reached within the number of minutes defined for LockoutObservationWindow, the account is locked out for the period specified under LockoutDuration.

Source: a PSO if column Resultant PSO contains a PSO name; otherwise the Domain Policy.

Pol LockoutThreshold

The number of failed logon attempts allowed before the account is locked. A value of 0 (zero) allows an unlimited number of invalid login attempts, which effectively disables the system’s intruder prevention controls.

Source: a PSO if column Resultant PSO contains a PSO name; otherwise the Domain Policy.
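To make the interaction of the three lockout columns concrete, the Python below is an added example, not SekChek code. It replays a list of failed-logon timestamps against a policy, resets the bad-password counter once LockoutObservationWindow minutes have passed since the previous failure, locks the account when LockoutThreshold is reached, and computes the unlock time from LockoutDuration. It also shows the Source rule stated above: the policy comes from the named PSO when the Resultant PSO column is filled in, otherwise from the domain policy. The domain policy values, the PSO name `PSO-ServiceAccounts` and the sample timestamps are constructed; a LockoutDuration of 0 is treated as locked until an administrator unlocks the account, which is how Windows interprets that value.

```python
# Added example (not SekChek code): replay failed logons against the lockout
# policy that the Pol Lockout* columns describe.
from datetime import datetime, timedelta

# Constructed policies: the domain policy plus one fine-grained PSO.
DOMAIN_POLICY = {"LockoutThreshold": 5, "LockoutObservationWindow": 30, "LockoutDuration": 30}
PSO_POLICIES = {
    # Threshold 0 = unlimited attempts, the weak setting the glossary warns about
    "PSO-ServiceAccounts": {"LockoutThreshold": 0, "LockoutObservationWindow": 30, "LockoutDuration": 30},
}


def effective_policy(resultant_pso: str) -> dict:
    """Source rule: the PSO if Resultant PSO names one, otherwise the domain policy."""
    return PSO_POLICIES[resultant_pso] if resultant_pso else DOMAIN_POLICY


def simulate_lockout(failed_logons, threshold: int, observation_minutes: int, duration_minutes: int):
    """Return (locked_at, unlocks_at).

    (None, None) if the account never locks; unlocks_at is None when the
    duration is 0, meaning locked until an administrator unlocks it.
    """
    window = timedelta(minutes=observation_minutes)
    bad_count = 0
    last_bad = None
    for attempt in sorted(failed_logons):
        # The counter resets once the observation window has elapsed since the last failure
        if last_bad is not None and attempt - last_bad >= window:
            bad_count = 0
        bad_count += 1
        last_bad = attempt
        if threshold > 0 and bad_count >= threshold:
            unlocks_at = attempt + timedelta(minutes=duration_minutes) if duration_minutes > 0 else None
            return attempt, unlocks_at
    return None, None


def lockout_for_account(resultant_pso: str, failed_logons):
    """Apply the account's effective policy to its failed-logon history."""
    policy = effective_policy(resultant_pso)
    return simulate_lockout(failed_logons, policy["LockoutThreshold"],
                            policy["LockoutObservationWindow"], policy["LockoutDuration"])


# Constructed failed-logon histories for the same account.
SAMPLE_BASE = datetime(2024, 1, 1, 9, 0)
SAMPLE_BURST = [SAMPLE_BASE + timedelta(minutes=m) for m in (0, 1, 2, 3, 4)]        # 5 in 5 minutes
SAMPLE_SPREAD = [SAMPLE_BASE + timedelta(minutes=m) for m in (0, 40, 80, 120, 160)]  # 5 spread out

if __name__ == "__main__":
    print("domain policy, burst:  ", lockout_for_account("", SAMPLE_BURST))
    print("domain policy, spread: ", lockout_for_account("", SAMPLE_SPREAD))
    print("PSO (threshold 0):     ", lockout_for_account("PSO-ServiceAccounts", SAMPLE_BURST))
```

The spread-out history never locks the account even though it contains the same number of failures, which is why a LockoutObservationWindow that is shorter than the LockoutDuration, or a LockoutThreshold of 0, deserves a finding in its own right and not only the threshold value.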

Pol MaximumPasswordAge

The maximum number of days a password can be used before the system forces the user to change it. A value of 0 (zero) means that regular password changes are not enforced.

Source: a PSO if column Resultant PSO contains a PSO name; otherwise the Domain Policy.

Pol MinimumPasswordAge

The minimum number of days that must elapse between password changes.

Source: a PSO if column Resultant PSO contains a PSO name; otherwise the Domain Policy.

Pol MinimumPasswordLength

The minimum number of characters that a password must contain.

Source: a PSO if column Resultant PSO contains a PSO name; otherwise the Domain Policy.

Pol PasswordComplexityEnabled

Indicates whether new passwords must comply with Windows' password complexity rules.

Source: a PSO if column Resultant PSO contains a PSO name; otherwise the Domain Policy.

Pol PasswordHistoryLength

The number of old / previous passwords that cannot be used when selecting a new password.

Source: a PSO if column Resultant PSO contains a PSO name; otherwise the Domain Policy.

Pol PasswordReversibleEncryptionEnabled

Determines whether Windows will store passwords using reversible encryption techniques.

Source: a PSO if column Resultant PSO contains a PSO name; otherwise the Domain Policy.

Primary Group ID

The relative identifier (RID) for the primary group of the user.

Created

The date when the object was created.

Changed (NR)

The date when the object was last changed.

This value is not replicated and exists in the global catalog.

About SekChek IPS
SekChek® IPS is a leading provider of computer security review, auditing and benchmarking tools and has served many of the world’s largest companies and public institutions in 140 countries since 1996. SekChek’s clients include security and audit professionals in IT departments, audit firms, internal audit functions, regulatory compliance and corporate governance departments. SekChek’s benchmarking features compare security policies and controls against a unique statistics database containing more than 30 million anonymous and real-life security measurements compiled from 80,000 computer systems across all major industry sectors.
