UAC Flags Reference
The OldUacValue and NewUacValue fields in Microsoft-Windows-Security-Auditing events 4738 and 4720 are hexadecimal bitmasks representing the Active Directory userAccountControl attribute. Each bit maps to an account property. When an account is modified, comparing the old and new values reveals exactly which flags changed.
UAC Flags
| Bit | Flag | Description |
|---|---|---|
| 0x00000001 | SCRIPT | Logon script will be run |
| 0x00000002 | ACCOUNTDISABLE | Account is disabled |
| 0x00000008 | HOMEDIR_REQUIRED | Home directory is required |
| 0x00000010 | LOCKOUT | Account is locked out |
| 0x00000020 | PASSWD_NOTREQD | No password required |
| 0x00000040 | PASSWD_CANT_CHANGE | User cannot change password |
| 0x00000080 | ENCRYPTED_TEXT_PWD_ALLOWED | Reversible encryption password storage allowed |
| 0x00000100 | TEMP_DUPLICATE_ACCOUNT | Local account for users with a primary account in another domain |
| 0x00000200 | NORMAL_ACCOUNT | Default account type for typical users |
| 0x00000800 | INTERDOMAIN_TRUST_ACCOUNT | Trust account for a system domain that trusts other domains |
| 0x00001000 | WORKSTATION_TRUST_ACCOUNT | Computer account for a workstation or server |
| 0x00002000 | SERVER_TRUST_ACCOUNT | Computer account for a domain controller |
| 0x00010000 | DONT_EXPIRE_PASSWORD | Password never expires |
| 0x00020000 | MNS_LOGON_ACCOUNT | Majority Node Set logon account |
| 0x00040000 | SMARTCARD_REQUIRED | Smart card required for interactive logon |
| 0x00080000 | TRUSTED_FOR_DELEGATION | Account is trusted for Kerberos unconstrained delegation |
| 0x00100000 | NOT_DELEGATED | Account cannot be delegated |
| 0x00200000 | USE_DES_KEY_ONLY | Restrict to DES encryption types only |
| 0x00400000 | DONT_REQ_PREAUTH | Kerberos pre-authentication is not required |
| 0x00800000 | PASSWORD_EXPIRED | Password has expired |
| 0x01000000 | TRUSTED_TO_AUTH_FOR_DELEGATION | Account is trusted for constrained delegation (protocol transition / S4U2Self) |
| 0x04000000 | PARTIAL_SECRETS_ACCOUNT | Read-Only Domain Controller (RODC) account |
Commonly Monitored Flags
The following flag changes are frequently targeted in detection rules due to their security impact:
| Flag | Risk | Common Detection |
|---|---|---|
| DONT_REQ_PREAUTH | Enables AS-REP Roasting: an AS-REP encrypted with the user's password-derived key can be requested without pre-authentication and cracked offline | Alert on any event 4738 that adds this flag |
| TRUSTED_FOR_DELEGATION | Unconstrained delegation: any service ticket presented to this account carries the user's TGT, enabling impersonation | Alert on non-DC accounts gaining this flag |
| PASSWD_NOTREQD | Account can have an empty password | Alert on any event that sets this flag on active accounts |
| DONT_EXPIRE_PASSWORD | Persistent credential: password never rotates | Monitor for this combined with service accounts or privileged accounts |
| ACCOUNTDISABLE | Removing this flag re-enables a disabled account | Alert when previously disabled accounts are re-enabled unexpectedly |
| USE_DES_KEY_ONLY | Forces weak DES encryption for Kerberos | Alert on this flag being set: may indicate Kerberoast setup |
| TRUSTED_TO_AUTH_FOR_DELEGATION | Constrained delegation with protocol transition: allows S4U2Self impersonation | Alert on non-service accounts gaining this flag |
| PARTIAL_SECRETS_ACCOUNT | RODC account: limited secret replication | Unexpected accounts with this flag may indicate RODC compromise |
How to Decode a Change
The old and new UAC values are hex bitmasks. XOR them to find which bits changed:

```text
OldUacValue: 0x10200  (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD)
NewUacValue: 0x410200 (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)
Changed = 0x10200 XOR 0x410200 = 0x400000 → DONT_REQ_PREAUTH was added
```
To determine whether a flag was added or removed, check whether the bit is set in the new value:

- Bit present in NewUacValue but not OldUacValue → flag was added
- Bit present in OldUacValue but not NewUacValue → flag was removed
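The decoding procedure above, written out as an added example (not code from the original page): it XORs the two values, attributes each changed bit to "added" or "removed" by name, reports any bit the table does not cover, and picks out the changes the commonly monitored flags table says to alert on. The table of bit values is copied from the page; the function names are this example's own.

```python
# Added example, not from the original page: decode the OldUacValue/NewUacValue
# pair of a 4738/4720 event into added and removed flag names and pick out the
# changes the "Commonly Monitored Flags" table treats as high risk.
UAC_FLAGS = {  # bit values from the table above
    0x00000001: "SCRIPT", 0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED", 0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD", 0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT", 0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT", 0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD", 0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED", 0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED", 0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH", 0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION", 0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}
KNOWN_MASK = sum(UAC_FLAGS)  # every bit the table defines

# Flags whose addition (or, for ACCOUNTDISABLE, removal) the page says to alert on.
RISKY_ADDED = {"DONT_REQ_PREAUTH", "TRUSTED_FOR_DELEGATION", "PASSWD_NOTREQD",
               "DONT_EXPIRE_PASSWORD", "USE_DES_KEY_ONLY",
               "TRUSTED_TO_AUTH_FOR_DELEGATION", "PARTIAL_SECRETS_ACCOUNT"}
RISKY_REMOVED = {"ACCOUNTDISABLE"}

def parse_uac(value):
    """Accept the hex string the event XML carries ("0x10200") or an int."""
    return value if isinstance(value, int) else int(value, 16)

def flag_names(value):
    """Names of all set bits; bits outside the table are reported, not dropped."""
    value = parse_uac(value)
    names = [name for bit, name in UAC_FLAGS.items() if value & bit]
    if value & ~KNOWN_MASK:
        names.append(f"UNKNOWN_0x{value & ~KNOWN_MASK:08X}")
    return names

def diff_uac(old, new):
    """XOR old and new, then attribute each changed bit to added or removed."""
    old, new = parse_uac(old), parse_uac(new)
    changed = old ^ new
    added = [n for b, n in UAC_FLAGS.items() if changed & b and new & b]
    removed = [n for b, n in UAC_FLAGS.items() if changed & b and old & b]
    return added, removed

def risky_changes(old, new):
    """Subset of the change that matches the commonly monitored flags."""
    added, removed = diff_uac(old, new)
    return sorted((set(added) & RISKY_ADDED) | (set(removed) & RISKY_REMOVED))
```

For a 4720 event OldUacValue is typically 0x0, so every flag on the new account shows up as added, which is the behaviour you want when baselining newly created accounts.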
Related Events
- Microsoft-Windows-Security-Auditing Event ID 4738: A user account was changed
- Microsoft-Windows-Security-Auditing Event ID 4720: A user account was created
- Microsoft-Windows-Security-Auditing Event ID 4722: A user account was enabled
- Microsoft-Windows-Security-Auditing Event ID 4725: A user account was disabled
- Microsoft-Windows-Security-Auditing Event ID 4726: A user account was deleted