SA-ldapsearch (Splunk Supporting Add-on for Active Directory) has a useful feature that parses “userAccountControl” flags into a multivalue. For example, instead of showing “514”, it shows [ACCOUNTDISABLE, NORMAL_ACCOUNT] instead. However, I noticed LOCKOUT and PASSWORD_EXPIRED flags are not shown even though I was sure the accounts I queried have either of those flags set. Those flags are indeed listed under documentations for “userAccountControl”: Windows Server and Active Directory Schema.
Despite being mentioned in the documentations, in that Windows Server doc, there is a note that says those flags have been moved to “msDS-User-Account-Control-Computed“ attribute since Windows Server 2003. But when I queried that attribute, I got a decimal value which meant the parsing function was not applied.
To apply flag-parsing function on “msDS-User-Account-Control-Computed”:
SA-ldapsearch/bin/packages/app/formatting_extensions.py'1.2.840.113556.1.4.8': format_user_flag_enum, # User-Account-Control
'1.2.840.113556.1.4.1460': format_user_flag_enum, # ms-DS-User-Account-Control-ComputedFirst line is an existing one, the second line is the new one.
For the sake of completeness, that function can also be patched to parse other flags of “msDS-User-Account-Control-Computed”. I created a script to apply the following patch directly on “splunk-supporting-add-on-for-active-directory_*.tgz“ and save it to a new app package “SA-ldapsearch_*.tgz”.
--- SA-ldapsearch/bin/packages/app/formatting_extensions.py 2023-09-06 00:00:00.000000000 +0000
+++ SA-ldapsearch/bin/packages/app/formatting_extensions.py 2023-09-06 00:00:00.000000001 +0000
@@ -721,6 +721,12 @@
names.append('PASSWORD_EXPIRED')
if flags & 0x1000000:
names.append('TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION')
+ if flags & 0x2000000:
+ names.append('NO_AUTH_DATA_REQUIRED')
+ if flags & 0x4000000:
+ names.append('PARTIAL_SECRETS_ACCOUNT')
+ if flags & 0x8000000:
+ names.append('USE_AES_KEYS')
# Zero or one of these flags may be set
@@ -822,6 +828,7 @@
'1.2.840.113556.1.4.1303': format_sid, # Token-Groups-No-GC-Acceptable
'1.2.840.113556.1.4.8': format_user_flag_enum, # User-Account-Control
+ '1.2.840.113556.1.4.1460': format_user_flag_enum, # ms-DS-User-Account-Control-Computed
# formatter specially for msExchMailboxSecurityDescriptor
'1.2.840.113556.1.4.7000.102.80' : format_security_descriptor, # msExchMailboxSecurityDescriptor