Score:1

Win Event Logs: Undocumented UAC value

cn flag

I was looking through some logs and I found a modification to an AD machine account. The event ID is 4742. The event name is a computer account was changed..

In the log, it shows the changed/modified attributes, in this case it shows the changes are to the UAC values:

Changed Attributes:

    SAM Account Name:   -

    Display Name:       -

    User Principal Name:    -

    Home Directory:     -

    Home Drive:     -

    Script Path:        -

    Profile Path:       -

    User Workstations:  -

    Password Last Set:  -

    Account Expires:        -

    Primary Group ID:   -

    AllowedToDelegateTo:    -

    Old UAC Value:      0x80

    New UAC Value:      0x81

    User Account Control:   

        Account Disabled

    User Parameters:    -

    SID History:        -

    Logon Hours:        -

    DNS Host Name:      -

    Service Principal Names:    -

As shown, it changes the Old_UAC value to 0x81 . The problem is, in the Microsoft documentation, only 0x80 is defined:

ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
Value: 0x80
The user can send an encrypted password.

I cannot find any reference to 0x81. Can anyone shed some light on this?

Score:1
cn flag

UserAccountControl is a bitflags attribute.

0x81 includes both:

ADS_UF_SCRIPT
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.