
UAC Decoder

This is a free dev tool TechJutsu is providing to Identity & Access Management Developers to give back to the community.

The UAC Decoder is a tool that converts the encoded value stored in the Microsoft Active Directory attribute “userAccountControl” into individual flags that an Identity specialist can read and understand.

The “userAccountControl” attribute in Microsoft AD relates to Identity Management (and Okta specifically) because it contains flags that directly relate to the imported AD accounts.

Of note, these flags have the following consequences in relation to Okta’s platform:

  • ACCOUNTDISABLE: When this flag is enabled, Okta does NOT import the account into an Okta profile.

    • If an account was previously imported into Okta and the AD account is later disabled then the corresponding Okta profile will be DEACTIVATED

    • If Okta provisioning downstream to AD is configured and the Okta profile is DEACTIVATED then the corresponding AD account will also be DISABLED

  • LOCKOUT: This flag is enabled when a user's password has been attempted more times than the configured lockout attempts allow

  • PASSWORD_EXPIRED: If this flag is enabled (and the appropriate Okta policies are configured), the next Okta logon using delegated authentication will prompt the end-user to change their expired password

Converting this value allows administrators/IDM specialists to determine account issues such as:

  • Why the account is not being imported into Okta even though the correct OU (Organizational Unit) is selected

  • Whether the AD account was successfully disabled when the Okta profile was deactivated. This is important for auditing LCM (Lifecycle Management) events such as off-boarding

  • And more…

UAC Decoder

Enter the decimal value from the Active Directory "userAccountControl", click "Decode", and see the property flags down below.

Please note: Even though you can select multiple flags, not all flag combinations are supported by Active Directory.
(Please refer to the official documentation for more details) 
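
The same decoding can be scripted for bulk audits. The following is an added example, not TechJutsu's code: the bit values are those in Microsoft's "UserAccountControl property flags" documentation, the Okta notes condense the list above, and the names `decode_uac` and `okta_triage` are made up for this illustration.

```python
# Bit values as listed in Microsoft's "UserAccountControl property flags" documentation.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Okta-side consequences as described on this page (wording condensed).
OKTA_NOTES = {
    "ACCOUNTDISABLE": "not imported into Okta; an already imported profile is deactivated",
    "LOCKOUT": "password attempted more than the configured lockout attempts",
    "PASSWORD_EXPIRED": "next delegated-auth logon prompts for a password change",
}

def decode_uac(value):
    """Return (flag names in bit order, leftover bits absent from the table)."""
    value = int(value)  # accepts the decimal string as exported from AD
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("userAccountControl is a 32-bit value")
    names = [name for bit, name in UAC_FLAGS.items() if value & bit]
    return names, value & ~sum(UAC_FLAGS)  # keys are distinct bits, so sum == OR

def okta_triage(value):
    """Keep only the decoded flags that have an Okta consequence listed above."""
    names, _ = decode_uac(value)
    return {n: OKTA_NOTES[n] for n in names if n in OKTA_NOTES}

if __name__ == "__main__":
    for sample in ("512", "514", "66048", "8389122"):  # constructed sample values
        print(sample, decode_uac(sample), okta_triage(sample))
```

A non-zero second element from `decode_uac` means the value carries bits outside the documented table, which is worth flagging in an audit rather than silently ignoring.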

Active Directory is a registered trademark of Microsoft Corporation. For further information on the "userAccountControl" flags, please see the official "UserAccountControl property flags - Windows Server" documentation provided by Microsoft.
