
The userAccountControl attribute is used to control the access of a user account.  This value can be set to the bitwise OR of a set of flag values, documented here:

 

| Property flag | Value in hexadecimal | Value in decimal |
|---|---|---|
| SCRIPT | 0x0001 | 1 |
| ACCOUNTDISABLE | 0x0002 | 2 |
| HOMEDIR_REQUIRED | 0x0008 | 8 |
| LOCKOUT | 0x0010 | 16 |
| PASSWD_NOTREQD | 0x0020 | 32 |
| PASSWD_CANT_CHANGE (see note) | 0x0040 | 64 |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 |
| NORMAL_ACCOUNT | 0x0200 | 512 |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 |
| SERVER_TRUST_ACCOUNT | 0x2000 | 8192 |
| DONT_EXPIRE_PASSWORD | 0x10000 | 65536 |
| MNS_LOGON_ACCOUNT | 0x20000 | 131072 |
| SMARTCARD_REQUIRED | 0x40000 | 262144 |
| TRUSTED_FOR_DELEGATION | 0x80000 | 524288 |
| NOT_DELEGATED | 0x100000 | 1048576 |
| USE_DES_KEY_ONLY | 0x200000 | 2097152 |
| DONT_REQ_PREAUTH | 0x400000 | 4194304 |
| PASSWORD_EXPIRED | 0x800000 | 8388608 |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 |

Note (PASSWD_CANT_CHANGE): You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the "Property flag descriptions" section.

So the value of the userAccountControl attribute can be described in PowerShell as the -bor (bitwise OR) of these flags. A user with the "NORMAL_ACCOUNT" and "DONT_EXPIRE_PASSWORD" flags set would be expressed in PowerShell as 512 -bor 65536 (which equals 66048).

So to make a user account a normal account with a non-expiring password in PowerShell, you can use NetCmdlets set-ldap like so:

 

```
PS C:\> set-ldap -server testboy -cred $mycred -dn "CN=Lance Robinson,CN=Users,DC=JUNGLE" -attrtype userAccountControl -attrvalue "66048" -replaceattribute

Host       : testboy
DN         : CN=Lance Robinson,CN=Users,DC=JUNGLE
Successful : True
Type       : userAccountControl
Value      : 66048

PS C:\>
```

 

To disable an account, just -bor 2 with whatever the existing value already is.
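The flag arithmetic described above, as an added example that is not part of the original post: it decodes a value into flag names and sets or clears one flag without overwriting the others, which replacing the attribute with a fixed number such as 66048 would do. The function names and the sample value are assumptions made for illustration.

```powershell
# Added example. Flag names and values are copied from the table in the post.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040   # per the post's note, not settable by writing this bit
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# Look up one flag's bit; names that are not in the table are rejected.
function Get-UacBit([string]$Name) { if ($UacFlags.Contains($Name)) { $UacFlags[$Name] } else { throw "Unknown flag: $Name" } }

# Names of every flag set in a userAccountControl value.
function Get-UacFlagName([int]$Value) {
    $UacFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key }
}

# Set or clear a single flag while leaving all other bits as they were.
function Set-UacFlag([int]$Value, [string]$Name)   { $Value -bor (Get-UacBit $Name) }
function Clear-UacFlag([int]$Value, [string]$Name) { $Value -band (-bnot (Get-UacBit $Name)) }

# Constructed sample: a normal account that already requires a smart card.
$current = 512 -bor 262144
# Writing the literal 66048 here would drop SMARTCARD_REQUIRED; OR in the new flag instead.
$next = Set-UacFlag $current 'DONT_EXPIRE_PASSWORD'

# Disable, then re-enable, without disturbing the other flags.
$disabled = Set-UacFlag $next 'ACCOUNTDISABLE'
$enabled  = Clear-UacFlag $disabled 'ACCOUNTDISABLE'
foreach ($v in $next, $disabled, $enabled) {
    "{0} = {1}" -f $v, ((Get-UacFlagName $v) -join ' | ')
}
```

The resulting number is what goes in -attrvalue of the set-ldap command shown in the post; reading the account's current value from the directory is not covered here.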

Posted on Wednesday, August 22, 2007 1:22 PM


Comments on this post: LDAP PowerShell User Account Control

No comments posted yet.


Copyright © Lance Robinson