How do I unpack the userAccountControl property in Active Directory?

There are some user attributes that are are easily visible through the Active Directory Users and Computers GUI, but when it comes to finding and setting them in a bulk/automated way, it’s a little trickier. Specifically, the userAccountControl attribute.

You can see the details of the attribute here, and the types of data this single value can hold:

https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties

Here’s an example of how the property looks through PowerShell:

The number is actually cumulative set of binary flags and extracting the individual flags is done with a bitwise AND operation between the UserAccountControl value and the decimal value of each flag.

The function below is a small-scale example that can be used on a single account (or used repeatedly in a loop) to convert the userAccountControl into usable properties with True/False values.

Modify and add the necessary decimal value checks that you require.

function getUserAccountControl {

    param($userobject);

    $accountdisabled = (($userobject.useraccountcontrol -band 2) -eq 2);
    add-member -inputobject $userobject -name AccountDisabled -value $accountdisabled -membertype noteproperty -force;

    $passwordnotrequired = (($userobject.useraccountcontrol -band 32) -eq 32);
    add-member -inputobject $userobject -name PasswordNotRequired -value $passwordnotrequired -membertype noteproperty -force;
    
    $passwordneverexpires = (($userobject.useraccountcontrol -band 65536) -eq 65536);
    add-member -inputobject $userobject -name PasswordNeverExpires -value $passwordneverexpires -membertype noteproperty -force;

    $passwordexpired = (($userobject.useraccountcontrol -band 8388608) -eq 8388608);
    add-member -inputobject $userobject -name PasswordExpired -value $passwordexpired -membertype noteproperty -force;

}

function getUserAccountControl {

param($userobject);

$accountdisabled = (($userobject.useraccountcontrol -band 2) -eq 2);

add-member -inputobject $userobject -name AccountDisabled -value $accountdisabled -membertype noteproperty -force;

$passwordnotrequired = (($userobject.useraccountcontrol -band 32) -eq 32);

add-member -inputobject $userobject -name PasswordNotRequired -value $passwordnotrequired -membertype noteproperty -force;

$passwordneverexpires = (($userobject.useraccountcontrol -band 65536) -eq 65536);

add-member -inputobject $userobject -name PasswordNeverExpires -value $passwordneverexpires -membertype noteproperty -force;

$passwordexpired = (($userobject.useraccountcontrol -band 8388608) -eq 8388608);

add-member -inputobject $userobject -name PasswordExpired -value $passwordexpired -membertype noteproperty -force;

}

To use the function, you need to query AD for a user, and then pass the user object to the function:

$user = get-aduser "administrator" -properties useraccountcontrol;
getUserAccountControl $user;

1 2	$user = get-aduser "administrator" -properties useraccountcontrol; getUserAccountControl $user;

Setting these values is a lot easier thanks to the built-in cmdlet Set-ADAccountControl.

HKEY_LOCAL_MACHINE

Every problem is an opportunity.

How do I unpack the userAccountControl property in Active Directory?

Leave a Reply Cancel reply