How do I unpack the userAccountControl property in Active Directory?

There are some user attributes that are are easily visible through the Active Directory Users and Computers GUI, but when it comes to finding and setting them in a bulk/automated way, it’s a little trickier.  Specifically, the userAccountControl attribute.

You can see the details of the attribute here, and the types of data this single value can hold:


Here’s an example of how the property looks through PowerShell:


The number is actually cumulative set of binary flags and extracting the individual flags is done with a bitwise AND operation between the UserAccountControl value and the decimal value of each flag.

The function below is a small-scale example that can be used on a single account (or used repeatedly in a loop) to convert the userAccountControl into usable properties with True/False values.

Modify and add the necessary decimal value checks that you require.



To use the function, you need to query AD for a user, and then pass the user object to the function:


Setting these values is a lot easier thanks to the built-in cmdlet Set-ADAccountControl.


Leave a Reply

Your email address will not be published. Required fields are marked *