There are some user attributes that are easily visible through the Active Directory Users and Computers GUI, but finding and setting them in a bulk or automated way is a little trickier. The userAccountControl attribute is one of them.
You can see the details of the attribute here, and the types of data this single value can hold:
Here’s an example of how the property looks through PowerShell:
The number is actually a cumulative set of binary flags. Each individual flag is extracted with a bitwise AND operation between the userAccountControl value and the decimal value of that flag.
The function below is a small-scale example that can be used on a single account (or used repeatedly in a loop) to convert the userAccountControl into usable properties with True/False values.
Modify and add the necessary decimal value checks that you require.
```powershell
function getUserAccountControl {
    param($userobject)

    # Each flag is tested with a bitwise AND against its decimal value.
    # ACCOUNTDISABLE (2)
    $accountdisabled = (($userobject.useraccountcontrol -band 2) -eq 2)
    Add-Member -InputObject $userobject -Name AccountDisabled -Value $accountdisabled -MemberType NoteProperty -Force

    # PASSWD_NOTREQD (32)
    $passwordnotrequired = (($userobject.useraccountcontrol -band 32) -eq 32)
    Add-Member -InputObject $userobject -Name PasswordNotRequired -Value $passwordnotrequired -MemberType NoteProperty -Force

    # DONT_EXPIRE_PASSWORD (65536)
    $passwordneverexpires = (($userobject.useraccountcontrol -band 65536) -eq 65536)
    Add-Member -InputObject $userobject -Name PasswordNeverExpires -Value $passwordneverexpires -MemberType NoteProperty -Force

    # PASSWORD_EXPIRED (8388608). Active Directory does not store this bit in
    # userAccountControl; it is reported in msDS-User-Account-Control-Computed,
    # so this check is only meaningful against that attribute's value.
    $passwordexpired = (($userobject.useraccountcontrol -band 8388608) -eq 8388608)
    Add-Member -InputObject $userobject -Name PasswordExpired -Value $passwordexpired -MemberType NoteProperty -Force
}
```
To use the function, you need to query AD for a user, and then pass the user object to the function:
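```powershell
$user = Get-ADUser "administrator" -Properties useraccountcontrol
# Add-Member modifies $user in place, so the new True/False properties are on $user afterwards.
getUserAccountControl $user
```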
Setting these values is a lot easier thanks to the built-in cmdlet Set-ADAccountControl.
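
The same bitwise AND check driven by a flag table, so it can run over many accounts at once and list which set flags deserve a review. This is an added example, not code from the original post: the helper names (`ConvertFrom-UacValue`, `Get-UacFinding`, `Get-UacLdapFilter`), the choice of flags to review and the sample accounts are assumptions made for illustration.

```powershell
# Added example. Names and decimal values follow Microsoft's userAccountControl flag table.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE             = 2
    PASSWD_NOTREQD             = 32
    ENCRYPTED_TEXT_PWD_ALLOWED = 128
    NORMAL_ACCOUNT             = 512
    DONT_EXPIRE_PASSWORD       = 65536
    TRUSTED_FOR_DELEGATION     = 524288
    USE_DES_KEY_ONLY           = 2097152
    DONT_REQ_PREAUTH           = 4194304
}
# Assumption: flags an audit would want reviewed; adjust to local policy.
$ReviewFlags = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'DONT_EXPIRE_PASSWORD',
               'TRUSTED_FOR_DELEGATION', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH'

function ConvertFrom-UacValue {          # hypothetical helper name
    param([Parameter(Mandatory)][int]$Value)
    foreach ($name in $UacFlags.Keys) {
        if (($Value -band $UacFlags[$name]) -ne 0) { $name }   # emit each flag that is set
    }
}

function Get-UacFinding {                # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)]$Account)
    process {
        $set = @(ConvertFrom-UacValue -Value $Account.userAccountControl)
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            Flags          = $set -join ', '
            Review         = @($set | Where-Object { $_ -in $ReviewFlags }) -join ', '
        }
    }
}

# Server-side equivalent of -band: the LDAP bitwise-AND matching rule.
function Get-UacLdapFilter {             # hypothetical helper name
    param([Parameter(Mandatory)][string]$FlagName)
    "(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$FlagName]))"
}

# Constructed sample accounts so the example runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';       userAccountControl = 512 }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; userAccountControl = 66048 }
    [pscustomobject]@{ SamAccountName = 'legacy-app'; userAccountControl = 4194848 }
)
$sample | Get-UacFinding | Format-Table -AutoSize
# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -LDAPFilter (Get-UacLdapFilter PASSWD_NOTREQD) -Properties userAccountControl | Get-UacFinding
```

With the sample data, `jdoe` has an empty Review column, `svc-backup` reports DONT_EXPIRE_PASSWORD, and `legacy-app` reports PASSWD_NOTREQD and DONT_REQ_PREAUTH.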