userAccountControl in Active Directory


I want to read the current value of userAccountControl and determine which state the account is in

Ref: http://support.microsoft.com/kb/305144/en-us

According to th

3条回答
  •  孤独总比滥情好
    2021-02-04 15:15

    You can easily decode this by converting your result to an enum.

    // Sample raw attribute value (544 == 0x220); casting it to the flags enum decodes it.
    int userAccountControlValue = 544;
    var userAccountControl = (UserAccountControl)userAccountControlValue;

    // ToString() on a [Flags] enum yields the names of the set flags, comma separated.
    string userAccountControlFlagNames = userAccountControl.ToString();

    // Testing a single flag: HasFlag(x) is equivalent to (value & x) == x.
    bool isNormalAccount = userAccountControl.HasFlag(UserAccountControl.NORMAL_ACCOUNT);
    bool isAccountDisabled = userAccountControl.HasFlag(UserAccountControl.ACCOUNTDISABLE);
    // NOTE(review): Active Directory generally does not keep LOCKOUT up to date in the stored
    // userAccountControl attribute; verify lockout through msDS-User-Account-Control-Computed
    // or lockoutTime before using this result in an access decision.
    bool isAccountLockedOut = userAccountControl.HasFlag(UserAccountControl.LOCKOUT);
    

    Here's the enum definition that you want:

    /// <summary>
    /// Flags that control the behavior of the user account
    /// (bit values of the userAccountControl attribute).
    /// </summary>
    [Flags]
    public enum UserAccountControl
    {
        /// <summary>The logon script is executed.</summary>
        SCRIPT = 0x00000001,

        /// <summary>The user account is disabled.</summary>
        ACCOUNTDISABLE = 0x00000002,

        /// <summary>The home directory is required.</summary>
        HOMEDIR_REQUIRED = 0x00000008,

        /// <summary>The account is currently locked out.</summary>
        /// <remarks>
        /// NOTE(review): Active Directory generally does not maintain this bit in the stored
        /// attribute; lockout state is normally read from msDS-User-Account-Control-Computed
        /// or lockoutTime. Confirm before relying on it.
        /// </remarks>
        LOCKOUT = 0x00000010,

        /// <summary>No password is required.</summary>
        /// <remarks>Security-sensitive: the account may carry an empty password; worth auditing.</remarks>
        PASSWD_NOTREQD = 0x00000020,

        /// <summary>The user cannot change the password.</summary>
        /// <remarks>
        /// You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying
        /// the UserAccountControl attribute. For more information and a code example that shows
        /// how to prevent a user from changing the password, see "User Cannot Change Password".
        /// </remarks>
        PASSWD_CANT_CHANGE = 0x00000040,

        /// <summary>The user can send an encrypted password.</summary>
        /// <remarks>
        /// NOTE(review): believed to correspond to storing the password with reversible
        /// encryption, which is security-sensitive; confirm against the Microsoft reference.
        /// </remarks>
        ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080,

        /// <summary>
        /// An account for users whose primary account is in another domain. It provides user
        /// access to this domain, but not to any domain that trusts this domain. Also known as
        /// a local user account.
        /// </summary>
        TEMP_DUPLICATE_ACCOUNT = 0x00000100,

        /// <summary>The default account type that represents a typical user.</summary>
        NORMAL_ACCOUNT = 0x00000200,

        /// <summary>A permit to trust account for a system domain that trusts other domains.</summary>
        INTERDOMAIN_TRUST_ACCOUNT = 0x00000800,

        /// <summary>A computer account for a computer that is a member of this domain.</summary>
        WORKSTATION_TRUST_ACCOUNT = 0x00001000,

        /// <summary>
        /// A computer account for a system backup domain controller that is a member of this domain.
        /// </summary>
        SERVER_TRUST_ACCOUNT = 0x00002000,

        /// <summary>Not used.</summary>
        Unused1 = 0x00004000,

        /// <summary>Not used.</summary>
        Unused2 = 0x00008000,

        /// <summary>The password for this account will never expire.</summary>
        /// <remarks>Security-sensitive: exempts the account from password-age policy; worth auditing.</remarks>
        DONT_EXPIRE_PASSWD = 0x00010000,

        /// <summary>This is an MNS logon account.</summary>
        MNS_LOGON_ACCOUNT = 0x00020000,

        /// <summary>The user must log on using a smart card.</summary>
        SMARTCARD_REQUIRED = 0x00040000,

        /// <summary>
        /// The service account (user or computer account) under which a service runs is trusted
        /// for Kerberos delegation. Any such service can impersonate a client requesting the service.
        /// </summary>
        /// <remarks>Security-sensitive: accounts with this flag should be inventoried and tightly controlled.</remarks>
        TRUSTED_FOR_DELEGATION = 0x00080000,

        /// <summary>
        /// The security context of the user will not be delegated to a service, even if the
        /// service account is set as trusted for Kerberos delegation.
        /// </summary>
        NOT_DELEGATED = 0x00100000,

        /// <summary>
        /// Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
        /// </summary>
        /// <remarks>Security-sensitive: DES is a weak, legacy cipher; flag accounts that still have this set.</remarks>
        USE_DES_KEY_ONLY = 0x00200000,

        /// <summary>This account does not require Kerberos pre-authentication for logon.</summary>
        /// <remarks>
        /// Security-sensitive: without pre-authentication the account's password is more exposed
        /// to offline guessing; audit accounts with this flag and clear it where possible.
        /// </remarks>
        DONT_REQUIRE_PREAUTH = 0x00400000,

        /// <summary>
        /// The user password has expired. This flag is created by the system using data from the
        /// Pwd-Last-Set attribute and the domain policy.
        /// </summary>
        /// <remarks>
        /// NOTE(review): as with LOCKOUT, this system-computed bit may not appear in the stored
        /// attribute; confirm against msDS-User-Account-Control-Computed.
        /// </remarks>
        PASSWORD_EXPIRED = 0x00800000,

        /// <summary>
        /// The account is enabled for delegation. This is a security-sensitive setting; accounts
        /// with this option enabled should be strictly controlled. It enables a service running
        /// under the account to assume a client identity and authenticate as that user to other
        /// remote servers on the network.
        /// </summary>
        TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000,

        /// <summary>The account is a read-only domain controller (RODC).</summary>
        /// <remarks>Security-sensitive: this bit should only appear on genuine RODC accounts.</remarks>
        PARTIAL_SECRETS_ACCOUNT = 0x04000000,

        /// <summary>
        /// NOTE(review): this bit is not described in the KB article the question references;
        /// confirm its meaning against current Microsoft protocol documentation before relying on it.
        /// </summary>
        USE_AES_KEYS = 0x08000000
    }
    
