Powershell Active Directory Account Attribute to a variable

Question

Sorry for the newbie question. I am using Powershell 3 to get a list of all user accounts. I am trying to generate an output for accounts, either \"Enabled\" or \"Disabled\". I

Answer 1

The userAccountControl attribute is a bitmap, which means that each bit in the number represents a true (1) or false (0) value. Here is an example:

$ADS_UF_ACCOUNTDISABLE = 2
...
$accountDisabled = ($userObject.Properties["useraccountcontrol"][0] -band $_ADS_UF_ACCOUNTDISABLE) -ne 0

In this example the variable $accountDisabled will contain $TRUE if the account is disabled, or $FALSE otherwise. To check any other bits in the userAccountControl attribute, use the flag values documented at http://msdn.microsoft.com/en-us/library/windows/desktop/aa772300.aspx and combine with -band operator as in this example. If not zero (-ne 0), the bit is set; if zero (-eq 0), the bit is not set. Another example would be to check if the "password never expires" bit is set; you could use code like this:

$ADS_UF_DONT_EXPIRE_PASSWD = 65536
...
$neverExpires = ($userObject.Properties["useraccountcontrol"][0] -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0