Monday, April 27, 2020

AD user account status

Code to AD properties

The userAccountControl value is the sum of the codes of every property set on the account.

References:
http://medgarnet.blogspot.com/2010/05/ad-useraccountcontrol-values.html
https://support.microsoft.com/en-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
http://ananthdeodhar.com/php-active-directory-integration-get-useraccountcontrol-attributes/

512 - Enable Account
514 - Disable account (512 + 2)
544 - Account Enabled - Require user to change password at first logon (512 + 32)
4096 - Workstation/server
66048 - Enabled, password never expires (512 + 65536)
66050 - Disabled, password never expires (512 + 2 + 65536)
66080 - Enabled, DONT_EXPIRE_PASSWORD + PASSWD_NOTREQD (512 + 65536 + 32)
262656 - Smart Card Logon Required
532480 - Domain controller


1 - script
2 - accountdisable
8 - homedir_required
16 - lockout
32 - password_not_reqd
64 - password_cant_change
128 - encrypted_text_pwd_allowed
256 - temp_duplicate_account
512 - normal_account
2048 - interdomain_trust_account
4096 - workstation_trust_account
8192 - server_trust_account
65536 - dont_expire_password
131072 - mns_logon_account
262144 - smartcard_required
524288 - trusted_for_delegation
1048576 - not_delegated
2097152 - use_des_key_only
4194304 - dont_req_preauth
8388608 - password_expired
16777216 - trusted_to_auth_for_delegation

Property flag - Hexadecimal value - Decimal value
SCRIPT - 0x0001 - 1
ACCOUNTDISABLE - 0x0002 - 2
HOMEDIR_REQUIRED - 0x0008 - 8
LOCKOUT - 0x0010 - 16
PASSWD_NOTREQD - 0x0020 - 32
PASSWD_CANT_CHANGE - 0x0040 - 64
Note: You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the "Property flag descriptions" section.
ENCRYPTED_TEXT_PWD_ALLOWED - 0x0080 - 128
TEMP_DUPLICATE_ACCOUNT - 0x0100 - 256
NORMAL_ACCOUNT - 0x0200 - 512
INTERDOMAIN_TRUST_ACCOUNT - 0x0800 - 2048
WORKSTATION_TRUST_ACCOUNT - 0x1000 - 4096
SERVER_TRUST_ACCOUNT - 0x2000 - 8192
DONT_EXPIRE_PASSWORD - 0x10000 - 65536
MNS_LOGON_ACCOUNT - 0x20000 - 131072
SMARTCARD_REQUIRED - 0x40000 - 262144
TRUSTED_FOR_DELEGATION - 0x80000 - 524288
NOT_DELEGATED - 0x100000 - 1048576
USE_DES_KEY_ONLY - 0x200000 - 2097152
DONT_REQ_PREAUTH - 0x400000 - 4194304
PASSWORD_EXPIRED - 0x800000 - 8388608
TRUSTED_TO_AUTH_FOR_DELEGATION - 0x1000000 - 16777216
PARTIAL_SECRETS_ACCOUNT - 0x04000000 - 67108864
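
Going the other way, from a stored value back to its flags, means testing each bit with a bitwise AND. The PowerShell below is an added example, not code from the referenced articles: the flag table is copied from this page, while the function name ConvertFrom-UserAccountControl and the $ReviewFlags selection are this example's own assumptions.

```powershell
# Flag names and bit values as listed on this page.
$UacFlags = [ordered]@{
    SCRIPT = 0x1; ACCOUNTDISABLE = 0x2; HOMEDIR_REQUIRED = 0x8; LOCKOUT = 0x10
    PASSWD_NOTREQD = 0x20; PASSWD_CANT_CHANGE = 0x40; ENCRYPTED_TEXT_PWD_ALLOWED = 0x80
    TEMP_DUPLICATE_ACCOUNT = 0x100; NORMAL_ACCOUNT = 0x200; INTERDOMAIN_TRUST_ACCOUNT = 0x800
    WORKSTATION_TRUST_ACCOUNT = 0x1000; SERVER_TRUST_ACCOUNT = 0x2000
    DONT_EXPIRE_PASSWORD = 0x10000; MNS_LOGON_ACCOUNT = 0x20000; SMARTCARD_REQUIRED = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000; NOT_DELEGATED = 0x100000; USE_DES_KEY_ONLY = 0x200000
    DONT_REQ_PREAUTH = 0x400000; PASSWORD_EXPIRED = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000; PARTIAL_SECRETS_ACCOUNT = 0x4000000
}

# Assumption: flags this example marks for an auditor's attention (not a list from the page).
$ReviewFlags = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'DONT_EXPIRE_PASSWORD',
               'TRUSTED_FOR_DELEGATION', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH',
               'TRUSTED_TO_AUTH_FOR_DELEGATION'

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    $set = @()      # names of the flags whose bit is set in $Value
    $known = 0      # OR of every set bit that the table could name
    foreach ($name in $UacFlags.Keys) {
        $bit = $UacFlags[$name]
        if (($Value -band $bit) -ne 0) { $set += $name; $known = $known -bor $bit }
    }
    [pscustomobject]@{
        Value       = $Value
        Enabled     = ($Value -band $UacFlags.ACCOUNTDISABLE) -eq 0
        Flags       = $set
        Review      = @($set | Where-Object { $ReviewFlags -contains $_ })
        UnknownBits = '0x{0:X}' -f ($Value -bxor $known)   # set bits missing from the table
    }
}

# Sample values: the first four appear on this page; 4194816 (512 + 4194304) is constructed.
514, 66080, 262656, 532480, 4194816 |
    ForEach-Object { ConvertFrom-UserAccountControl -Value $_ } |
    Format-Table Value, Enabled, UnknownBits,
        @{ Name = 'Flags';  Expression = { $_.Flags -join ', ' } },
        @{ Name = 'Review'; Expression = { $_.Review -join ', ' } } -Wrap -AutoSize
```

On Windows Server 2003 and later domains, LOCKOUT and PASSWORD_EXPIRED are reported through the msDS-User-Account-Control-Computed attribute rather than userAccountControl, so a decoded value without those bits does not show that the account is unlocked or that its password is current.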

----------------------------------------------------------------------------

PS C:\> Get-ADPrincipalGroupMembership -Identity username | Select-Object Name | Where-Object { $_.Name -like '*ad group*' -or $_.Name -like '*ADNAME*' } | Sort-Object Name
