JSI Tip 8071. How can I decode the userAccountControl attribute?


When you user the DSQUERY command to return the userAccountControl attribute, it is returned as a numeric value.

I have scripted userAccountControl.bat to translate this value.

The syntax for using userAccountControl.bat is:

call userAccountControl uac CommaSeparatedString

Where uac is the numeric value of the userAccountControl attribute, and CommaSeparatedString is a call directed environment variable that will contain from 1 through n 'descriptions', separated by commas.

userAccountControl.bat contains:

@echo off
if \{%2\}==\{\} @echo Syntax: call userAccountControl uac CommaSeparatedString&goto :EOF
if "%1" EQU "512" set %2=NORMAL_ACCOUNT&goto :EOF
setlocal
set /a uac=%1
set %2=Unknown
set css=
if %uac% GEQ 16777216 set css=%css%,TRUSTED_TO_AUTH_FOR_DELEGATION&set /a uac=%uac% - 16777216
:GEQ
if %uac% GEQ 16777216 set /a uac=%uac% - 16777216&goto GEQ
if %uac% GEQ 8388608 set css=%css%, PASSWORD_EXPIRED&set /a uac=%uac% - 8388608
if %uac% GEQ 4194304 set css=%css%, DONT_REQ_PREAUTH&set /a uac=%uac% - 4194304
if %uac% GEQ 2097152 set css=%css%, USE_DES_KEY_ONLY&set /a uac=%uac% - 2097152
if %uac% GEQ 1048576 set css=%css%, NOT_DELEGATED&set /a uac=%uac% - 1048576
if %uac% GEQ 524288 set css=%css%, TRUSTED_FOR_DELEGATION&set /a uac=%uac% - 524288
if %uac% GEQ 262144 set css=%css%, SMARTCARD_REQUIRED&set /a uac=%uac% - 262144
if %uac% GEQ 131072 set css=%css%, MNS_LOGON_ACCOUNT&set /a uac=%uac% - 131072
if %uac% GEQ 65536 set css=%css%,DONT_EXPIRE_PASSWD&set /a uac=%uac% - 65536
if %uac% GEQ 32768 set css=%css%,UNKNOWN&set /a uac=%uac% - 32768
if %uac% GEQ 16384 set css=%css%,UNKNOWN&set /a uac=%uac% - 16384
if %uac% GEQ 8192 set css=%css%,SERVER_TRUST_ACCOUNT&set /a uac=%uac% - 8192
if %uac% GEQ 4096 set css=%css%,WORKSTATION_TRUST_ACCOUNT&set /a uac=%uac% - 4096
if %uac% GEQ 2048 set css=%css%,INTERDOMAIN_TRUST_ACCOUNT&set /a uac=%uac% - 2048
if %uac% GEQ 1024 set css=%css%,UNKNOWN&set /a uac=%uac% - 1024
if %uac% GEQ 512 set css=%css%,NORMAL_ACCOUNT&set /a uac=%uac% - 512
if %uac% GEQ 256 set css=%css%,TEMP_DUPLICATE_ACCOUNT&set /a uac=%uac% - 256
if %uac% GEQ 128 set css=%css%,UNKNOWN&set /a uac=%uac% - 128
if %uac% GEQ 64 set css=%css%,PASSWD_CANT_CHANGE&set /a uac=%uac% - 64
if %uac% GEQ 32 set css=%css%,PASSWD_NOTREQD&set /a uac=%uac% - 32
if %uac% GEQ 16 set css=%css%,LOCKOUT&set /a uac=%uac% - 16
if %uac% GEQ 8 set css=%css%,HOMEDIR_REQUIRED&set /a uac=%uac% - 8
if %uac% GEQ 4 set css=%css%,UNKNOWN&set /a uac=%uac% - 4
if %uac% GEQ 2 set css=%css%,ACCOUNTDISABLE&set /a uac=%uac% - 2
if %uac% GEQ 1 set css=%css%,SCRIPT&set /a uac=%uac% - 1
if %uac% NEQ 0 set css=%css%,UNKNOWN
endlocal&set %2=%css:~1%
NOTE: See How do I use the UserAccountControl flags to manipulate user account properties?



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish