Yeah, I don't know exactly what you did, but it works fine, regardless of the
case. I used your example code and it works fine. See below.
Oh.... you left off the properties accessor. That is, you did
$user.userAccountControl.Item( 0 ) instead of
$user.Properties.userAccountControl.Item( 0 ). That's why it failed for you.
$ADS_UF_ACCOUNT_DISABLED = 0x00002
$ADS_UF_NORMAL_ACCOUNT = 0x00200
$UserToFind = "michael.smith"
$Search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$Search.filter = "(&(objectClass=user)(sAMAccountName=$UserToFind))"
$SearchResults=$Search.FindAll()
ForEach ($Result in $SearchResults)
{
$User=$Result.GetDirectoryEntry()
$User.givenName
if ($User.Properties.userAccountControl.Item( 0 ) -band
$ADS_UF_NORMAL_ACCOUNT )
{
Write-Host "Normal user"
}
else
{
Write-Host "Abnormal user"
}
}
Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
-----Original Message-----
From: Michael B. Smith [mailto:[email protected]]
Sent: Thursday, December 29, 2011 2:40 PM
To: NT System Admin Issues
Subject: RE: Deciphering "UserAccountControl" using PowerShell
Huh. Below is working code from a production script. Just for grins and
giggles, can you try it all in lower-case? That is:
$uac = $user.properties.useraccountcontrol.item( 0 )
(And by the way, if an object has a default method, which ADSI objects do,
PowerShell respects those too - that's why you can use "[0]" instead of ".Item(
0 )". The Item() method is the default method.)
$users = $directorySearcher.FindAll()
foreach( $user in $users )
{
line " "
$propertyBag = $user.properties
if( !$propertybag )
{
line "error! null propertybag!"
continue
}
$uacObj = $propertyBag.useraccountcontrol
if( $uacObj )
{
$uac = $uacObj.item( 0 )
}
else
{
line "no uac, assumed 0x200"
$uac = $ADS_UF_NORMAL_ACCOUNT
}
$uacObj = $null
Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
-----Original Message-----
From: Michael Leone [mailto:[email protected]]
Sent: Thursday, December 29, 2011 2:30 PM
To: NT System Admin Issues
Subject: Re: Deciphering "UserAccountControl" using PowerShell
On Wed, Dec 28, 2011 at 3:54 PM, Michael B. Smith <[email protected]> wrote:
> A PropertyValueCollection has to be changed to an Int32. For a singleton like
> userAccountControl, it will typically be something like:
>
> $uac = $user.Properties.userAccountControl.Item( 0 )
That didn't work for me ...
PS Z:\PHA Scripts> .\FindUser.PS1
Method invocation failed because
[System.DirectoryServices.DirectoryEntry] doesn't contain a method
named 'userAccountControl'.
At Z:\PHA Scripts\FindUser.PS1:22 char:33
+ $uac = $User.userAccountControl <<<< (0)
+ CategoryInfo : InvalidOperation:
(userAccountControl:String) [], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound
-------------------------
Doing this, did work:
$uac = $User.userAccountControl[0]
(note square brackets, not parens.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
>
> -----Original Message-----
> From: Michael Leone [mailto:[email protected]]
> Sent: Wednesday, December 28, 2011 3:18 PM
> To: NT System Admin Issues
> Subject: Re: Deciphering "UserAccountControl" using PowerShell
>
> On Wed, Dec 28, 2011 at 2:44 PM, Ben Scott <[email protected]> wrote:
>
>> Do a bitwise AND between the candidate user's value and ACCOUNT_DISABLED.
>>
>> I'm only on page 143 of "PowerShell in Action", and haven't gotten
>> to bitwise operators yet, but Google results suggest this should work:
>>
>> if ($user.UserAccountControl -band $ACCOUNT_DISABLED) { ...
>
> Not working for me ... here's the script, and if fails on that IF ...
>
> $ADS_UF_ACCOUNTDISABLED = 0x00002
> $ADS_UF_NORMAL_ACCOUNT = 0x00200
> $UserToFind = "leonem"
> $Search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
> $Search.filter = "(&(objectClass=user)(sAMAccountName=$UserToFind))"
> $SearchResults=$Search.FindAll()
>
> ForEach ($Result in $SearchResults) {
> $User=$Result.GetDirectoryEntry()
> $User.givenName
> if ($User.userAccountControl -band $ADS_UF_NORMAL_ACCOUNT )
> {
> Write-Host "Normal user"
> }
> else
> {
> Write-Host "Abnormal user"
> }
> }
>
> PS Z:\PHA Scripts> .\FindUser.PS1
> Michael
> The '-band' operator failed: Cannot convert the
> "System.DirectoryServices.PropertyValueCollection" value of type
> "System.DirectoryServices.PropertyValueCollection" to type
> "System.Int32"..
> At Z:\PHA Scripts\FindUser.PS1:11 char:36
> + if ($User.userAccountControl -band <<<< $ADS_UF_NORMAL_ACCOUNT )
> + CategoryInfo : InvalidOperation: (:) [], RuntimeException
> + FullyQualifiedErrorId : OperatorFailed
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
