Re: Deciphering "UserAccountControl" using PowerShell

[Mike Leone]

On 12/29/2011 2:54 PM, Michael B. Smith wrote:
Yeah, I don't know exactly what you did, but it works fine, regardless of the 
case. I used your example code and it works fine. See below.
Oh.... you left off the properties accessor. That is, you did 
$user.userAccountControl.Item( 0 ) instead of 
$user.Properties.userAccountControl.Item( 0 ). That's why it failed for you.

Yeah, I just now noticed that. I'm an idiot. But then, you probably knew 
that already ... LOL

Thanks. I'll make note of that. I'm learning this on my own, rather than 
with a class or book (yet), so I'm not as grounded as I could/should be ...


$ADS_UF_ACCOUNT_DISABLED         =       0x00002
$ADS_UF_NORMAL_ACCOUNT        =       0x00200
$UserToFind = "michael.smith"
$Search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$Search.filter = "(&(objectClass=user)(sAMAccountName=$UserToFind))"
$SearchResults=$Search.FindAll()

ForEach ($Result in $SearchResults)
{
        $User=$Result.GetDirectoryEntry()
        $User.givenName
        if ($User.Properties.userAccountControl.Item( 0 ) -band 
$ADS_UF_NORMAL_ACCOUNT )
                {
                        Write-Host "Normal user"
                }
        else
                {
                        Write-Host "Abnormal user"
                }
}


Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, December 29, 2011 2:40 PM
To: NT System Admin Issues
Subject: RE: Deciphering "UserAccountControl" using PowerShell

Huh. Below is working code from a production script. Just for grins and 
giggles, can you try it all in lower-case? That is:

        $uac = $user.properties.useraccountcontrol.item( 0 )

(And by the way, if an object has a default method, which ADSI objects do, PowerShell respects 
those too - that's why you can use "[0]" instead of ".Item( 0 )". The Item() 
method is the default method.)

$users = $directorySearcher.FindAll()
foreach( $user in $users )
{
        line " "
        $propertyBag = $user.properties
        if( !$propertybag )
        {
                line "error! null propertybag!"
                continue
        }

        $uacObj = $propertyBag.useraccountcontrol
        if( $uacObj )
        {
                $uac = $uacObj.item( 0 )
        }
        else
        {
                line "no uac, assumed 0x200"
                $uac = $ADS_UF_NORMAL_ACCOUNT
        }
        $uacObj = $null


Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: Michael Leone [mailto:oozerd...@gmail.com]
Sent: Thursday, December 29, 2011 2:30 PM
To: NT System Admin Issues
Subject: Re: Deciphering "UserAccountControl" using PowerShell

On Wed, Dec 28, 2011 at 3:54 PM, Michael B. Smith<mich...@smithcons.com>  wrote:
A PropertyValueCollection has to be changed to an Int32. For a singleton like 
userAccountControl, it will typically be something like:

$uac = $user.Properties.userAccountControl.Item( 0 )

That didn't work for me ...

PS Z:\PHA Scripts>  .\FindUser.PS1

Method invocation failed because
[System.DirectoryServices.DirectoryEntry] doesn't contain a method
named 'userAccountControl'.
At Z:\PHA Scripts\FindUser.PS1:22 char:33
+     $uac = $User.userAccountControl<<<<  (0)
     + CategoryInfo          : InvalidOperation:
(userAccountControl:String) [], RuntimeException
     + FullyQualifiedErrorId : MethodNotFound

-------------------------

Doing this, did work:

        $uac = $User.userAccountControl[0]

(note square brackets, not parens.


Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: Michael Leone [mailto:oozerd...@gmail.com]
Sent: Wednesday, December 28, 2011 3:18 PM
To: NT System Admin Issues
Subject: Re: Deciphering "UserAccountControl" using PowerShell

On Wed, Dec 28, 2011 at 2:44 PM, Ben Scott<mailvor...@gmail.com>  wrote:

  Do a bitwise AND between the candidate user's value and ACCOUNT_DISABLED.

  I'm only on page 143 of "PowerShell in Action", and haven't gotten
to bitwise operators yet, but Google results suggest this should work:

if ($user.UserAccountControl -band $ACCOUNT_DISABLED) { ...

Not working for me ... here's the script, and if fails on that IF ...

$ADS_UF_ACCOUNTDISABLED         =       0x00002
$ADS_UF_NORMAL_ACCOUNT        =       0x00200
$UserToFind = "leonem"
$Search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$Search.filter = "(&(objectClass=user)(sAMAccountName=$UserToFind))"
$SearchResults=$Search.FindAll()

ForEach ($Result in $SearchResults) {
        $User=$Result.GetDirectoryEntry()
        $User.givenName
        if ($User.userAccountControl -band $ADS_UF_NORMAL_ACCOUNT )
                {
                        Write-Host "Normal user"
                }
        else
                {
                        Write-Host "Abnormal user"
                }
}

PS Z:\PHA Scripts>  .\FindUser.PS1
Michael
The '-band' operator failed: Cannot convert the
"System.DirectoryServices.PropertyValueCollection" value of type
"System.DirectoryServices.PropertyValueCollection" to type
"System.Int32"..
At Z:\PHA Scripts\FindUser.PS1:11 char:36
+     if ($User.userAccountControl -band<<<<    $ADS_UF_NORMAL_ACCOUNT )
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : OperatorFailed

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>    ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>    ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin