One way to do things is to use the IADsUser interface (http://msdn.microsoft.com/en-us/library/Aa746340) property "AccountDisabled". Found some info on http://mow001.blogspot.com/2006/09/powershell-rc2-and-active-directory_29.html
But shortly it's like this:

$user="LDAP://"+"[user distinguished name]"

[user distinguished name] is something like "CN=John Smith,OU=OrgUni1,OU=OrgUnit2,DC=local,DC=domain,DC=org"

$ADuser=([ADSI]$user)
$AccDis=$ADuser.psbase.invokeget('AccountDisabled')
If ($AccDis) { "User is disabled" } else { "User is enabled" }

Markko

> -----Original Message-----
> From: Michael Leone [mailto:oozerd...@gmail.com]
> Sent: Wednesday, December 28, 2011 2:01 PM
> To: NT System Admin Issues
> Subject: Deciphering "UserAccountControl" using PowerShell
>
> So I know that the AD attribute "UserAccountControl" is the sum of the
> values of 21 different values (i.e., so a value of 546 = 2+32+512, which is
> composed of the sum of the constants ACCOUNT_DISABLED,
> PASSWORD_NOT_REQUIRED, and NORMAL_ACCOUNT). But how do I break
> that down in Powershell? For example, I want to do certain actions if a
> normal user account is disabled. However, I can't just check for a value of
> 514 (2+512), since - like this example - the value may be different, even tho
> this is an account I want to process. So how do I go about testing for
> ACCOUNT_DISABLED within the total value of "UserAccountControl"?
>
> (in my case, I am planning to examine user home folders, and anyone who is
> disabled, move them to a different holding folder. In our case, the user login
> is used as the name of the folder, so I just need to match the folder name
> with the "sAMAccountName" in AD)
>
> Thanks
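
Added example, not part of either message above: testing individual bits of "UserAccountControl" with PowerShell's -band operator instead of comparing against fixed sums such as 514. The function names Get-UacFlagNames and Test-DisabledNormalUser are hypothetical, the flag names follow Microsoft's documentation (which spells them differently from the question), the sample values are constructed, and PowerShell 3.0 or later is assumed.

```powershell
# userAccountControl bit flags, names and values as documented by Microsoft.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0000001
    ACCOUNTDISABLE                 = 0x0000002   # "ACCOUNT_DISABLED" in the question
    HOMEDIR_REQUIRED               = 0x0000008
    LOCKOUT                        = 0x0000010
    PASSWD_NOTREQD                 = 0x0000020   # "PASSWORD_NOT_REQUIRED" in the question
    PASSWD_CANT_CHANGE             = 0x0000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0000080
    TEMP_DUPLICATE_ACCOUNT         = 0x0000100
    NORMAL_ACCOUNT                 = 0x0000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0000800
    WORKSTATION_TRUST_ACCOUNT      = 0x0001000
    SERVER_TRUST_ACCOUNT           = 0x0002000
    DONT_EXPIRE_PASSWORD           = 0x0010000
    MNS_LOGON_ACCOUNT              = 0x0020000
    SMARTCARD_REQUIRED             = 0x0040000
    TRUSTED_FOR_DELEGATION         = 0x0080000
    NOT_DELEGATED                  = 0x0100000
    USE_DES_KEY_ONLY               = 0x0200000
    DONT_REQ_PREAUTH               = 0x0400000
    PASSWORD_EXPIRED               = 0x0800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function Get-UacFlagNames {
    param([Parameter(Mandatory)][int]$Value)
    # A flag is set when ANDing the value with that flag's bit is non-zero.
    $UacFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Test-DisabledNormalUser {
    param([Parameter(Mandatory)][int]$Value)
    # Both bits must be set; any other flags in the value are ignored.
    $required = $UacFlags.ACCOUNTDISABLE -bor $UacFlags.NORMAL_ACCOUNT
    ($Value -band $required) -eq $required
}

# Constructed sample values: 546 and 514 are disabled normal users, 512 and
# 66048 are enabled users, 4098 is a disabled workstation (computer) account.
foreach ($uac in 546, 514, 512, 66048, 4098) {
    '{0,6}  disabled user: {1,-5}  {2}' -f $uac,
        (Test-DisabledNormalUser $uac), ((Get-UacFlagNames $uac) -join ', ')
}
```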