One way to do things is to use IADsUser
interface(http://msdn.microsoft.com/en-us/library/Aa746340) property
"AccountDisabled". Found some info on
http://mow001.blogspot.com/2006/09/powershell-rc2-and-active-directory_29.html
But shortly it's like this:
$user="LDAP://"+"[user distinguished name]"
[user distinguished name] is something like "CN=John
Smith,OU=OrgUni1,OU=OrgUnit2,DC=local,DC=domain,DC=org"
$ADuser=([ADSI]$user)
$AccDis=$ADuser.psbase.invokeget('AccountDisabled')
If ($AccDis) { "User is disabled"} else { "User is enabled" }
Markko
> -----Original Message-----
> From: Michael Leone [mailto:oozerd...@gmail.com]
> Sent: Wednesday, December 28, 2011 2:01 PM
> To: NT System Admin Issues
> Subject: Deciphering "UserAccountControl" using PowerShell
>
> So I know that the AD attribute "UserAccountControl" is the sum of the
> values of 21 different values (i.e., so a value of 546 = 2+32+512, which is
> composed of the sum of the constants ACCOUNT_DISABLED,
> PASSWORD_NOT_REQUIRED, and NORMAL_ACCOUNT). But how do I break
> that down in Powershell? For example, I want to do certain actions if a
> normal user account is disabled. However, I can't just check for a value of
> 514
> (2+512), since - like this example - the value may be different, even tho
> this is
> an account I want to process. So how do I go about testing for
> ACCOUNT_DISABLED within the total value of "UserAccountControl"?
>
> (in my case, I am planning to examine user home folders, and anyone who is
> disabled, move them to a different holding folder. In our case, the user login
> is used as the name of the folder, so I just need to match the folder name
> with the "sAMAccountName" in AD)
>
> Thanks
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
