Anyone who wants to write scripts for Active Directory will eventually run into the famous userAccountControl attribute. Usually this comes up when you are searching for disabled accounts. Actually this attribute is a bit flag for 22 different account settings! You can find them clearly documented in KB305144. In the GUI you find these settings represented by checkboxes in Active Directory Users and Computers (ADUC) (pictured right).
I’ve done my share of VBScripts over the last 10 years, and this always took more lines of code than I wanted to write. In this example on the Hey Scripting Guy blog you can see it would take 14 lines of code to report on disabled accounts. To make matters worse you had to understand LDAP bitwise filter syntax. In an earlier post I demonstrated this syntax for querying AD based on a bit value.
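Before looking at the cmdlets, it helps to see what the bit flag actually contains. The script below is an added example, not code from the original post: it decodes a raw userAccountControl value into the flag names documented in KB305144 and then runs a small audit over constructed sample accounts. The account names and values are made up so the script runs with no domain at hand; the commented line shows where Get-ADUser output would go instead.

```powershell
# Added example (not from the original post): decode userAccountControl bits
# into the KB305144 flag names and audit a few constructed sample accounts.

# Flag names and bit values as documented in KB305144 (22 flags).
$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Return the name of every flag whose bit is set in $Value.
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Flags worth a second look: each one weakens authentication or widens delegation.
$RiskyFlags = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'DONT_EXPIRE_PASSWORD',
              'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH', 'TRUSTED_FOR_DELEGATION',
              'TRUSTED_TO_AUTH_FOR_DELEGATION'

# Constructed sample accounts (hypothetical names and values, not real directory data).
$SampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'joeuser'; userAccountControl = 512     }  # 0x200    normal, enabled
    [pscustomobject]@{ SamAccountName = 'olduser'; userAccountControl = 66050   }  # 0x10202  normal + disabled + password never expires
    [pscustomobject]@{ SamAccountName = 'svc-des'; userAccountControl = 2097664 }  # 0x200200 normal + DES keys only
    [pscustomobject]@{ SamAccountName = 'web01$';  userAccountControl = 528384  }  # 0x81000  workstation trust + trusted for delegation
)

# For a real domain replace the sample data with:
# $SampleAccounts = Get-ADUser -Filter * -Properties userAccountControl
$SampleAccounts | ForEach-Object {
    $set   = @(ConvertFrom-UserAccountControl -Value $_.userAccountControl)
    $risky = $set | Where-Object { $RiskyFlags -contains $_ }
    [pscustomobject]@{
        SamAccountName = $_.SamAccountName
        Disabled       = $set -contains 'ACCOUNTDISABLE'
        Flags          = $set -join ','
        Review         = $risky -join ','
    }
} | Format-Table -AutoSize
```

The Review column is the part a defender cares about: it lists only the set bits that loosen security, so the report stays readable even when every account carries NORMAL_ACCOUNT.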
The good news is that in Windows Server 2008 R2 and above we have two cmdlets that make this easy.
With the Active Directory module for PowerShell and the Search-ADAccount cmdlet those 14 lines of VBScript turn into a single line:
PS C:\> Search-ADAccount -AccountDisabled
To limit the results to users or computers you can try one of these handy switches:
PS C:\> Search-ADAccount -AccountDisabled -UsersOnly
PS C:\> Search-ADAccount -AccountDisabled -ComputersOnly
The Search-ADAccount cmdlet has several switches that target the userAccountControl bit flags:
Now we don’t have to fuss with all of the fancy LDAP syntax.
The Set-ADAccountControl cmdlet gives us 12 switches to toggle these checkboxes via script:
Now you can turn the flags on and off like this:
PS C:\> Set-ADAccountControl JoeUser -PasswordNeverExpires $true
PS C:\> Set-ADAccountControl JoeUser -PasswordNeverExpires $false
Wow! Now that was easy.
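Putting the two cmdlets together, here is an added example (my own, not from the original post) that inventories one OU with Search-ADAccount and then clears the password-never-expires flag with Set-ADAccountControl. It assumes the Active Directory module is installed; the OU path and the exemption list are placeholders you would replace with your own.

```powershell
# Added example (not from the original post): inventory with Search-ADAccount,
# remediate with Set-ADAccountControl, verify with the same search.
Import-Module ActiveDirectory

$SearchBase = 'OU=ServiceAccounts,DC=example,DC=com'   # placeholder OU, replace with your own

# 1. Inventory: the cmdlet switches replace hand-written LDAP bitwise filters.
$NeverExpires = @(Search-ADAccount -PasswordNeverExpires -UsersOnly -SearchBase $SearchBase)
$Disabled     = @(Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $SearchBase)
$Stale        = @(Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly -SearchBase $SearchBase)

'{0} never-expiring, {1} disabled, {2} inactive for 90+ days' -f $NeverExpires.Count, $Disabled.Count, $Stale.Count

# 2. Remediate: only enabled users, and skip anything on the exemption list.
$Exempt = @('svc-legacy-app')   # constructed placeholder list of approved exceptions
$NeverExpires |
    Where-Object { $_.Enabled -and ($Exempt -notcontains $_.SamAccountName) } |
    ForEach-Object {
        # -WhatIf prints the change without applying it; drop it once the list has been reviewed.
        Set-ADAccountControl -Identity $_ -PasswordNeverExpires $false -WhatIf
    }

# 3. Verify: the remediated accounts should no longer show up here.
Search-ADAccount -PasswordNeverExpires -UsersOnly -SearchBase $SearchBase |
    Select-Object SamAccountName, Enabled
```

Search-ADAccount returns ADAccount objects, so the same object can be piped straight into Set-ADAccountControl as its -Identity; the -WhatIf run gives you a reviewable list before anything in the directory changes.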
If you would like to have me or another Microsoft PFE visit your company and assist with the ideas presented in this blog post, then contact your Microsoft Premier Technical Account Manager (TAM) for booking information.
For more information about becoming a Microsoft Premier customer email PremSale@microsoft.com. Tell them GoateePFE sent you.
thanks for this article. It helps to get all the cool stuff sorted :-)
very nice and makes my life easier.
Unfortunately I get an unspecific error if I try to search for all locked out users (Search-ADAccount -LockedOut):
Can you explain your scenario more? I cannot reproduce that error in my lab. What OS is your client and server? Thanks.
AD domain controllers W2K8R2, forest/domain functional level 2003.
I tried the command on my 2008 R2 admin server and on the DC itself.
I think there are values in the lockoutTime attribute that cause an exception with this cmdlet. But I don't know which values.
Here's the whole error message:
Search-ADAccount : Ungültige Win32-FileTime.
In Zeile:1 Zeichen:1
+ Search-ADAccount -LockedOut
+ CategoryInfo : InvalidArgument: (:) [Search-ADAccount], ArgumentOutOfRangeException
+ FullyQualifiedErrorId : Ungültige Win32-FileTime.
I am trying to search by UseDESKeyOnly. It doesn't seem to be an option with Search-ADAccount and there does not seem to be a Set-ADAccountControl cmdlet. Any ideas?
To find users with the DES flag use this:
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
Get-ADUser -Filter 'userAccountControl -band 2097152'
See this post for an explanation of LDAP bitwise filters:
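The DES query above is one instance of a general pattern, so here is an added example (mine, not from the post or its comments) that builds the equivalent filters for any userAccountControl mask: the LDAP bitwise AND rule, the bitwise OR rule, a negated form for "bit not set", and the -Filter -band form. The functions only return strings, so they run without a domain; the Get-ADUser calls at the end show how they plug in.

```powershell
# Added example (not from the original post or comments): build LDAP bitwise
# filters and the -band -Filter form for any userAccountControl bit mask.

# LDAP extensible-match rule OIDs for bitwise comparison.
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'   # every bit in the mask must be set
$LDAP_MATCHING_RULE_BIT_OR  = '1.2.840.113556.1.4.804'   # any bit in the mask may be set

function New-UacLdapFilter {
    param(
        [Parameter(Mandatory)][int]$Mask,
        [ValidateSet('All', 'Any')][string]$Match = 'All',
        [switch]$Clear   # match accounts where the bits are NOT set
    )
    $rule   = if ($Match -eq 'All') { $LDAP_MATCHING_RULE_BIT_AND } else { $LDAP_MATCHING_RULE_BIT_OR }
    $filter = "(userAccountControl:$($rule):=$Mask)"
    if ($Clear) { "(!$filter)" } else { $filter }
}

function New-UacPSFilter {
    param([Parameter(Mandatory)][int]$Mask)
    # The AD provider's -Filter syntax understands -band, so no OID is needed here.
    "userAccountControl -band $Mask"
}

# Bit values from the page: 2 = ACCOUNTDISABLE, 2097152 = USE_DES_KEY_ONLY.
$DES      = 2097152
$DISABLED = 2

New-UacLdapFilter -Mask $DES                              # (userAccountControl:1.2.840.113556.1.4.803:=2097152)
New-UacLdapFilter -Mask ($DES -bor $DISABLED) -Match Any  # accounts that are disabled OR DES-only
New-UacLdapFilter -Mask $DISABLED -Clear                  # enabled accounts: (!(userAccountControl:...803:=2))
New-UacPSFilter   -Mask $DES                              # userAccountControl -band 2097152

# Against a domain (requires the Active Directory module):
# Get-ADUser -LDAPFilter (New-UacLdapFilter -Mask $DES) -Properties userAccountControl
# Get-ADUser -Filter (New-UacPSFilter -Mask $DES) -Properties userAccountControl
```

The distinction between the two OIDs is the part that trips people up: with the AND rule a combined mask only matches accounts that have every listed bit set, while the OR rule matches any of them, which is what you usually want when hunting for several weak settings in one query.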