More userAccountControl Flag Fun (Convert-ToUACFlag.ps1)
A question on the newsgroup made me think about this. While I personally prefer the decimal value that comes back from userAccountControl, others may prefer to actually see the FLAGS that are set.
Here is the script I came up with. It outputs an array by default; -toString outputs a comma-delimited string instead.
It also has a -help function, and -verbose adds a description of each UAC flag.
Convert-ToUACFlag.ps1
Param([int]$uac,[switch]$ToString,[switch]$help,[switch]$verbose)
function HelpMe{
Write-Host
Write-Host " Convert-ToUACFlag.ps1:" -fore Green
Write-Host " Converts UAC from Decimal or Hex to User Account Control Flags (described verbose help)"
Write-Host
Write-Host " Parameters:" -fore Green
Write-Host " -UAC : Parameter User Account Control Value"
Write-Host " -toString : [SWITCH] Output to String instead of Array"
Write-Host " -Help : [SWITCH] Displays This"
Write-Host " -Verbose : [SWITCH] Displays This and User Account Control Definitions"
Write-Host
Write-Host " Examples:" -fore Green
Write-Host " Convert to Flag getting back array" -fore White
Write-Host " .\Convert-ToUACFlag.ps1 69649" -fore Yellow
Write-Host " Convert to Flag getting back string" -fore White
Write-Host " .\Convert-ToUACFlag.ps1 69649 -toString" -fore Yellow
Write-Host
if($verbose)
{
Write-Host " User Account Control Flags and Definition" -fore Green
Write-Host " + SCRIPT" -fore Yellow
Write-Host " - The logon script will be run."
Write-Host
Write-Host " + ACCOUNTDISABLE" -fore Yellow
Write-Host " - The user account is disabled."
Write-Host
Write-Host " + HOMEDIR_REQUIRED" -fore Yellow
Write-Host " - The home folder is required."
Write-Host
Write-Host " + PASSWD_NOTREQD" -fore Yellow
Write-Host " - No password is required."
Write-Host
Write-Host " + PASSWD_CANT_CHANGE" -fore Yellow
Write-Host " - The user cannot change the password."
Write-Host " - This is a permission on the user’s object."
Write-Host
Write-Host " + ENCRYPTED_TEXT_PASSWORD_ALLOWED" -fore Yellow
Write-Host " - The user can send an encrypted password."
Write-Host
Write-Host " + TEMP_DUPLICATE_ACCOUNT" -fore Yellow
Write-Host " - This is an account for users whose primary account is in another domain."
Write-Host " - This account provides user access to this domain,"
Write-Host " but not to any domain that trusts this domain."
Write-Host " - This is sometimes referred to as a local user account."
Write-Host
Write-Host " + NORMAL_ACCOUNT" -fore Yellow
Write-Host " - This is a default account type that represents a typical user."
Write-Host
Write-Host " + INTERDOMAIN_TRUST_ACCOUNT" -fore Yellow
Write-Host " - This is a permit to trust an account for a system domain that trusts other domains."
Write-Host
Write-Host " + WORKSTATION_TRUST_ACCOUNT" -fore Yellow
Write-Host " - This is a computer account for a computer that is running"
Write-Host " - Microsoft Windows NT 4.0 and above and is a member of this domain."
Write-Host
Write-Host " + SERVER_TRUST_ACCOUNT" -fore Yellow
Write-Host " - This is a computer account for a domain controller that is a member of this domain."
Write-Host
Write-Host " + DONT_EXPIRE_PASSWD" -fore Yellow
Write-Host " - Represents the password, which should never expire on the account."
Write-Host
Write-Host " + MNS_LOGON_ACCOUNT" -fore Yellow
Write-Host " - This is an MNS logon account."
Write-Host
Write-Host " + SMARTCARD_REQUIRED" -fore Yellow
Write-Host " - When this flag is set, it forces the user to log on by using a smart card."
Write-Host
Write-Host " + TRUSTED_FOR_DELEGATION" -fore Yellow
Write-Host " - When this flag is set, the service account (the user or computer account)"
Write-Host " under which a service runs is trusted for Kerberos delegation."
Write-Host " - Any such service can impersonate a client requesting the service."
Write-Host " - To enable a service for Kerberos delegation, you must set this flag on the"
Write-Host " userAccountControl property of the service account."
Write-Host
Write-Host " + NOT_DELEGATED" -fore Yellow
Write-Host " - When this flag is set, the security context of the user is not delegated to"
Write-Host " a service even if the service account is set as trusted for Kerberos delegation."
Write-Host
Write-Host " + USE_DES_KEY_ONLY" -fore Yellow
Write-Host " - (Windows 2000/Windows Server 2003) Restrict this principal to use only"
Write-Host " Data Encryption Standard (DES) encryption types for keys."
Write-Host
Write-Host " + DONT_REQUIRE_PREAUTH" -fore Yellow
Write-Host " - (Windows 2000/Windows Server 2003) This account does not require"
Write-Host " Kerberos pre+authentication for logging on."
Write-Host
Write-Host " + PASSWORD_EXPIRED" -fore Yellow
Write-Host " - (Windows 2000/Windows Server 2003) The user’s password has expired."
Write-Host
Write-Host " + TRUSTED_TO_AUTH_FOR_DELEGATION" -fore Yellow
Write-Host " - (Windows 2000/Windows Server 2003) The account is enabled for delegation."
Write-Host " - This is a security-sensitive setting."
Write-Host " - Accounts with this option enabled should be tightly controlled."
Write-Host " - This setting allows a service that runs under the account to assume a client’s"
Write-Host " identity and authenticate as that user to other remote servers on the network."
}
Write-Host
}
# With no value (or -help) show usage; -verbose on its own also prints the flag definitions.
if(!$uac -or $help){HelpMe;Return}
$flags = @()
# Each condition tests one bit: OR-ing a bit in leaves the value unchanged only if that bit was already set.
switch ($uac)
{
{($uac -bor 0x0001) -eq $uac} {$flags += "SCRIPT"}
{($uac -bor 0x0002) -eq $uac} {$flags += "ACCOUNTDISABLE"}
{($uac -bor 0x0008) -eq $uac} {$flags += "HOMEDIR_REQUIRED"}
{($uac -bor 0x0010) -eq $uac} {$flags += "LOCKOUT"}
{($uac -bor 0x0020) -eq $uac} {$flags += "PASSWD_NOTREQD"}
{($uac -bor 0x0040) -eq $uac} {$flags += "PASSWD_CANT_CHANGE"}
{($uac -bor 0x0080) -eq $uac} {$flags += "ENCRYPTED_TEXT_PWD_ALLOWED"}
{($uac -bor 0x0100) -eq $uac} {$flags += "TEMP_DUPLICATE_ACCOUNT"}
{($uac -bor 0x0200) -eq $uac} {$flags += "NORMAL_ACCOUNT"}
{($uac -bor 0x0800) -eq $uac} {$flags += "INTERDOMAIN_TRUST_ACCOUNT"}
{($uac -bor 0x1000) -eq $uac} {$flags += "WORKSTATION_TRUST_ACCOUNT"}
{($uac -bor 0x2000) -eq $uac} {$flags += "SERVER_TRUST_ACCOUNT"}
{($uac -bor 0x10000) -eq $uac} {$flags += "DONT_EXPIRE_PASSWORD"}
{($uac -bor 0x20000) -eq $uac} {$flags += "MNS_LOGON_ACCOUNT"}
{($uac -bor 0x40000) -eq $uac} {$flags += "SMARTCARD_REQUIRED"}
{($uac -bor 0x80000) -eq $uac} {$flags += "TRUSTED_FOR_DELEGATION"}
{($uac -bor 0x100000) -eq $uac} {$flags += "NOT_DELEGATED"}
{($uac -bor 0x200000) -eq $uac} {$flags += "USE_DES_KEY_ONLY"}
{($uac -bor 0x400000) -eq $uac} {$flags += "DONT_REQ_PREAUTH"}
{($uac -bor 0x800000) -eq $uac} {$flags += "PASSWORD_EXPIRED"}
{($uac -bor 0x1000000) -eq $uac} {$flags += "TRUSTED_TO_AUTH_FOR_DELEGATION"}
}
# -toString joins the names with commas; otherwise the array is returned as-is.
if($toString){$flags | %{if($mystring){$mystring += ",$_"}else{$mystring = $_}};$mystring}else{$flags}
Oisin the “obsessive programmer” sent me this as another option:
param([int]$value)
# Index i holds the name of bit 2^i; empty strings mark bits that are unused or not listed here (bit 0, SCRIPT, is left blank).
$flags = @("","ACCOUNTDISABLE","", "HOMEDIR_REQUIRED",
"LOCKOUT", "PASSWD_NOTREQD","PASSWD_CANT_CHANGE", "ENCRYPTED_TEXT_PWD_ALLOWED",
"TEMP_DUPLICATE_ACCOUNT", "NORMAL_ACCOUNT", "","INTERDOMAIN_TRUST_ACCOUNT", "WORKSTATION_TRUST_ACCOUNT",
"SERVER_TRUST_ACCOUNT", "", "", "DONT_EXPIRE_PASSWORD", "MNS_LOGON_ACCOUNT", "SMARTCARD_REQUIRED",
"TRUSTED_FOR_DELEGATION", "NOT_DELEGATED","USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
"PASSWORD_EXPIRED", "TRUSTED_TO_AUTH_FOR_DELEGATION")
# Emit the name of every set bit; the range stops at the last valid index of the array.
1..($flags.length - 1) | ? {$value -band [math]::Pow(2,$_)} | % { $flags[$_] }
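As an added example (not the script from the post and not Oisin's snippet), here is the same decoding driven from a table of flag names and values, together with the inverse conversion and a small review pass that lists the bits a defender usually wants to look at on each account. The flag values are Microsoft's documented userAccountControl constants; PARTIAL_SECRETS_ACCOUNT is a later read-only domain controller flag that the post does not list. The function names, the review list and the sample accounts are constructed for this example.

```powershell
# Added example (not the script from the post): decode, rebuild and review userAccountControl bits.
# Flag values are Microsoft's documented constants; PARTIAL_SECRETS_ACCOUNT (RODC) is not in the post.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

function ConvertFrom-UacValue {
    # Name every bit that is set in $Value, in ascending bit order.
    param([Parameter(Mandatory=$true)][int]$Value)
    foreach ($name in $UacFlags.Keys) {
        if ($Value -band $UacFlags[$name]) { $name }
    }
}

function ConvertTo-UacValue {
    # Inverse of ConvertFrom-UacValue: OR the named bits back into one integer.
    param([Parameter(Mandatory=$true)][string[]]$Flag)
    $value = 0
    foreach ($f in $Flag) {
        if (-not $UacFlags.Contains($f)) { throw "Unknown userAccountControl flag: $f" }
        $value = $value -bor $UacFlags[$f]
    }
    return $value
}

# Bits that relax authentication or widen what the account may do; each one set is worth a look.
# This list is a starting point chosen for the example, not a complete policy.
$ReviewFlags = @('PASSWD_NOTREQD', 'DONT_REQ_PREAUTH', 'USE_DES_KEY_ONLY',
                 'TRUSTED_FOR_DELEGATION', 'TRUSTED_TO_AUTH_FOR_DELEGATION', 'DONT_EXPIRE_PASSWORD')

function Find-UacReviewItems {
    # Report, per account, which review-worthy bits are set. Input objects only need
    # SamAccountName and userAccountControl, which a Get-ADUser or ldifde export provides.
    param([Parameter(Mandatory=$true)][object[]]$Account)
    foreach ($a in $Account) {
        $set  = @(ConvertFrom-UacValue -Value ([int]$a.userAccountControl))
        $hits = @($set | Where-Object { $ReviewFlags -contains $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $a.SamAccountName
                Flags          = ($set -join ',')
                Review         = ($hits -join ',')
            }
        }
    }
}

# Constructed sample rows (hypothetical accounts, not real directory data).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';       userAccountControl = 512 }     # NORMAL_ACCOUNT only
    [pscustomobject]@{ SamAccountName = 'svc-batch';  userAccountControl = 66048 }   # plus DONT_EXPIRE_PASSWORD
    [pscustomobject]@{ SamAccountName = 'svc-legacy'; userAccountControl = 4260352 } # plus DONT_REQ_PREAUTH
    [pscustomobject]@{ SamAccountName = 'kiosk';      userAccountControl = 544 }     # plus PASSWD_NOTREQD
    [pscustomobject]@{ SamAccountName = 'old-user';   userAccountControl = 514 }     # plus ACCOUNTDISABLE
)

# Decode the post's own example value, round-trip a flag list, then run the review over the sample.
(ConvertFrom-UacValue -Value 69649) -join ','
ConvertTo-UacValue -Flag 'NORMAL_ACCOUNT', 'DONT_EXPIRE_PASSWORD'
Find-UacReviewItems -Account $sample | Format-Table -AutoSize
```

Decoding the post's example value 69649 with this table gives SCRIPT, LOCKOUT, WORKSTATION_TRUST_ACCOUNT and DONT_EXPIRE_PASSWORD, the same four bits the original switch reports once SCRIPT is included. The table-driven form has one practical advantage over the switch: adding a flag is a one-line change in the hashtable, and ConvertTo-UacValue will refuse a misspelled flag name rather than silently producing the wrong value. To run the review over a real export, replace $sample with the output of Get-ADUser -Filter * -Properties userAccountControl (or an equivalent LDAP query).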
tshell :: Mar.28.2008 :: Active Directory, HowTo, Powershell, Scripting
