
More userAccountControl Flag Fun (Convert-ToUACFlag.ps1)

A question on the NG (newsgroup) made me think about this. While I personally prefer the decimal value that comes from userAccountControl, others may prefer to actually see the FLAGS that are set.

Here is the script I came up with. It outputs an array by default, but -toString will output a "," delimited string instead.

It has a -help switch, and -help -verbose also explains what each UAC flag means.

Convert-ToUACFlag.ps1

# Convert-ToUACFlag.ps1
Param([int]$uac,[switch]$ToString,[switch]$help,[switch]$verbose)
function HelpMe{
    Write-Host
    Write-Host " Convert-ToUACFlag.ps1:" -fore Green
    Write-Host "   Converts UAC from Decimal or Hex to User Account Control Flags (described verbose help)"
    Write-Host
    Write-Host " Parameters:" -fore Green
    Write-Host "   -UAC                   : Parameter User Account Control Value"
    Write-Host "   -toString              : [SWITCH]  Output to String instead of Array"
    Write-Host "   -Help                  : [SWITCH]  Displays This"
    Write-Host "   -Verbose               : [SWITCH]  Displays This and User Account Control Definitions"
    Write-Host
    Write-Host " Examples:" -fore Green
    Write-Host "   Convert to Flag getting back array" -fore White
    Write-Host "     .\Convert-ToUACFlag.ps1 69649" -fore Yellow
    Write-Host "   Convert to Flag getting back string" -fore White
    Write-Host "     .\Convert-ToUACFlag.ps1 69649 -toString" -fore Yellow
    Write-Host
    if($verbose)
    {
        Write-Host " User Account Control Flags and Definition" -fore Green
        Write-Host "  + SCRIPT" -fore Yellow
        Write-Host "    - The logon script will be run."
        Write-Host
        Write-Host "  + ACCOUNTDISABLE" -fore Yellow
        Write-Host "    - The user account is disabled."
        Write-Host
        Write-Host "  + HOMEDIR_REQUIRED" -fore Yellow
        Write-Host "    - The home folder is required."
        Write-Host
        Write-Host "  + LOCKOUT" -fore Yellow
        Write-Host "    - The account is currently locked out."
        Write-Host
        Write-Host "  + PASSWD_NOTREQD" -fore Yellow
        Write-Host "    - No password is required."
        Write-Host
        Write-Host "  + PASSWD_CANT_CHANGE" -fore Yellow
        Write-Host "    - The user cannot change the password."
        Write-Host "    - This is a permission on the user's object."
        Write-Host
        Write-Host "  + ENCRYPTED_TEXT_PWD_ALLOWED" -fore Yellow
        Write-Host "    - The user can send an encrypted password."
        Write-Host
        Write-Host "  + TEMP_DUPLICATE_ACCOUNT" -fore Yellow
        Write-Host "    - This is an account for users whose primary account is in another domain."
        Write-Host "    - This account provides user access to this domain,"
        Write-Host "      but not to any domain that trusts this domain."
        Write-Host "    - This is sometimes referred to as a local user account."
        Write-Host
        Write-Host "  + NORMAL_ACCOUNT" -fore Yellow
        Write-Host "    - This is a default account type that represents a typical user."
        Write-Host
        Write-Host "  + INTERDOMAIN_TRUST_ACCOUNT" -fore Yellow
        Write-Host "    - This is a permit to trust an account for a system domain that trusts other domains."
        Write-Host
        Write-Host "  + WORKSTATION_TRUST_ACCOUNT" -fore Yellow
        Write-Host "    - This is a computer account for a computer that is running"
        Write-Host "    - Microsoft Windows NT 4.0 and above and is a member of this domain."
        Write-Host
        Write-Host "  + SERVER_TRUST_ACCOUNT" -fore Yellow
        Write-Host "    - This is a computer account for a domain controller that is a member of this domain."
        Write-Host
        Write-Host "  + DONT_EXPIRE_PASSWORD" -fore Yellow
        Write-Host "    - Represents the password, which should never expire on the account."
        Write-Host
        Write-Host "  + MNS_LOGON_ACCOUNT" -fore Yellow
        Write-Host "    - This is an MNS logon account."
        Write-Host
        Write-Host "  + SMARTCARD_REQUIRED" -fore Yellow
        Write-Host "    - When this flag is set, it forces the user to log on by using a smart card."
        Write-Host
        Write-Host "  + TRUSTED_FOR_DELEGATION" -fore Yellow
        Write-Host "    - When this flag is set, the service account (the user or computer account)"
        Write-Host "      under which a service runs is trusted for Kerberos delegation."
        Write-Host "    - Any such service can impersonate a client requesting the service."
        Write-Host "    - To enable a service for Kerberos delegation, you must set this flag on the"
        Write-Host "      userAccountControl property of the service account."
        Write-Host
        Write-Host "  + NOT_DELEGATED" -fore Yellow
        Write-Host "    - When this flag is set, the security context of the user is not delegated to"
        Write-Host "      a service even if the service account is set as trusted for Kerberos delegation."
        Write-Host
        Write-Host "  + USE_DES_KEY_ONLY" -fore Yellow
        Write-Host "    - (Windows 2000/Windows Server 2003) Restrict this principal to use only"
        Write-Host "      Data Encryption Standard (DES) encryption types for keys."
        Write-Host
        Write-Host "  + DONT_REQ_PREAUTH" -fore Yellow
        Write-Host "    - (Windows 2000/Windows Server 2003) This account does not require"
        Write-Host "      Kerberos pre-authentication for logging on."
        Write-Host
        Write-Host "  + PASSWORD_EXPIRED" -fore Yellow
        Write-Host "    - (Windows 2000/Windows Server 2003) The user's password has expired."
        Write-Host
        Write-Host "  + TRUSTED_TO_AUTH_FOR_DELEGATION" -fore Yellow
        Write-Host "    - (Windows 2000/Windows Server 2003) The account is enabled for delegation."
        Write-Host "    - This is a security-sensitive setting."
        Write-Host "    - Accounts with this option enabled should be tightly controlled."
        Write-Host "    - This setting allows a service that runs under the account to assume a client's"
        Write-Host "      identity and authenticate as that user to other remote servers on the network."
    }
    Write-Host
}

if(!$uac -or $help){HelpMe;Return}
$flags = @()
# Each case tests one bit on its own. A PowerShell switch keeps evaluating the
# remaining cases after a match, so every flag that is set gets collected.
switch ($uac)
{
    {($uac -bor 0x0001) -eq $uac}    {$flags += "SCRIPT"}
    {($uac -bor 0x0002) -eq $uac}    {$flags += "ACCOUNTDISABLE"}
    {($uac -bor 0x0008) -eq $uac}    {$flags += "HOMEDIR_REQUIRED"}
    {($uac -bor 0x0010) -eq $uac}    {$flags += "LOCKOUT"}
    {($uac -bor 0x0020) -eq $uac}    {$flags += "PASSWD_NOTREQD"}
    {($uac -bor 0x0040) -eq $uac}    {$flags += "PASSWD_CANT_CHANGE"}
    {($uac -bor 0x0080) -eq $uac}    {$flags += "ENCRYPTED_TEXT_PWD_ALLOWED"}
    {($uac -bor 0x0100) -eq $uac}    {$flags += "TEMP_DUPLICATE_ACCOUNT"}
    {($uac -bor 0x0200) -eq $uac}    {$flags += "NORMAL_ACCOUNT"}
    {($uac -bor 0x0800) -eq $uac}    {$flags += "INTERDOMAIN_TRUST_ACCOUNT"}
    {($uac -bor 0x1000) -eq $uac}    {$flags += "WORKSTATION_TRUST_ACCOUNT"}
    {($uac -bor 0x2000) -eq $uac}    {$flags += "SERVER_TRUST_ACCOUNT"}
    {($uac -bor 0x10000) -eq $uac}   {$flags += "DONT_EXPIRE_PASSWORD"}
    {($uac -bor 0x20000) -eq $uac}   {$flags += "MNS_LOGON_ACCOUNT"}
    {($uac -bor 0x40000) -eq $uac}   {$flags += "SMARTCARD_REQUIRED"}
    {($uac -bor 0x80000) -eq $uac}   {$flags += "TRUSTED_FOR_DELEGATION"}
    {($uac -bor 0x100000) -eq $uac}  {$flags += "NOT_DELEGATED"}
    {($uac -bor 0x200000) -eq $uac}  {$flags += "USE_DES_KEY_ONLY"}
    {($uac -bor 0x400000) -eq $uac}  {$flags += "DONT_REQ_PREAUTH"}
    {($uac -bor 0x800000) -eq $uac}  {$flags += "PASSWORD_EXPIRED"}
    {($uac -bor 0x1000000) -eq $uac} {$flags += "TRUSTED_TO_AUTH_FOR_DELEGATION"}
}
# -toString joins the names with commas; otherwise the array itself is returned.
if($toString){$flags | %{if($mystring){$mystring += ",$_"}else{$mystring = $_}};$mystring}else{$flags}

Oisin the “obsessive programmer” sent me this as another option:

param([int]$value)
# Index n of the table holds the name of bit n (value 2^n); bits that have no
# documented meaning are left as empty strings.
$flags = @("SCRIPT","ACCOUNTDISABLE","", "HOMEDIR_REQUIRED",
"LOCKOUT", "PASSWD_NOTREQD","PASSWD_CANT_CHANGE", "ENCRYPTED_TEXT_PWD_ALLOWED",
"TEMP_DUPLICATE_ACCOUNT", "NORMAL_ACCOUNT", "","INTERDOMAIN_TRUST_ACCOUNT", "WORKSTATION_TRUST_ACCOUNT",
"SERVER_TRUST_ACCOUNT", "", "", "DONT_EXPIRE_PASSWORD", "MNS_LOGON_ACCOUNT", "SMARTCARD_REQUIRED",
"TRUSTED_FOR_DELEGATION", "NOT_DELEGATED","USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
"PASSWORD_EXPIRED", "TRUSTED_TO_AUTH_FOR_DELEGATION")
# Walk indexes 0..24 (the original 1..length ran one past the end of the table),
# keep the bits that are set, and drop the unnamed ones.
0..($flags.length - 1) | ? {($value -band [int][math]::Pow(2,$_)) -and $flags[$_]} | % { $flags[$_] }
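Both scripts above map bits to names by hand. As an added example that is not part of the original post or of Oisin's reply, here is the same decoding done with a [Flags] enum on PowerShell 5.0 or later, with two things an account audit usually wants on top: bits the enum does not know about are reported rather than silently dropped, and a short list of authentication- and delegation-related flags is picked out for review. The review list, the function name Convert-UacValue and the sample values are this example's own choices, not something the post defines; the bit values themselves are the documented userAccountControl values the two scripts already use.

```powershell
# Added example, not code from the original post or from Oisin's reply.
# Requires PowerShell 5.0 or later (for the enum keyword). Bit values are the
# documented userAccountControl values; the sample values at the bottom are
# constructed for illustration and are not real directory data.

[Flags()] enum UacFlag {
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
}

# Flags that weaken authentication or widen delegation. This selection is the
# example's own (an assumption about what is worth reviewing), not the post's.
$ReviewFlags = [UacFlag]'PASSWD_NOTREQD, ENCRYPTED_TEXT_PWD_ALLOWED, DONT_EXPIRE_PASSWORD, TRUSTED_FOR_DELEGATION, USE_DES_KEY_ONLY, DONT_REQ_PREAUTH, TRUSTED_TO_AUTH_FOR_DELEGATION'

function Convert-UacValue {
    [CmdletBinding()]
    param([Parameter(Mandatory)][int]$Value)

    # Mask of every bit the enum knows about, so unknown bits can be reported
    # instead of disappearing.
    $known = 0
    foreach ($f in [Enum]::GetValues([UacFlag])) { $known = $known -bor [int]$f }

    $set   = [UacFlag]($Value -band $known)
    # A [Flags] enum formats itself as "NAME1, NAME2, ..." (or "0" when empty).
    $names = if ([int]$set -eq 0) { @() } else { @($set.ToString() -split ', ') }

    [pscustomobject]@{
        Value       = $Value
        Hex         = '0x{0:X8}' -f $Value
        Enabled     = -not $set.HasFlag([UacFlag]::ACCOUNTDISABLE)
        Flags       = $names
        Review      = @($names | Where-Object { $ReviewFlags.HasFlag([UacFlag]$_) })
        UnknownBits = '0x{0:X8}' -f ($Value -band (-bnot $known))
    }
}

# Constructed sample values (not taken from any real directory):
#   69649   = SCRIPT + LOCKOUT + WORKSTATION_TRUST_ACCOUNT + DONT_EXPIRE_PASSWORD
#             (the value used in the post's help examples)
#   66048   = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
#   4194848 = NORMAL_ACCOUNT + PASSWD_NOTREQD + DONT_REQ_PREAUTH
69649, 66048, 4194848 | ForEach-Object { Convert-UacValue -Value $_ } | Format-List
```

For the third sample the Review field comes back with PASSWD_NOTREQD and DONT_REQ_PREAUTH, which is the kind of combination an audit should surface. To run it over live accounts, assuming the ActiveDirectory module is available, pipe the attribute in: Get-ADUser -Filter * -Properties userAccountControl | ForEach-Object { Convert-UacValue $_.userAccountControl }, and filter on the Review property.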
