
More userAccountControl Flag Fun (Convert-ToUACFlag.ps1)

A question on the NG (newsgroup) made me think about this. While I personally prefer the decimal value that comes from userAccountControl, others may prefer to actually see the FLAGS that are set.

Here is the script I came up with. It outputs an array by default; with -toString it outputs a comma-delimited string.

It has a -help function, and -verbose adds an explanation of each UAC flag.

Convert-ToUACFlag.ps1

# Convert-ToUACFlag.ps1
# Decodes a userAccountControl value into the names of the flags that are set.
Param([int]$uac,[switch]$ToString,[switch]$help,[switch]$verbose)
function HelpMe{
    Write-Host
    Write-Host " Convert-ToUACFlag.ps1:" -fore Green
    Write-Host "   Converts UAC from Decimal or Hex to User Account Control Flags (described in verbose help)"
    Write-Host
    Write-Host " Parameters:" -fore Green
    Write-Host "   -UAC                   : Parameter User Account Control Value"
    Write-Host "   -toString              : [SWITCH]  Output to String instead of Array"
    Write-Host "   -Help                  : [SWITCH]  Displays This"
    Write-Host "   -Verbose               : [SWITCH]  Displays This and User Account Control Definitions"
    Write-Host
    Write-Host " Examples:" -fore Green
    Write-Host "   Convert to Flag getting back array" -fore White
    Write-Host "     .\Convert-ToUACFlag.ps1 69649" -fore Yellow
    Write-Host "   Convert to Flag getting back string" -fore White
    Write-Host "     .\Convert-ToUACFlag.ps1 69649 -toString" -fore Yellow
    Write-Host
    if($verbose)
    {
        Write-Host " User Account Control Flags and Definition" -fore Green
        Write-Host "  + SCRIPT" -fore Yellow
        Write-Host "    – The logon script will be run."
        Write-Host
        Write-Host "  + ACCOUNTDISABLE" -fore Yellow
        Write-Host "    – The user account is disabled."
        Write-Host
        Write-Host "  + HOMEDIR_REQUIRED" -fore Yellow
        Write-Host "    – The home folder is required."
        Write-Host
        Write-Host "  + LOCKOUT" -fore Yellow
        Write-Host "    – The account is currently locked out."
        Write-Host
        Write-Host "  + PASSWD_NOTREQD" -fore Yellow
        Write-Host "    – No password is required."
        Write-Host
        Write-Host "  + PASSWD_CANT_CHANGE" -fore Yellow
        Write-Host "    – The user cannot change the password."
        Write-Host "    – This is a permission on the user’s object."
        Write-Host
        Write-Host "  + ENCRYPTED_TEXT_PWD_ALLOWED" -fore Yellow
        Write-Host "    – The user can send an encrypted password."
        Write-Host
        Write-Host "  + TEMP_DUPLICATE_ACCOUNT" -fore Yellow
        Write-Host "    – This is an account for users whose primary account is in another domain."
        Write-Host "    – This account provides user access to this domain,"
        Write-Host "      but not to any domain that trusts this domain."
        Write-Host "    – This is sometimes referred to as a local user account."
        Write-Host
        Write-Host "  + NORMAL_ACCOUNT" -fore Yellow
        Write-Host "    – This is a default account type that represents a typical user."
        Write-Host
        Write-Host "  + INTERDOMAIN_TRUST_ACCOUNT" -fore Yellow
        Write-Host "    – This is a permit to trust an account for a system domain that trusts other domains."
        Write-Host
        Write-Host "  + WORKSTATION_TRUST_ACCOUNT" -fore Yellow
        Write-Host "    – This is a computer account for a computer that is running"
        Write-Host "      Microsoft Windows NT 4.0 and above and is a member of this domain."
        Write-Host
        Write-Host "  + SERVER_TRUST_ACCOUNT" -fore Yellow
        Write-Host "    – This is a computer account for a domain controller that is a member of this domain."
        Write-Host
        Write-Host "  + DONT_EXPIRE_PASSWORD" -fore Yellow
        Write-Host "    – Represents the password, which should never expire on the account."
        Write-Host
        Write-Host "  + MNS_LOGON_ACCOUNT" -fore Yellow
        Write-Host "    – This is an MNS logon account."
        Write-Host
        Write-Host "  + SMARTCARD_REQUIRED" -fore Yellow
        Write-Host "    – When this flag is set, it forces the user to log on by using a smart card."
        Write-Host
        Write-Host "  + TRUSTED_FOR_DELEGATION" -fore Yellow
        Write-Host "    – When this flag is set, the service account (the user or computer account)"
        Write-Host "      under which a service runs is trusted for Kerberos delegation."
        Write-Host "    – Any such service can impersonate a client requesting the service."
        Write-Host "    – To enable a service for Kerberos delegation, you must set this flag on the"
        Write-Host "      userAccountControl property of the service account."
        Write-Host
        Write-Host "  + NOT_DELEGATED" -fore Yellow
        Write-Host "    – When this flag is set, the security context of the user is not delegated to"
        Write-Host "      a service even if the service account is set as trusted for Kerberos delegation."
        Write-Host
        Write-Host "  + USE_DES_KEY_ONLY" -fore Yellow
        Write-Host "    – (Windows 2000/Windows Server 2003) Restrict this principal to use only"
        Write-Host "      Data Encryption Standard (DES) encryption types for keys."
        Write-Host
        Write-Host "  + DONT_REQ_PREAUTH" -fore Yellow
        Write-Host "    – (Windows 2000/Windows Server 2003) This account does not require"
        Write-Host "      Kerberos pre-authentication for logging on."
        Write-Host
        Write-Host "  + PASSWORD_EXPIRED" -fore Yellow
        Write-Host "    – (Windows 2000/Windows Server 2003) The user’s password has expired."
        Write-Host
        Write-Host "  + TRUSTED_TO_AUTH_FOR_DELEGATION" -fore Yellow
        Write-Host "    – (Windows 2000/Windows Server 2003) The account is enabled for delegation."
        Write-Host "    – This is a security-sensitive setting."
        Write-Host "    – Accounts with this option enabled should be tightly controlled."
        Write-Host "    – This setting allows a service that runs under the account to assume a client’s"
        Write-Host "      identity and authenticate as that user to other remote servers on the network."
    }
    Write-Host
}

if(!$uac -or $help){HelpMe;Return}
$flags = @()
# Each case tests one bit with -band; a nonzero result means the flag is set.
# Every matching case runs, because the switch has no break statements.
switch ($uac)
{
    {$uac -band 0x0001}    {$flags += "SCRIPT"}
    {$uac -band 0x0002}    {$flags += "ACCOUNTDISABLE"}
    {$uac -band 0x0008}    {$flags += "HOMEDIR_REQUIRED"}
    {$uac -band 0x0010}    {$flags += "LOCKOUT"}
    {$uac -band 0x0020}    {$flags += "PASSWD_NOTREQD"}
    {$uac -band 0x0040}    {$flags += "PASSWD_CANT_CHANGE"}
    {$uac -band 0x0080}    {$flags += "ENCRYPTED_TEXT_PWD_ALLOWED"}
    {$uac -band 0x0100}    {$flags += "TEMP_DUPLICATE_ACCOUNT"}
    {$uac -band 0x0200}    {$flags += "NORMAL_ACCOUNT"}
    {$uac -band 0x0800}    {$flags += "INTERDOMAIN_TRUST_ACCOUNT"}
    {$uac -band 0x1000}    {$flags += "WORKSTATION_TRUST_ACCOUNT"}
    {$uac -band 0x2000}    {$flags += "SERVER_TRUST_ACCOUNT"}
    {$uac -band 0x10000}   {$flags += "DONT_EXPIRE_PASSWORD"}
    {$uac -band 0x20000}   {$flags += "MNS_LOGON_ACCOUNT"}
    {$uac -band 0x40000}   {$flags += "SMARTCARD_REQUIRED"}
    {$uac -band 0x80000}   {$flags += "TRUSTED_FOR_DELEGATION"}
    {$uac -band 0x100000}  {$flags += "NOT_DELEGATED"}
    {$uac -band 0x200000}  {$flags += "USE_DES_KEY_ONLY"}
    {$uac -band 0x400000}  {$flags += "DONT_REQ_PREAUTH"}
    {$uac -band 0x800000}  {$flags += "PASSWORD_EXPIRED"}
    {$uac -band 0x1000000} {$flags += "TRUSTED_TO_AUTH_FOR_DELEGATION"}
}
# -toString joins the names with commas; otherwise the array is returned as-is
if($toString){[string]::Join(",", [string[]]$flags)}else{$flags}

Oisin the “obsessive programmer” sent me this as another option.

param([int]$value)
# Index n holds the name of the flag carried by bit n; "" marks bits with no defined flag
$flags = @("SCRIPT","ACCOUNTDISABLE","", "HOMEDIR_REQUIRED",
"LOCKOUT", "PASSWD_NOTREQD","PASSWD_CANT_CHANGE", "ENCRYPTED_TEXT_PWD_ALLOWED",
"TEMP_DUPLICATE_ACCOUNT", "NORMAL_ACCOUNT", "","INTERDOMAIN_TRUST_ACCOUNT", "WORKSTATION_TRUST_ACCOUNT",
"SERVER_TRUST_ACCOUNT", "", "", "DONT_EXPIRE_PASSWORD", "MNS_LOGON_ACCOUNT", "SMARTCARD_REQUIRED",
"TRUSTED_FOR_DELEGATION", "NOT_DELEGATED","USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
"PASSWORD_EXPIRED", "TRUSTED_TO_AUTH_FOR_DELEGATION")
# Walk bits 0..24 (the valid array indices; 1..25 would skip SCRIPT and read past the end),
# keep the ones set in $value, map each to its name, and drop the unnamed positions
0..($flags.length - 1) | ? {$value -band [math]::Pow(2,$_)} | % { $flags[$_] } | ? { $_ }
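Both scripts above decode one value at a time. The following is an added example, not the blog's script and not Oisin's: it keeps the flag table in a single hashtable so the same data serves decoding, encoding a set of flag names back to a number, reporting bits that no documented flag claims, and a small review pass over account records. It assumes PowerShell 3.0 or later (for [ordered] and [pscustomobject]); the $RiskyFlags list is my own choice of settings a reviewer would want surfaced, and the $sample rows are constructed stand-ins for what Get-ADUser -Properties userAccountControl returns. The two flags beyond the blog's list, NO_AUTH_DATA_REQUIRED and PARTIAL_SECRETS_ACCOUNT, are documented values added here.

```powershell
# Added example (not the blog's script): one flag table, used for decoding,
# encoding, unknown-bit detection and a review of sample account rows.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    NO_AUTH_DATA_REQUIRED          = 0x02000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

function ConvertFrom-UacValue {
    param([Parameter(Mandatory=$true)][int]$Value)
    # -band isolates one bit; a nonzero result means that flag is set
    foreach ($name in $UacFlags.Keys) {
        if ($Value -band $UacFlags[$name]) { $name }
    }
    # Report any bit the table does not know about instead of silently dropping it
    $known = 0
    foreach ($v in $UacFlags.Values) { $known = $known -bor $v }
    $unknown = $Value -band (-bnot $known)
    if ($unknown) { '0x{0:X8} (undocumented bits)' -f $unknown }
}

function ConvertTo-UacValue {
    param([Parameter(Mandatory=$true)][string[]]$Flag)
    # OR the named flags together; reject names that are not in the table
    $result = 0
    foreach ($f in $Flag) {
        if (-not $UacFlags.Contains($f)) { throw "Unknown userAccountControl flag: $f" }
        $result = $result -bor $UacFlags[$f]
    }
    $result
}

# Settings worth a second look on any account (assumed list, chosen for this example)
$RiskyFlags = 'PASSWD_NOTREQD','DONT_REQ_PREAUTH','USE_DES_KEY_ONLY',
              'TRUSTED_FOR_DELEGATION','TRUSTED_TO_AUTH_FOR_DELEGATION','DONT_EXPIRE_PASSWORD'

# Constructed sample rows standing in for Get-ADUser -Properties userAccountControl output
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'alice';   userAccountControl = 512     }  # NORMAL_ACCOUNT
    [pscustomobject]@{ sAMAccountName = 'svc_web'; userAccountControl = 590336  }  # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + TRUSTED_FOR_DELEGATION
    [pscustomobject]@{ sAMAccountName = 'legacy';  userAccountControl = 4194848 }  # NORMAL_ACCOUNT + PASSWD_NOTREQD + DONT_REQ_PREAUTH
)

# Decode every row and list the flags from $RiskyFlags that it carries
$sample | ForEach-Object {
    $set = @(ConvertFrom-UacValue -Value $_.userAccountControl)
    [pscustomobject]@{
        Account = $_.sAMAccountName
        Flags   = $set -join ','
        Risky   = ($set | Where-Object { $RiskyFlags -contains $_ }) -join ','
    }
} | Format-Table -AutoSize

# Round trip: the blog's 69649 decodes to SCRIPT, LOCKOUT, WORKSTATION_TRUST_ACCOUNT
# and DONT_EXPIRE_PASSWORD, and encoding those names gives 69649 back
ConvertTo-UacValue -Flag (ConvertFrom-UacValue -Value 69649)

# Querying server-side with the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803)
# avoids pulling every account just to decode it client-side; use with Get-ADUser -LDAPFilter
$filter = '(userAccountControl:1.2.840.113556.1.4.803:={0})' -f $UacFlags['DONT_REQ_PREAUTH']
$filter
```

One caveat that applies to all three scripts: the LOCKOUT and PASSWORD_EXPIRED bits are not maintained in the stored userAccountControl attribute. The domain controller reports them in the constructed attribute msDS-User-Account-Control-Computed, so a decoder reading userAccountControl alone will not reliably show a locked-out or expired account.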

One Response to “More userAccountControl Flag Fun (Convert-ToUACFlag.ps1)”

  1. on 01 Nov 2008 at 12:30 am ajay

    Hi,

    Is there any way to set the setting for “user has to change the password on next logon”
    when creating the Active Directory user using .NET, or is this the default option?

    If this is the default option when the account is created, the check box for “user has to change the password on next logon” is not checked when creating the user through the API.

    Please suggest to me how to set these settings.

    Regards,
    Ajay.K
