Re: UserAccountControl Question... Please Help.....

From: Richard Mueller [MVP] (rlmueller-NOSPAM_at_ameritech.NOSPAM.net)
Date: 03/12/04


Date: Fri, 12 Mar 2004 14:12:11 -0600

Hi,

When you display the value assigned to userAccountControl, the number is in decimal (unless you convert). For example, 544 in your example, which is 220 hex, which is &h200 (ADS_UF_NORMAL_ACCOUNT) plus &h20 (ADS_UF_PASSWD_NOTREQD). But that math is too much. Instead, you test bits of this flag using bit masks. Things to remember:

You test by "And"ing the value with a bit mask. Any non-zero result means the corresponding bit is set (enabled). Zero means the bit is not set.
You set a bit by "Or"ing with the bit mask.
You toggle a bit by "Xor"ing with the bit mask. The only way to turn a bit off is to test to make sure it is set, then toggle it.

Example VBScript code to test if a user is required to have a password, then set this flag, then un-set it:

' Define bit mask.
Const ADS_UF_PASSWD_NOTREQD = &h20

' Bind to user object.
Set objUser = GetObject("LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com")

' Test flag for password not required.
lngFlag = objUser.Get("userAccountControl")
If (lngFlag And ADS_UF_PASSWD_NOTREQD) <> 0 Then
  Wscript.Echo "User " & objUser.sAMAccountName & " is NOT required to have a password"
Else
  Wscript.Echo "User " & objUser.sAMAccountName & " is required to have a password"
End If

' Set flag for password not required.
lngFlag = objUser.Get("userAccountControl")
lngFlag = lngFlag Or ADS_UF_PASSWD_NOTREQD
objUser.Put "userAccountControl", lngFlag
objUser.SetInfo

' Un-set flag for password not required.
lngFlag = objUser.get("userAccountControl")
If (lngFlag And ADS_UF_PASSWD_NOTREQD) <> 0 Then
  lngFlag = lngFlag Xor ADS_UF_PASSWD_NOTREQD
  objUser.Put "userAccountControl", lngFlag
  objUser.SetInfo
End If

The definitions of all the bits and the bit masks are in this link:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp

However, not all of them work with the LDAP provider. The only ones I've seen manipulated are ADS_UF_PASSWD_CANT_CHANGE, ADS_UF_DONT_EXPIRE_PASSWD, and ADS_UF_ENCRYPTED_TEXT_PASSWD. I assume it is OK to manipulate ADS_UF_PASSWD_NOTREQD. The ADS_UF_LOCKOUT bit does not work and there are property methods or other better ways to test and manipulate the others (such as ADS_UF_ACCOUNTDISABLE).

-- 
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
  "Roger" <hainesr3@nationwide.com> wrote in message news:%23%23JDeRFCEHA.3400@tk2msftngp13.phx.gbl...
  Thanks for your quick response.  I guess I need to go back and re-educate myself on binary.  When you refer to the first bit mask and the second bit mask for your example.  Are you talking about two completely different bit masks?  1011 and 0010
  The reason I ask is when you say "The second bit may be the one of interest to you" referring to the first "bit mask".  I was thinking that the second bit would be (in red below).  I'm way off base here aren't I.
  1011
  "Stivie S." <stefan.suesser@computacenter.com> wrote in message news:6A82E122-87F4-4D6F-9D00-FF9C1E2E5B89@microsoft.com...
  > Hi,
  > 
  > the "UserAccountControl" is implemented as a bit mask, like some other properties, too. Each bit in the bit mask represents a certain setting, and you set the individual bits in the bit mask to either 0 or 1 to enable or disable a setting.
  > To work with bit masks, you need the boolean operators AND, OR or XOR. I do not know if you have ever worked with boolean operators, but here is an example:
  > Let's say, you have a bit mask consisting of 4 bits. The bit mask is currently set to "1011". The second bit may be the one of interest to you - so you want to check if this second bit is set. The setting of the second bit is written as "0010" in the bit mask. You check the setting of the second bit by combining both bit masks (the actual setting and the bit of interest) with the boolean AND operator. The result will be: 1011 AND 0010 = 0010 - the result is exactly the bit mask of the setting you are interested in!!! Why that? When using the boolean AND operator, you can get the result by calculating "if the first bit of the bit mask and the first bit of the setting of interest are the same, the result is 1 (TRUE=equal), otherwise the result is 0 (FALSE=not equal)", and doing this with every bit.
  > That's why the script has the code line "If objHash(Key) And intUAC Then..." - the meaning of this line is simple: when the boolean AND comparison of the UserAccountControl (intUAC) and a particular setting (objHash(Key)) is true, then the property is enabled - when the comparison is false, the property is disabled.
  > Sounds complicated? It is indeed simple, I think, but you should have some maths background from school about boolean operators. 
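
An added example, not part of the original posts: the And test from the reply above, applied offline to a few userAccountControl values to decode them and report accounts that have ADS_UF_PASSWD_NOTREQD set. The account names and values are constructed sample data, DecodeUAC and ClearFlag are hypothetical helper names, and the masks other than &h20 and &h200 come from ADS_USER_FLAG_ENUM rather than from this thread. ClearFlag uses And Not, which gives the same value as the test-then-Xor sequence in the reply.

```vbscript
Option Explicit

' Bit masks from ADS_USER_FLAG_ENUM (only flags this thread mentions).
Const ADS_UF_ACCOUNTDISABLE     = &h2
Const ADS_UF_LOCKOUT            = &h10
Const ADS_UF_PASSWD_NOTREQD     = &h20
Const ADS_UF_PASSWD_CANT_CHANGE = &h40
Const ADS_UF_NORMAL_ACCOUNT     = &h200
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

' Hypothetical helper: names of the known bits set in lngUAC, plus any unnamed remainder.
Function DecodeUAC(lngUAC)
    Dim arrMasks, arrNames, i, strOut, lngRest
    arrMasks = Array(ADS_UF_ACCOUNTDISABLE, ADS_UF_LOCKOUT, ADS_UF_PASSWD_NOTREQD, _
                     ADS_UF_PASSWD_CANT_CHANGE, ADS_UF_NORMAL_ACCOUNT, ADS_UF_DONT_EXPIRE_PASSWD)
    arrNames = Array("ACCOUNTDISABLE", "LOCKOUT", "PASSWD_NOTREQD", _
                     "PASSWD_CANT_CHANGE", "NORMAL_ACCOUNT", "DONT_EXPIRE_PASSWD")
    strOut = ""
    lngRest = lngUAC
    For i = 0 To UBound(arrMasks)
        If (lngUAC And arrMasks(i)) <> 0 Then
            strOut = strOut & arrNames(i) & " "
            lngRest = lngRest And Not arrMasks(i)   ' strip the bit just named
        End If
    Next
    If lngRest <> 0 Then strOut = strOut & "OTHER(&h" & Hex(lngRest) & ")"
    DecodeUAC = Trim(strOut)
End Function

' Hypothetical helper: clear a bit whether or not it is set (And with the inverted mask).
Function ClearFlag(lngUAC, lngMask)
    ClearFlag = lngUAC And Not lngMask
End Function

' Constructed sample data in "name=userAccountControl" form, as an export might list it.
Dim arrSample, strLine, arrParts, lngValue
arrSample = Array("alice=512", "bob=544", "svc-backup=66080", "carol=514")
For Each strLine In arrSample
    arrParts = Split(strLine, "=")
    lngValue = CLng(arrParts(1))
    WScript.Echo arrParts(0) & " (" & lngValue & " = &h" & Hex(lngValue) & "): " & DecodeUAC(lngValue)
    ' Report accounts that are allowed to have no password.
    If (lngValue And ADS_UF_PASSWD_NOTREQD) <> 0 Then
        WScript.Echo "  REVIEW: password not required; value with the bit cleared: " & _
            ClearFlag(lngValue, ADS_UF_PASSWD_NOTREQD)
    End If
Next
```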

