Re: UserAccountContol Question... Please Help.....
From: Richard Mueller [MVP] (rlmueller-NOSPAM_at_ameritech.NOSPAM.net)
Date: 03/12/04
- Next message: R Dunn: "Report folder size recursively?"
- Previous message: R Dunn: "Re: do you have script that can install microsoft patch .EXE on remote computer?"
- In reply to: Richard Mueller [MVP]: "Re: UserAccountContol Question... Please Help....."
- Next in thread: Roger: "Re: UserAccountContol Question... Please Help....."
- Reply: Roger: "Re: UserAccountContol Question... Please Help....."
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 12 Mar 2004 14:53:28 -0600
Hi,
You mentioned other settings that are not controlled by userAccountControl.
Maximum password age - maxPwdAge attribute of the domain object (so it applies to everyone in the domain). Integer8
Minimum password age - minPwdAge attribute of the domain object. Integer8
Minimum password length - minPwdLength attribute of the domain object. Enumeration
Store password using reversible encryption - userAccountControl attribute of user and ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED bit mask
Enforce password history - pwdHistoryLength attribute of the domain object. Enumeration
Password complexity - pwdProperties attribute of the domain object. Enumeration
The ones labeled Integer8 above are 64-bit numbers, so special code is required to handle them. The ones labeled Enumeration are simple integers. Most of these should be handled through Group Policy, although you can retrieve values from the attributes directly.
Also, to explain the script you posted line by line:
Set objHash = CreateObject("Scripting.Dictionary")
This creates a reference to a dictionary object. A dictionary object is an associative array of (key, item) pairs. The "key"s must be unique.
objHash.Add "ADS_UF_PASSWD_NOTREQD", &h00020
objHash.Add "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED", &h0080
objHash.Add "ADS_UF_DONT_EXPIRE_PASSWD", &h10000
The above adds 3 pairs to the dictionary object. The key in each pair is the name of the bit mask (a string), the corresponding item is the hex value. This is just a technique to loop through the bit masks one by one.
Set objUser = GetObject _
    ("LDAP://cn=testuser,OU=Accounts,dc=domain,dc=com")
The above binds to the user using the Distinguished Name and the LDAP provider.
intUAC = objUser.Get("userAccountControl")
This retrieves the current value of userAccountControl for this user.
For Each Key In objHash.Keys
The "For Each" loop allows the code in the loop to repeat for each bit mask. The variable "Key" will be the key of the pair, the bit mask name.
If objHash(Key) And intUAC Then
If the "And" operation is non-zero, the expression will be evaluated as True. Zero would equate to False. The expression objHash(Key) will be the item value in the pair, which is the actual hex value of the bit mask. For example, objHash("ADS_UF_PASSWD_NOTREQD") = &h20.
Wscript.Echo Key & " Value = " & intUAC & " property is enabled"
Else
Wscript.Echo Key & " Value = " & intUAC & " property is disabled"
End If
Next
The use of the dictionary object makes the code a little confusing to read, but it works. It's copied from the TechNet Script Center. I prefer the code I posted before, because I can "read" it. It would be easy to switch the dictionary object pairs in the above. I also like to make it very clear that the "And" operation results in a non-zero value. If the language I'm using interprets this as "True" great, but not all languages do. But that's just style.
--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--

"Richard Mueller [MVP]" <rlmueller-NOSPAM@ameritech.NOSPAM.net> wrote in message news:e$zqN9GCEHA.1220@TK2MSFTNGP10.phx.gbl...

Hi,

When you display the value assigned to userAccountControl, the number is in decimal (unless you convert). For example, 544 in your example, which is 220 hex, which is &h200 (ADS_UF_NORMAL_ACCOUNT) plus &h20 (ADS_UF_PASSWD_NOTREQD). But that math is too much. Instead, you test bits of this flag using bit masks. Things to remember:

You test by "And"ing the value with a bit mask. Any non-zero result means the corresponding bit is set (enabled). Zero means the bit is not set.
You set a bit by "Or"ing with the bit mask.
You toggle a bit by "Xor"ing with the bit mask.
The only way to turn a bit off is to test to make sure it is set, then toggle it.

Example VBScript code to test if a user is required to have a password, then set this flag, then un-set it:

' Define bit mask.
Const ADS_UF_PASSWD_NOTREQD = &h20
' Bind to user object.
Set objUser = GetObject("LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com")
' Test flag for password not required.
lngFlag = objUser.Get("userAccountControl")
If (lngFlag And ADS_UF_PASSWD_NOTREQD) <> 0 Then
    Wscript.Echo "User " & objUser.sAMAccountName & " is NOT required to have a password"
Else
    Wscript.Echo "User " & objUser.sAMAccountName & " is required to have a password"
End If
' Set flag for password not required.
lngFlag = objUser.Get("userAccountControl")
lngFlag = lngFlag Or ADS_UF_PASSWD_NOTREQD
objUser.Put "userAccountControl", lngFlag
objUser.SetInfo
' Un-set flag for password not required.
lngFlag = objUser.Get("userAccountControl")
If (lngFlag And ADS_UF_PASSWD_NOTREQD) <> 0 Then
    lngFlag = lngFlag Xor ADS_UF_PASSWD_NOTREQD
    objUser.Put "userAccountControl", lngFlag
    objUser.SetInfo
End If

The definitions of all the bits and the bit masks are in this link:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp

However, not all of them work with the LDAP provider. The only ones I've seen manipulated are ADS_UF_PASSWD_CANT_CHANGE, ADS_UF_DONT_EXPIRE_PASSWD, and ADS_UF_ENCRYPTED_TEXT_PASSWD. I assume it is OK to manipulate ADS_UF_PASSWD_NOTREQD. The ADS_UF_LOCKOUT bit does not work and there are property methods or other better ways to test and manipulate the others (such as ADS_UF_ACCOUNTDISABLE).

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--

"Roger" <hainesr3@nationwide.com> wrote in message news:%23%23JDeRFCEHA.3400@tk2msftngp13.phx.gbl...

Thanks for your quick response. I guess I need to go back and re-educate myself on binary. When you refer to the first bit mask and the second bit mask for your example, are you talking about two completely different bit masks?

1011 and 0010

The reason I ask is when you say "The second bit may be the one of interest to you" referring to the first "bit mask". I was thinking that the second bit would be (in red below). I'm way off base here, aren't I?

1011

"Stivie S." <stefan.suesser@computacenter.com> wrote in message news:6A82E122-87F4-4D6F-9D00-FF9C1E2E5B89@microsoft.com...
> Hi,
>
> the "UserAccountControl" is implemented as a bit mask, like some other properties, too. Each bit in the bit mask represents a certain setting, and you set the individual bits in the bit mask to either 0 or 1 to enable or disable a setting.
> To work with bit masks, you need the boolean operators AND, OR or XOR.
> I do not know if you have ever worked with boolean operators, but here is an example:
> Let's say, you have a bit mask consisting of 4 bits. The bit mask is currently set to "1011". The second bit may be the one of interest to you - so you want to check if this second bit is set. The setting of the second bit is written as "0010" in the bit mask. You check the setting of the second bit by combining both bit masks (the actual setting and the bit of interest) with the boolean AND operator. The result will be: 1011 AND 0010 = 0010 - the result is exactly the bit mask of the setting you are interested in!!! Why that? When using the boolean AND operator, you can get the result by calculating "if the first bit of the bit mask and the first bit of the setting of interest are the same, the result is 1 (TRUE=equal), otherwise the result is 0 (FALSE=not equal)", and doing this with every bit.
> That's why the script has the code line "If objHash(Key) And intUAC Then..." - the meaning of this line is simple: when the boolean AND comparison of the UserAccountControl (intUAC) and a particular setting (objHash(key)) is true, then the property is enabled - when the comparison is false, the property is disabled.
> Sounds complicated? It is indeed simple, I think, but you should have some maths background from school about boolean operators.
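The bit operations discussed in this thread (test with And, set with Or, toggle with Xor) and the Integer8 handling Richard mentions for maxPwdAge/minPwdAge, carried through in Python as an added example that is not part of any post above. It works on plain integers such as the ones objUser.Get("userAccountControl") returns, so it needs no directory. The flag values are taken from the ADS_USER_FLAG_ENUM documentation; the function names, the RISKY_FLAGS selection and the SAMPLE_ACCOUNTS data are my own constructions for illustration. It also shows that clearing a bit with And on the complement (`value & ~mask`) needs no prior test, because unlike Xor it is a no-op when the bit is already clear.

```python
"""Bit-mask handling for Active Directory userAccountControl, plus the
Integer8 conversion that maxPwdAge / minPwdAge need.

Added example, not code from the thread. Everything here works on plain
integers, so it runs offline; SAMPLE_ACCOUNTS is constructed test data.
"""

# Flag values from the ADS_USER_FLAG_ENUM documentation linked in the thread.
UAC_FLAGS = {
    "ADS_UF_SCRIPT": 0x0001,
    "ADS_UF_ACCOUNTDISABLE": 0x0002,
    "ADS_UF_HOMEDIR_REQUIRED": 0x0008,
    "ADS_UF_LOCKOUT": 0x0010,
    "ADS_UF_PASSWD_NOTREQD": 0x0020,
    "ADS_UF_PASSWD_CANT_CHANGE": 0x0040,
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x0080,
    "ADS_UF_TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "ADS_UF_NORMAL_ACCOUNT": 0x0200,
    "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "ADS_UF_SERVER_TRUST_ACCOUNT": 0x2000,
    "ADS_UF_DONT_EXPIRE_PASSWD": 0x10000,
    "ADS_UF_MNS_LOGON_ACCOUNT": 0x20000,
    "ADS_UF_SMARTCARD_REQUIRED": 0x40000,
    "ADS_UF_TRUSTED_FOR_DELEGATION": 0x80000,
    "ADS_UF_NOT_DELEGATED": 0x100000,
    "ADS_UF_USE_DES_KEY_ONLY": 0x200000,
    "ADS_UF_DONT_REQUIRE_PREAUTH": 0x400000,
    "ADS_UF_PASSWORD_EXPIRED": 0x800000,
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x1000000,
}

# Own selection of flags worth listing per account during a review:
# each one weakens password or Kerberos protections for that principal.
RISKY_FLAGS = (
    "ADS_UF_PASSWD_NOTREQD",                   # blank password allowed
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",  # reversible encryption
    "ADS_UF_DONT_EXPIRE_PASSWD",               # password never ages out
    "ADS_UF_USE_DES_KEY_ONLY",                 # DES Kerberos keys only
    "ADS_UF_DONT_REQUIRE_PREAUTH",             # Kerberos pre-auth off
    "ADS_UF_TRUSTED_FOR_DELEGATION",           # unconstrained delegation
)


def is_set(value, mask):
    """Test: a non-zero result of And means the bit is set."""
    return (value & mask) != 0


def set_flag(value, mask):
    """Set: Or with the mask; an already-set bit is unaffected."""
    return value | mask


def toggle_flag(value, mask):
    """Toggle: Xor flips the bit, so it also sets a bit that was clear."""
    return value ^ mask


def clear_flag(value, mask):
    """Clear: And with the complement; safe without a prior test."""
    return value & ~mask


def decode_uac(value):
    """Names of every flag set in value, lowest bit first (544 -> two names)."""
    return [name for name, mask in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
            if is_set(value, mask)]


def risky_flags(value):
    """Subset of decode_uac(value) that is on the review list."""
    return [name for name in decode_uac(value) if name in RISKY_FLAGS]


def audit(accounts):
    """Map sAMAccountName -> risky flag names, omitting clean accounts."""
    return {name: risky_flags(uac) for name, uac in accounts.items() if risky_flags(uac)}


INTEGER8_NEVER = -0x8000000000000000  # maxPwdAge value meaning "never expires"
TICKS_PER_DAY = 10_000_000 * 86_400   # Integer8 counts 100-nanosecond intervals


def integer8_to_days(value):
    """Convert a (negative) maxPwdAge/minPwdAge Integer8 to days; None = never."""
    if value == INTEGER8_NEVER:
        return None
    return abs(value) / TICKS_PER_DAY


# Constructed sample (sAMAccountName -> userAccountControl), not real directory data.
SAMPLE_ACCOUNTS = {
    "testuser": 544,        # &h200 NORMAL_ACCOUNT + &h20 PASSWD_NOTREQD
    "alice": 512,           # plain NORMAL_ACCOUNT
    "svc_backup": 66048,    # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD
    "legacy_app": 4194816,  # NORMAL_ACCOUNT + DONT_REQUIRE_PREAUTH
}


if __name__ == "__main__":
    for account, uac in SAMPLE_ACCOUNTS.items():
        print(f"{account}: {uac} = {' | '.join(decode_uac(uac))}")
    for account, flags in audit(SAMPLE_ACCOUNTS).items():
        print(f"REVIEW {account}: {', '.join(flags)}")
    fixed = clear_flag(SAMPLE_ACCOUNTS["testuser"], UAC_FLAGS["ADS_UF_PASSWD_NOTREQD"])
    print(f"testuser after clearing PASSWD_NOTREQD: {fixed}")
    print(f"maxPwdAge -36288000000000 -> {integer8_to_days(-36288000000000)} days")
```

Running the script decodes 544 into ADS_UF_PASSWD_NOTREQD | ADS_UF_NORMAL_ACCOUNT, lists the three constructed accounts that carry a review-worthy flag, and converts the 42-day maxPwdAge value. The audit function is the piece a practitioner would point at a real export of userAccountControl values; the rest is the bit arithmetic the thread explains.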