Tuesday, August 9, 2011

Active Directory and userAccountControl Attribute

As you know, searching Active Directory attributes with DSQUERY commands or scripts is not difficult: you can read the values directly from the attribute. However, searching for the enabled/disabled status, PasswordExpired and similar properties can be challenging, because these properties are not stored in attributes of their own. They are controlled by a single attribute called userAccountControl.

What is userAccountControl?

It is a 4-byte (32-bit) integer that represents a bitwise enumeration of flags controlling the behavior of an object. The attributeID of this attribute is 1.2.840.113556.1.4.8. An attributeID is a unique X.500 Object Identifier (OID) that identifies an attribute.


How do I search userAccountControl values in Active Directory?

It is like searching any other attribute in Active Directory, except that you need to express the userAccountControl value numerically and use an LDAP matching rule. The syntax of the LDAP matching rule is

attributename:ruleOID:=value

where attributename is the LDAP display name (in this case userAccountControl), ruleOID is the OID of the matching rule control (in this case 1.2.840.113556.1.4.80X; the two possible values are explained below), and value is the decimal value you want to search for. I will explain the details using a couple of examples.

The following DSQUERY command returns all disabled user accounts in Active Directory.

dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr name

userAccountControl = 2 means the user account is disabled (ADS_UF_ACCOUNTDISABLE).

The following DSQUERY command returns all users with the 'Password Never Expires' setting enabled.

dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr name

userAccountControl = 65536 means the user account has the 'Password Never Expires' flag set (ADS_UF_DONT_EXPIRE_PASSWD).

So where does the ruleOID 1.2.840.113556.1.4.803 come from?

The ruleOID can be either the bitwise AND rule (1.2.840.113556.1.4.803) or the bitwise OR rule (1.2.840.113556.1.4.804):

  • 1.2.840.113556.1.4.803 – the bitwise AND operator (LDAP_MATCHING_RULE_BIT_AND). The rule is true only if every bit set in the value is also set in the attribute.
  • 1.2.840.113556.1.4.804 – the bitwise OR operator (LDAP_MATCHING_RULE_BIT_OR). The rule is true if any bit set in the value is also set in the attribute.
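To make the difference between the two rules concrete, here is an added Python example (not part of the original post, and not a Microsoft tool) that builds the same filter string the two DSQUERY commands above use and then evaluates the bitwise AND and OR rules locally, the way the domain controller does, against a handful of constructed userAccountControl values. The flag table extends the two flags named in the post (2 and 65536) with other well-known ADS_USER_FLAG_ENUM values from the MSDN documentation linked below; the sample accounts and their values are made up for the demonstration.

```python
import re

# Well-known userAccountControl flag bits in decimal (ADS_USER_FLAG_ENUM).
# Only a subset is listed; the post links the full MSDN tables.
UAC_FLAGS = {
    2: "ADS_UF_ACCOUNTDISABLE",
    16: "ADS_UF_LOCKOUT",
    32: "ADS_UF_PASSWD_NOTREQD",
    64: "ADS_UF_PASSWD_CANT_CHANGE",
    512: "ADS_UF_NORMAL_ACCOUNT",
    4096: "ADS_UF_WORKSTATION_TRUST_ACCOUNT",
    8192: "ADS_UF_SERVER_TRUST_ACCOUNT",
    65536: "ADS_UF_DONT_EXPIRE_PASSWD",
    262144: "ADS_UF_SMARTCARD_REQUIRED",
    524288: "ADS_UF_TRUSTED_FOR_DELEGATION",
    1048576: "ADS_UF_NOT_DELEGATED",
    4194304: "ADS_UF_DONT_REQUIRE_PREAUTH",
    8388608: "ADS_UF_PASSWORD_EXPIRED",
    16777216: "ADS_UF_TRUSTED_TO_AUTH_FOR_DELEGATION",
}

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def build_filter(mask, rule=BIT_AND):
    """Build the user filter used by the dsquery commands in the post."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{rule}:={mask}))")


# Only the two bitwise rules are accepted, and the value must be decimal,
# which is the point the post makes about not using hex.
_RULE_RE = re.compile(
    r"^userAccountControl:(1\.2\.840\.113556\.1\.4\.80[34]):=(\d+)$")


def matches(rule_clause, uac_value):
    """Evaluate one 'attr:ruleOID:=value' clause as the server does."""
    m = _RULE_RE.match(rule_clause)
    if not m:
        raise ValueError(f"not a bitwise matching-rule clause: {rule_clause!r}")
    rule, mask = m.group(1), int(m.group(2))
    if rule == BIT_AND:
        return (uac_value & mask) == mask   # every bit of the mask must be set
    return (uac_value & mask) != 0          # any bit of the mask is enough


# Constructed sample accounts (hypothetical, not real directory data).
SAMPLE_ACCOUNTS = {
    "alice": 512,          # normal account, enabled
    "bob": 514,            # normal + disabled
    "svc_backup": 66048,   # normal + password never expires
    "svc_old": 66050,      # normal + disabled + password never expires
}


def query(rule_clause, accounts=SAMPLE_ACCOUNTS):
    """Return the names of accounts the clause would select, sorted."""
    return sorted(n for n, v in accounts.items() if matches(rule_clause, v))


if __name__ == "__main__":
    both = 2 | 65536   # 65538: disabled AND/OR password never expires
    print(build_filter(2))
    for name, value in SAMPLE_ACCOUNTS.items():
        print(f"{name:>10} {value:>6} {decode_uac(value)}")
    print("AND 65538:", query(f"userAccountControl:{BIT_AND}:={both}"))
    print("OR  65538:", query(f"userAccountControl:{BIT_OR}:={both}"))
```

Running it shows why the choice of rule matters for an audit: with the combined mask 65538, the AND rule (803) returns only the account that is both disabled and exempt from password expiry, while the OR rule (804) returns every account that has either flag. A review that wants "all accounts with password never expires" therefore uses 803 with the single bit 65536, exactly as the post's second command does.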

Here is the complete structure:

[image: complete structure of the matching-rule filter; not preserved]


How do I get the userAccountControl values?

These userAccountControl flag values are listed in the following MSDN articles. Make sure to use the decimal values, not the hex ones.

  1. http://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx
  2. http://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx

Conclusion

Regardless of the method you use (commands or scripts), you can search Active Directory by userAccountControl flags with the syntax described above.

Looking for more DSQUERY examples?

Visit my TechNet Wiki article - http://social.technet.microsoft.com/wiki/contents/articles/3537.aspx

8 comments:

Great entry Santhosh!!

Mark Empson wrote a UserAccountControl entry that complements this entry: http://blogs.technet.com/b/mempson/archive/2011/08/24/useraccountcontrol-flags.aspx

I now have both in my favorites :)

1.2.840.113556.1.4.803 and 1.2.840.113556.1.4.804 are not related to 1.2.840.113556.1.4.8 whatsoever. They are both OIDs for the bitwise OR and AND operators against any attribute that supports it, and not extensions that would apply to the userAccountControl attribute, as your article sounds...

Hi, I'm new to PowerShell commands. I am trying to update the employee numbers for more than 1000 employees. I created a file as below:
Import-Module ActiveDirectory
Import-Csv "c:\temp\users.csv" | % {
    # Column names must match the CSV header exactly; a null $User is what produces the Identity error below
    $User = $_.UserName
    $ID = $_.empNumber
    # The value for -EmployeeID was missing from the original line
    Set-ADUser $User -EmployeeID $ID
}
I saved this file as .ps1; when I tried to run it I got the error below:
Set-ADUser : Cannot validate argument on parameter 'Identity'. The argument is
null. Supply a non-null argument and try the command again.
At C:\TEMP\UpdateEmployeeID.ps1:5 char:11
+ Set-ADUser <<<< $User -employeeID
+ CategoryInfo : InvalidData: (:) [Set-ADUser], ParameterBindingV
alidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.Activ
eDirectory.Management.Commands.SetADUser

How can I rectify this error? If there are other steps to follow, please update me at patilshirishr@gmail.com

Make sure you'll read this article too, guys. It is really important!

The attribute controls the behavior of user and computer objects in Active Directory. It manages settings related to account status, password policies, and other security features.
