Changing Flags in the userAccountControl Attribute

Microsoft® Windows® 2000 Scripting Guide

To change the state of any of the flags directly available from the userAccountControl attribute (see Table 7.6), use the XOR bitwise operator, which toggles the flag's bit. Listing 7.6 contains a script that demonstrates how to evaluate and set a password flag in the userAccountControl attribute.

Scripting Steps

Listing 7.6 contains a script that disables the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag using the XOR operator. To carry out this task, the script performs the following steps:

  1. Set a constant to the value of the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag in the userAccountControl attribute.

  2. Bind to the user account object by using the GetObject function and the LDAP provider.

  3. Create a variable, and initialize it to the integer value of the userAccountControl attribute.

  4. Use the bitwise AND operator to determine whether the flag is enabled.

  5. If the flag is enabled, use the XOR bitwise operator to disable it in the userAccountControl attribute of the user account object.

  6. Commit the change made to the user account object in the local property cache to Active Directory.

Listing 7.6 Disabling a Password-Related Flag in userAccountControl

  
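' Bit value of the ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag in userAccountControl.
Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H80

' Bind to the user account object through the LDAP provider.
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
intUAC = objUser.Get("userAccountControl")

' XOR toggles the bit, so apply it only when the flag is currently enabled.
If intUAC And ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED Then
    objUser.Put "userAccountControl", _
        intUAC Xor ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
    ' Write the change from the local property cache to Active Directory.
    objUser.SetInfo
End If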
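
Why the AND test in step 4 matters, as an added example that is not part of the Scripting Guide: XOR flips the bit, so without the test it would turn the flag on for an account where it was off, whereas AND NOT leaves it clear every time. The account names and userAccountControl values are constructed samples, and ToggleFlag, ClearFlag and IsFlagSet are hypothetical helper names.

```vbscript
' Added example, not from the Scripting Guide. Runs offline under cscript.exe;
' it does not bind to Active Directory.
Option Explicit

Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H80

' XOR flips the bit whatever its current state.
Function ToggleFlag(intUAC, intFlag)
    ToggleFlag = intUAC Xor intFlag
End Function

' AND NOT always leaves the bit clear, so it is safe to run repeatedly.
Function ClearFlag(intUAC, intFlag)
    ClearFlag = intUAC And Not intFlag
End Function

' True only when every bit of intFlag is present in intUAC.
Function IsFlagSet(intUAC, intFlag)
    IsFlagSet = ((intUAC And intFlag) = intFlag)
End Function

' Constructed samples, stored as name/value pairs:
'   &H200   normal account, flag clear
'   &H280   normal account, flag set
'   &H10282 normal, disabled, password never expires, flag set
Dim arrAccounts, i, strName, intUAC
arrAccounts = Array( _
    "sample-a", &H200, _
    "sample-b", &H280, _
    "sample-c", &H10282)

For i = 0 To UBound(arrAccounts) Step 2
    strName = arrAccounts(i)
    intUAC = arrAccounts(i + 1)
    WScript.Echo strName & ": UAC=&H" & Hex(intUAC) & " flag set=" & _
        IsFlagSet(intUAC, ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)
    WScript.Echo "  unguarded XOR -> &H" & _
        Hex(ToggleFlag(intUAC, ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))
    WScript.Echo "  AND NOT       -> &H" & _
        Hex(ClearFlag(intUAC, ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))
Next
```

For sample-a the two results differ: the unguarded XOR turns the flag on, while AND NOT leaves the value unchanged.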