Displaying Password Attributes Accessible from userAccountControl

Microsoft® Windows® 2000 Scripting Guide

The LDAP provider can read the value of the userAccountControl attribute to determine:

  • Whether a password is required.

  • Whether the Password never expires option is enabled or disabled.

  • Whether the Store password using reversible encryption option is enabled or disabled.

Scripting Steps

Listing 7.4 contains a script that displays the state of password flags in the userAccountControl attribute and the pwdLastSet attribute of a user account. To carry out this task, the script performs the following steps:

  1. Create a Dictionary object to hold the value of the flags directly available from the userAccountControl attribute.

  2. Define the name and the value of each flag in the Dictionary object.

  3. Bind to the user account object by using the GetObject function and the LDAP provider.

  4. Create the intUAC variable, and initialize it to the integer value of the userAccountControl attribute.

  5. Create a loop, and use the bitwise AND operator to evaluate each flag value against the value of the userAccountControl attribute.

  6. Display each flag name and whether it is enabled or disabled.

Listing 7.4 Displaying Password Attributes Available from the LDAP Provider and the userAccountControl Attribute

  
' Map each password-related flag name to its bit mask in userAccountControl.
Set objHash = CreateObject("Scripting.Dictionary")
objHash.Add "ADS_UF_PASSWD_NOTREQD", &h00020
objHash.Add "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED", &h0080
objHash.Add "ADS_UF_DONT_EXPIRE_PASSWD", &h10000

' Bind to the user account through the LDAP provider.
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
intUAC = objUser.Get("userAccountControl")

' A nonzero result of the bitwise AND means the flag is set.
For Each Key In objHash.Keys
    If objHash(Key) And intUAC Then
        Wscript.Echo Key & " is enabled"
    Else
        Wscript.Echo Key & " is disabled"
    End If
Next
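
Added example, not part of the Scripting Guide: the listing's bitwise AND test applied in Python to a batch of exported accounts, which goes beyond the single-user case, plus the LDAP filter that has the directory server run the same test. The LDIF-style sample, its DNs and values, and the function names are constructed for illustration; the OID is Active Directory's bitwise AND matching rule.

```python
import re

# Flag names and values as defined in Listing 7.4.
PASSWORD_FLAGS = {
    "ADS_UF_PASSWD_NOTREQD": 0x00020,
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x0080,
    "ADS_UF_DONT_EXPIRE_PASSWD": 0x10000,
}
# OID of the LDAP bitwise AND matching rule supported by Active Directory.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample export (LDIF-style); the accounts and values are made up.
SAMPLE_LDIF = """\
dn: cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com
userAccountControl: 512

dn: cn=SvcBackup,ou=Service,dc=NA,dc=fabrikam,dc=com
userAccountControl: 66080

dn: cn=LegacyApp,ou=Service,dc=NA,dc=fabrikam,dc=com
userAccountControl: 640

dn: cn=NoUacValue,ou=Service,dc=NA,dc=fabrikam,dc=com
"""

def parse_records(ldif):
    """Yield (dn, uac) per blank-line-separated record; uac is None if absent."""
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        uac = attrs.get("userAccountControl")
        yield attrs.get("dn"), (int(uac) if uac is not None else None)

def enabled_flags(uac):
    """Same bitwise AND test as the listing's loop, for one integer value."""
    return [name for name, mask in PASSWORD_FLAGS.items() if uac & mask]

def audit(ldif):
    """Map each DN to its enabled flags; records missing the attribute are skipped."""
    return {dn: enabled_flags(uac) for dn, uac in parse_records(ldif)
            if uac is not None and enabled_flags(uac)}

def ldap_filter(flag_name):
    """Filter that makes the server apply the AND test to every user object."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND_RULE}:={PASSWORD_FLAGS[flag_name]}))")

if __name__ == "__main__":
    for dn, flags in audit(SAMPLE_LDIF).items():
        print(dn, "->", ", ".join(flags))
```

A record with no userAccountControl value is left out of the findings, because the absence of the attribute in an export does not mean its flags are cleared.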