Active Directory PowerShell Get-ADUser -LDAPFILTER userAccountControl

Querying Active Directory with an LDAP filter is easy using the AD PowerShell cmdlet Get-ADUser and its -LDAPFilter parameter.

 

For example:

(Get-ADUser -LDAPFilter "(&(objectCategory=user)(userAccountControl=512))").SamAccountName

 

Active Directory userAccountControl Values:

Normal Day to Day Values:
===========================
512 – Enabled account
514 – Disabled account
544 – Account Enabled – Require user to change password at first logon
4096 – Workstation/server
66048 – Enabled, password never expires
66050 – Disabled, password never expires
262656 – Smart Card Logon Required
532480 – Domain controller

All Other Values:
===========================
1 – script
2 – accountdisable
8 – homedir_required
16 – lockout
32 – passwd_notreqd
64 – passwd_cant_change
128 – encrypted_text_pwd_allowed
256 – temp_duplicate_account
512 – normal_account
2048 – interdomain_trust_account
4096 – workstation_trust_account
8192 – server_trust_account
65536 – dont_expire_password
131072 – mns_logon_account
262144 – smartcard_required
524288 – trusted_for_delegation
1048576 – not_delegated
2097152 – use_des_key_only
4194304 – dont_req_preauth
8388608 – password_expired
16777216 – trusted_to_auth_for_delegation
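
The filter shown earlier, userAccountControl=512, is an exact match, so it misses accounts whose value combines several flags (66048, for instance). The following added example, which is not from the original post, decodes a combined value using the flag list above and builds a bitwise filter with the LDAP bit-AND matching rule (OID 1.2.840.113556.1.4.803) to audit accounts carrying weak-authentication flags. The names $UacFlags, ConvertFrom-Uac and Get-UacFilter are hypothetical helpers introduced here.

```powershell
# Added example. Flag names and values are copied from the list above;
# $UacFlags, ConvertFrom-Uac and Get-UacFilter are hypothetical helper names.
$UacFlags = [ordered]@{
    script = 1; accountdisable = 2; homedir_required = 8; lockout = 16
    passwd_notreqd = 32; passwd_cant_change = 64
    encrypted_text_pwd_allowed = 128; temp_duplicate_account = 256
    normal_account = 512; interdomain_trust_account = 2048
    workstation_trust_account = 4096; server_trust_account = 8192
    dont_expire_password = 65536; mns_logon_account = 131072
    smartcard_required = 262144; trusted_for_delegation = 524288
    not_delegated = 1048576; use_des_key_only = 2097152
    dont_req_preauth = 4194304; password_expired = 8388608
    trusted_to_auth_for_delegation = 16777216
}

function ConvertFrom-Uac {
    # Split a combined userAccountControl value into the flag names it contains.
    param([Parameter(Mandatory)][int]$Value)
    foreach ($name in $UacFlags.Keys) {
        if ($Value -band $UacFlags[$name]) { $name }
    }
}

function Get-UacFilter {
    # Build an LDAP filter matching user objects that have ALL given flags set,
    # using the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803).
    param([Parameter(Mandatory)][string[]]$Flag)
    $mask = 0
    foreach ($f in $Flag) {
        if (-not $UacFlags.Contains($f)) { throw "Unknown flag: $f" }
        $mask = $mask -bor $UacFlags[$f]
    }
    "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=$mask))"
}

# Decoding needs no domain connection; 66050 is taken from the day-to-day list.
ConvertFrom-Uac 66050

# Audit pass (requires the ActiveDirectory module and a reachable domain):
# report every account that carries one of these weak-authentication flags.
foreach ($flag in 'passwd_notreqd', 'dont_req_preauth', 'use_des_key_only') {
    Get-ADUser -LDAPFilter (Get-UacFilter $flag) -Properties userAccountControl |
        Select-Object SamAccountName,
            @{ n = 'Flags'; e = { (ConvertFrom-Uac $_.userAccountControl) -join ',' } },
            @{ n = 'MatchedOn'; e = { $flag } }
}
```

Passing several names to Get-UacFilter ORs them into one mask, so the filter then returns only accounts that have every listed flag set.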

 

List is from here
