Converting AD UserAccountControl to its properties with PowerShell

By YellowOnline on Wednesday 25 November 2015 12:03 - Comments (0)
Category: Powershell, Views: 4.063

The human way to translate a UserAccountControl value is usually to find the largest decimal flag value that fits into the given value and repeat that process for the remainder (say, 11 would be 8 HOMEDIR_REQUIRED + 2 ACCOUNTDISABLE + 1 SCRIPT). After trying for one hour to put that into code, and miserably failing, I went for another approach that no human would use but is actually very easy for a computer.





PowerShell:
Function Translate-UAC ([int]$UAC)
    {
    #Flag names indexed by bit position: $PropertyFlags[n] belongs to the value 2^n
    $PropertyFlags = @(
        "SCRIPT",
        "ACCOUNTDISABLE",
        "RESERVED",
        "HOMEDIR_REQUIRED",
        "LOCKOUT",
        "PASSWD_NOTREQD",
        "PASSWD_CANT_CHANGE",
        "ENCRYPTED_TEXT_PWD_ALLOWED",
        "TEMP_DUPLICATE_ACCOUNT",
        "NORMAL_ACCOUNT",
        "RESERVED",
        "INTERDOMAIN_TRUST_ACCOUNT",
        "WORKSTATION_TRUST_ACCOUNT",
        "SERVER_TRUST_ACCOUNT",
        "RESERVED",
        "RESERVED",
        "DONT_EXPIRE_PASSWORD",
        "MNS_LOGON_ACCOUNT",
        "SMARTCARD_REQUIRED",
        "TRUSTED_FOR_DELEGATION",
        "NOT_DELEGATED",
        "USE_DES_KEY_ONLY",
        "DONT_REQ_PREAUTH",
        "PASSWORD_EXPIRED",
        "TRUSTED_TO_AUTH_FOR_DELEGATION",
        "RESERVED",
        "PARTIAL_SECRETS_ACCOUNT",
        "RESERVED",
        "RESERVED",
        "RESERVED",
        "RESERVED",
        "RESERVED"
        )
    #The range runs from 0 to Length - 1 so that bit 0 (SCRIPT) is tested and the index stays inside the array
    #Possibility 1: One property per line (commented because I use the second one)
    #0..($PropertyFlags.Length - 1) | Where-Object {$UAC -bAnd [math]::Pow(2,$_)} | ForEach-Object {$PropertyFlags[$_]}

    #Possibility 2: One line for all properties (suits my script better)
    $Attributes = ""
    0..($PropertyFlags.Length - 1) | Where-Object {$UAC -bAnd [math]::Pow(2,$_)} | ForEach-Object {If ($Attributes.Length -EQ 0) {$Attributes = $PropertyFlags[$_]} Else {$Attributes = $Attributes + " | " + $PropertyFlags[$_]}}
    Return $Attributes
    }



Output (possibility 1):

code:
PS H:\> Translate-UAC 514
ACCOUNTDISABLE
NORMAL_ACCOUNT



Output (possibility 2):

code:
PS H:\> Translate-UAC 514
ACCOUNTDISABLE | NORMAL_ACCOUNT



I could've included a switch to make you choose one of the two outputs, but for this snippet I'm like "just comment out the one you don't need".

Meanwhile I found some other blogs with pretty much the same code, but heck.

PS. If, somehow, you manage to get "RESERVED" back, your UAC can't be correct. Those are reserved bits for a reason :)
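
The "human way" from the top of the post can be coded after all: walk from the largest flag value down to 1 and subtract every value that still fits in the remainder. The following is an added example, not the author's code; it also marks reserved bits and flags that deserve a second look during an account review. `Convert-UacGreedy`, `$UacNames` and `$ReviewFlags` are hypothetical names, the choice of review flags is an assumption, and the syntax needs PowerShell 3.0 or later.

```powershell
# Added example: names are hypothetical; the flag table is the one from the post.
$UacNames = @(
    'SCRIPT', 'ACCOUNTDISABLE', 'RESERVED', 'HOMEDIR_REQUIRED', 'LOCKOUT', 'PASSWD_NOTREQD',
    'PASSWD_CANT_CHANGE', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'TEMP_DUPLICATE_ACCOUNT', 'NORMAL_ACCOUNT',
    'RESERVED', 'INTERDOMAIN_TRUST_ACCOUNT', 'WORKSTATION_TRUST_ACCOUNT', 'SERVER_TRUST_ACCOUNT',
    'RESERVED', 'RESERVED', 'DONT_EXPIRE_PASSWORD', 'MNS_LOGON_ACCOUNT', 'SMARTCARD_REQUIRED',
    'TRUSTED_FOR_DELEGATION', 'NOT_DELEGATED', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH',
    'PASSWORD_EXPIRED', 'TRUSTED_TO_AUTH_FOR_DELEGATION', 'RESERVED', 'PARTIAL_SECRETS_ACCOUNT',
    'RESERVED', 'RESERVED', 'RESERVED', 'RESERVED', 'RESERVED'
)
# Assumption: flags a reviewer usually wants surfaced; adjust the list to local policy.
$ReviewFlags = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'DONT_EXPIRE_PASSWORD',
               'TRUSTED_FOR_DELEGATION', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH'

function Convert-UacGreedy {
    param([Parameter(Mandatory)][int]$UAC)
    if ($UAC -lt 0) { throw "userAccountControl must not be negative: $UAC" }
    $remainder = [long]$UAC
    for ($bit = $UacNames.Length - 1; $bit -ge 0; $bit--) {
        $value = [long]1 -shl $bit            # 2^bit, largest flag value first
        if ($remainder -ge $value) {          # the flag fits: take it, continue with the rest
            $remainder -= $value
            [pscustomobject]@{
                Value  = $value
                Name   = $UacNames[$bit]
                Valid  = $UacNames[$bit] -ne 'RESERVED'
                Review = $UacNames[$bit] -in $ReviewFlags
            }
        }
    }
}

# Sample values: 514 is the post's example and 11 the value from its text;
# 4260352 and 516 are constructed for this example (516 contains the reserved value 4).
foreach ($uac in 514, 11, 4260352, 516) {
    $rows = @(Convert-UacGreedy $uac)
    '{0,8}: {1}' -f $uac, (($rows | Sort-Object Value).Name -join ' | ')
    if ($rows.Valid -contains $false) { '          reserved bit set, this cannot be a correct UAC' }
    $rows | Where-Object { $_.Review } | ForEach-Object { "          review: $($_.Name)" }
}
```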
