0

我在一个站点上找到了此代码:更多 userAccountControl Flag Fun (Convert-ToUACFlag.ps1) - http://bsonposh.com/archives/288,适用于活动目录中的用户。我以为我理解了一点,所以我根据这篇文章创建了一个相反的函数,但它似乎可以用作计数器 | (管道)->?(如果) % 不是(非常)清楚,它做了什么(我不认为它是模运算符,否则我误解了管道)

%= 取模运算符赋值

echo( 1..($flags.length) | ? {$value -band [math]::Pow(2,$_)} |  %{ $flags[$_] });

这是原始功能,效果很好

function checkUserControl
{
    param
    ([int]$value)
    $flags = @("","ACCOUNTDISABLE","", "HOMEDIR_REQUIRED",
    "LOCKOUT", "PASSWD_NOTREQD","PASSWD_CANT_CHANGE", "ENCRYPTED_TEXT_PWD_ALLOWED",
    "TEMP_DUPLICATE_ACCOUNT", "NORMAL_ACCOUNT", "","INTERDOMAIN_TRUST_ACCOUNT", "WORKSTATION_TRUST_ACCOUNT",
    "SERVER_TRUST_ACCOUNT", "", "", "DONT_EXPIRE_PASSWORD", "MNS_LOGON_ACCOUNT", "SMARTCARD_REQUIRED",
    "TRUSTED_FOR_DELEGATION", "NOT_DELEGATED","USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
    "PASSWORD_EXPIRED", "TRUSTED_TO_AUTH_FOR_DELEGATION")

    echo( 1..($flags.length) | ? {$value -band [math]::Pow(2,$_)} |  %{ $flags[$_] });
}

所以我自己尝试(几次尝试)

function checkUserControl2
    {
        param
        ([string]$value)
        $flags = @("","ACCOUNTDISABLE","", "HOMEDIR_REQUIRED",
        "LOCKOUT", "PASSWD_NOTREQD","PASSWD_CANT_CHANGE", "ENCRYPTED_TEXT_PWD_ALLOWED",
        "TEMP_DUPLICATE_ACCOUNT", "NORMAL_ACCOUNT", "","INTERDOMAIN_TRUST_ACCOUNT", "WORKSTATION_TRUST_ACCOUNT",
        "SERVER_TRUST_ACCOUNT", "", "", "DONT_EXPIRE_PASSWORD", "MNS_LOGON_ACCOUNT", "SMARTCARD_REQUIRED",
        "TRUSTED_FOR_DELEGATION", "NOT_DELEGATED","USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
        "PASSWORD_EXPIRED", "TRUSTED_TO_AUTH_FOR_DELEGATION")

        #echo( 1..($flags.length) | ? {$value -eq $flags[$_] } )} |  %{$_});
        #echo( 1..($flags.length) | ? {$value -match $flags[$_] } )} |  %{$_});
        #echo( 1..($flags.length) | ? {$value -ieq $flags[$_] } )} |  %{$_});
        #echo( 1..($flags.length) | ? {$value -imatch $flags[$_] } )} |  %{ $_ });
        #echo( 1..($flags.length) | ? {$value -ieq $flags[$_] } )} |  {$_});
        echo( 1..($flags.length) | ? {$value -imatch $flags[$_] } )} |  { $_ });
    }

 echo "DONT_EXPIRE_PASSWORD";
 checkUserControl2("DONT_EXPIRE_PASSWORD");

我得到的错误an empty pipe is not allowed

4

2 回答 2

1

这是执行用户帐户控制操作的另一种方法,我觉得它最终比其他建议的方法更清洁、更通用。这是我在回答Active Directory中的userAccountControl 时提供的相同方法的 PowerShell 版本。(另请参阅如何使用 UserAccountControl 标志来操作用户帐户属性。)

Add-Type -TypeDefinition @"
/// <summary>
/// Flags that control the behavior of the user account.
/// </summary>
[System.Flags()]
public enum UserAccountControl : int
{
    /// <summary>
    /// The logon script is executed. This flag does not work for the ADSI LDAP provider on either read or write operations. For 
    /// the ADSI WinNT provider, this flag is read-only data, and it cannot be set for user objects.
    ///</summary>
    SCRIPT = 0x00000001,

    /// <summary>
    /// The user account is disabled. 
    ///</summary>
    ACCOUNTDISABLE = 0x00000002,

    /// <summary>
    /// The home directory is required. 
    ///</summary>
    HOMEDIR_REQUIRED = 0x00000008,

    /// <summary>
    /// The account is currently locked out. 
    ///</summary>
    LOCKOUT = 0x00000010,

    /// <summary>
    /// No password is required. 
    ///</summary>
    PASSWD_NOTREQD = 0x00000020,

    /// <summary>
    /// The user cannot change the password. 
    ///</summary>
    /// <remarks>
    /// Note:  You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. 
    /// For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
    // </remarks>
    PASSWD_CANT_CHANGE = 0x00000040,

    /// <summary>
    /// The user can send an encrypted password. 
    ///</summary>
    ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080,

    /// <summary>
    /// This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not 
    /// to any domain that trusts this domain. Also known as a local user account. 
    ///</summary>
    TEMP_DUPLICATE_ACCOUNT = 0x00000100,

    /// <summary>
    /// This is a default account type that represents a typical user. 
    ///</summary>
    NORMAL_ACCOUNT = 0x00000200,

    /// <summary>
    /// This is a permit to trust account for a system domain that trusts other domains. 
    ///</summary>
    INTERDOMAIN_TRUST_ACCOUNT = 0x00000800,

    /// <summary>
    /// This is a computer account for a computer that is a member of this domain. 
    ///</summary>
    WORKSTATION_TRUST_ACCOUNT = 0x00001000,

    /// <summary>
    /// This is a computer account for a system backup domain controller that is a member of this domain. 
    ///</summary>
    SERVER_TRUST_ACCOUNT = 0x00002000,

    /// <summary>
    /// Not used. 
    ///</summary>
    Unused1 = 0x00004000,

    /// <summary>
    /// Not used. 
    ///</summary>
    Unused2 = 0x00008000,

    /// <summary>
    /// The password for this account will never expire. 
    ///</summary>
    DONT_EXPIRE_PASSWD = 0x00010000,

    /// <summary>
    /// This is an Majority Node Set (MNS) logon account. With MNS, you can configure a multi-node Windows cluster without using a common shared disk. 
    ///</summary>
    MNS_LOGON_ACCOUNT = 0x00020000,

    /// <summary>
    /// The user must log on using a smart card. 
    ///</summary>
    SMARTCARD_REQUIRED = 0x00040000,

    /// <summary>
    /// The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service 
    /// can impersonate a client requesting the service. 
    ///</summary>
    TRUSTED_FOR_DELEGATION = 0x00080000,

    /// <summary>
    /// The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation. 
    ///</summary>
    NOT_DELEGATED = 0x00100000,

    /// <summary>
    /// Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. 
    ///</summary>
    USE_DES_KEY_ONLY = 0x00200000,

    /// <summary>
    /// This account does not require Kerberos pre-authentication for logon. 
    ///</summary>
    DONT_REQUIRE_PREAUTH = 0x00400000,

    /// <summary>
    /// The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy. 
    ///</summary>
    PASSWORD_EXPIRED = 0x00800000,

    /// <summary>
    /// The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly 
    /// controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to 
    /// other remote servers on the network.
    ///</summary>
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000,

    /// <summary>
    /// (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive 
    /// setting. Removing this setting from an RODC compromises security on that server.
    /// </summary>
    PARTIAL_SECRETS_ACCOUNT = 0x04000000,

    /// <summary>
    /// 
    /// </summary>
    USE_AES_KEYS = 0x08000000
}
"@

下面的 PowerShell 代码演示了如何使用这种类型。

# This is how you convert an integer to a UserAccountControl value
[int] $userAccountControlValue = 544
[UserAccountControl] $userAccountControl = [UserAccountControl] $userAccountControlValue

# This is how you can build an account value up from the flags
[UserAccountControl] $userAccountControl = [UserAccountControl]::NORMAL_ACCOUNT -bor [UserAccountControl]::PASSWD_NOTREQD

# Alternatively, PowerShell will allow you to cast a string containing valid flags separated by commas directly into UserAccountControl
[UserAccountControl] $userAccountControl = [UserAccountControl] "NORMAL_ACCOUNT, PASSWD_NOTREQD"

# This is how you would add a flag to an existing value
$userAccountControl = $userAccountControl -bor [UserAccountControl]::DONT_EXPIRE_PASSWD

# This gets a comma separated string of the flag names that apply.
[string] $userAccountControlFlagNames = $userAccountControl.ToString()

# This is how you test for an individual flag.
[bool] $isNormalAccount = ($userAccountControl -band [UserAccountControl]::NORMAL_ACCOUNT) -eq [UserAccountControl]::NORMAL_ACCOUNT
[bool] $isAccountDisabled = ($userAccountControl -band [UserAccountControl]::ACCOUNTDISABLE) -eq [UserAccountControl]::ACCOUNTDISABLE
[bool] $isAccountLockedOut = ($userAccountControl -band [UserAccountControl]::LOCKOUT) -eq [UserAccountControl]::LOCKOUT
[bool] $dontExpirePassword = ($userAccountControl -band [UserAccountControl]::DONT_EXPIRE_PASSWD) -eq [UserAccountControl]::DONT_EXPIRE_PASSWD

# The results are easily used to do things.
if ($isAccountDisabled -eq $true)
{
    # Do something about it.
}

# The results are also easy to output.
"The account flags are $userAccountControlFlagNames."

"Is this a normal account? $isNormalAccount"
"Is the account disabled? $isAccountDisabled"
"Is the account locked out? $isAccountLockedOut"
"Does the account password never expire? $dontExpirePassword"

此外,如果您使用 Windows PowerShell Get-ADUser commandlet 的 Active Directory 模块,则可以使用以下代码快速查看解码的标志:

Get-ADUser username -Properties userAccountConrol | Select *, @{ name = 'userAccountControlFlags'; expression = { [UserAccountControl] $_.userAccountControl } }

您还可以使用它来执行诸如搜索特定标志组合之类的操作:

[UserAccountControl] $desiredFlags = "NORMAL_ACCOUNT, ACCOUNTDISABLE"

# You can search for specific flags like this
$filter = "objectCategory -eq 'person' -and objectClass -eq 'user' -and (userAccountControl -band $([int] $desiredFlags))"
$users = Get-ADUser -Filter $filter -Property userAccountControl
$users | Select *, @{ name = 'userAccountControlFlags'; expression = { [UserAccountControl] $_.userAccountControl } }

# or you can search for the desired flags more efficiently using an LDAP filter.
$ldapFilter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$([int] $desiredFlags)))"
$users = Get-ADUser -LDAPFilter $ldapFilter -Property userAccountControl
$users | Select *, @{ name = 'userAccountControlFlags'; expression = { [UserAccountControl] $_.userAccountControl } }
于 2014-11-13T00:10:53.157 回答
0

您的代码中似乎也有一些错误。我会使用:

function test {
param([string]$value)

$flags = @("","ACCOUNTDISABLE","", "HOMEDIR_REQUIRED",
        "LOCKOUT", "PASSWD_NOTREQD","PASSWD_CANT_CHANGE", "ENCRYPTED_TEXT_PWD_ALLOWED",
        "TEMP_DUPLICATE_ACCOUNT", "NORMAL_ACCOUNT", "","INTERDOMAIN_TRUST_ACCOUNT", "WORKSTATION_TRUST_ACCOUNT",
        "SERVER_TRUST_ACCOUNT", "", "", "DONT_EXPIRE_PASSWORD", "MNS_LOGON_ACCOUNT", "SMARTCARD_REQUIRED",
        "TRUSTED_FOR_DELEGATION", "NOT_DELEGATED","USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
        "PASSWORD_EXPIRED", "TRUSTED_TO_AUTH_FOR_DELEGATION")

    ## output bit flag-number (disabled atm.)   
    #(1..$flags.length) | ? {$flags[$_] -match $value}

    ## value
    (1..$flags.length) | ? {$flags[$_] -match $value} | % {[Math]::Pow(2,$_)}
}

test "HOMEDIR_REQUIRED"

输出:

8
于 2012-12-18T12:14:14.190 回答