这是执行用户帐户控制操作的另一种方法,我觉得它最终比其他建议的方法更清洁、更通用。这是我在回答Active Directory中的userAccountControl 时提供的相同方法的 PowerShell 版本。(另请参阅如何使用 UserAccountControl 标志来操作用户帐户属性。)
Add-Type -TypeDefinition @"
/// <summary>
/// Flags that control the behavior of the user account.
/// </summary>
[System.Flags()]
public enum UserAccountControl : int
{
/// <summary>
/// The logon script is executed. This flag does not work for the ADSI LDAP provider on either read or write operations. For
/// the ADSI WinNT provider, this flag is read-only data, and it cannot be set for user objects.
///</summary>
SCRIPT = 0x00000001,
/// <summary>
/// The user account is disabled.
///</summary>
ACCOUNTDISABLE = 0x00000002,
/// <summary>
/// The home directory is required.
///</summary>
HOMEDIR_REQUIRED = 0x00000008,
/// <summary>
/// The account is currently locked out.
///</summary>
LOCKOUT = 0x00000010,
/// <summary>
/// No password is required.
///</summary>
PASSWD_NOTREQD = 0x00000020,
/// <summary>
/// The user cannot change the password.
///</summary>
/// <remarks>
/// Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute.
/// For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
// </remarks>
PASSWD_CANT_CHANGE = 0x00000040,
/// <summary>
/// The user can send an encrypted password.
///</summary>
ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080,
/// <summary>
/// This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not
/// to any domain that trusts this domain. Also known as a local user account.
///</summary>
TEMP_DUPLICATE_ACCOUNT = 0x00000100,
/// <summary>
/// This is a default account type that represents a typical user.
///</summary>
NORMAL_ACCOUNT = 0x00000200,
/// <summary>
/// This is a permit to trust account for a system domain that trusts other domains.
///</summary>
INTERDOMAIN_TRUST_ACCOUNT = 0x00000800,
/// <summary>
/// This is a computer account for a computer that is a member of this domain.
///</summary>
WORKSTATION_TRUST_ACCOUNT = 0x00001000,
/// <summary>
/// This is a computer account for a system backup domain controller that is a member of this domain.
///</summary>
SERVER_TRUST_ACCOUNT = 0x00002000,
/// <summary>
/// Not used.
///</summary>
Unused1 = 0x00004000,
/// <summary>
/// Not used.
///</summary>
Unused2 = 0x00008000,
/// <summary>
/// The password for this account will never expire.
///</summary>
DONT_EXPIRE_PASSWD = 0x00010000,
/// <summary>
/// This is an Majority Node Set (MNS) logon account. With MNS, you can configure a multi-node Windows cluster without using a common shared disk.
///</summary>
MNS_LOGON_ACCOUNT = 0x00020000,
/// <summary>
/// The user must log on using a smart card.
///</summary>
SMARTCARD_REQUIRED = 0x00040000,
/// <summary>
/// The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service
/// can impersonate a client requesting the service.
///</summary>
TRUSTED_FOR_DELEGATION = 0x00080000,
/// <summary>
/// The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
///</summary>
NOT_DELEGATED = 0x00100000,
/// <summary>
/// Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
///</summary>
USE_DES_KEY_ONLY = 0x00200000,
/// <summary>
/// This account does not require Kerberos pre-authentication for logon.
///</summary>
DONT_REQUIRE_PREAUTH = 0x00400000,
/// <summary>
/// The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
///</summary>
PASSWORD_EXPIRED = 0x00800000,
/// <summary>
/// The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly
/// controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to
/// other remote servers on the network.
///</summary>
TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000,
/// <summary>
/// (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive
/// setting. Removing this setting from an RODC compromises security on that server.
/// </summary>
PARTIAL_SECRETS_ACCOUNT = 0x04000000,
/// <summary>
///
/// </summary>
USE_AES_KEYS = 0x08000000
}
"@
下面的 PowerShell 代码演示了如何使用这种类型。
# This is how you convert an integer to a UserAccountControl value
[int] $userAccountControlValue = 544
[UserAccountControl] $userAccountControl = [UserAccountControl] $userAccountControlValue
# This is how you can build an account value up from the flags
[UserAccountControl] $userAccountControl = [UserAccountControl]::NORMAL_ACCOUNT -bor [UserAccountControl]::PASSWD_NOTREQD
# Alternatively, PowerShell will allow you to cast a string containing valid flags separated by commas directly into UserAccountControl
[UserAccountControl] $userAccountControl = [UserAccountControl] "NORMAL_ACCOUNT, PASSWD_NOTREQD"
# This is how you would add a flag to an existing value
$userAccountControl = $userAccountControl -bor [UserAccountControl]::DONT_EXPIRE_PASSWD
# This gets a comma separated string of the flag names that apply.
[string] $userAccountControlFlagNames = $userAccountControl.ToString()
# This is how you test for an individual flag.
[bool] $isNormalAccount = ($userAccountControl -band [UserAccountControl]::NORMAL_ACCOUNT) -eq [UserAccountControl]::NORMAL_ACCOUNT
[bool] $isAccountDisabled = ($userAccountControl -band [UserAccountControl]::ACCOUNTDISABLE) -eq [UserAccountControl]::ACCOUNTDISABLE
[bool] $isAccountLockedOut = ($userAccountControl -band [UserAccountControl]::LOCKOUT) -eq [UserAccountControl]::LOCKOUT
[bool] $dontExpirePassword = ($userAccountControl -band [UserAccountControl]::DONT_EXPIRE_PASSWD) -eq [UserAccountControl]::DONT_EXPIRE_PASSWD
# The results are easily used to do things.
if ($isAccountDisabled -eq $true)
{
# Do something about it.
}
# The results are also easy to output.
"The account flags are $userAccountControlFlagNames."
"Is this a normal account? $isNormalAccount"
"Is the account disabled? $isAccountDisabled"
"Is the account locked out? $isAccountLockedOut"
"Does the account password never expire? $dontExpirePassword"
此外,如果您使用 Windows PowerShell Get-ADUser commandlet 的 Active Directory 模块,则可以使用以下代码快速查看解码的标志:
Get-ADUser username -Properties userAccountConrol | Select *, @{ name = 'userAccountControlFlags'; expression = { [UserAccountControl] $_.userAccountControl } }
您还可以使用它来执行诸如搜索特定标志组合之类的操作:
[UserAccountControl] $desiredFlags = "NORMAL_ACCOUNT, ACCOUNTDISABLE"
# You can search for specific flags like this
$filter = "objectCategory -eq 'person' -and objectClass -eq 'user' -and (userAccountControl -band $([int] $desiredFlags))"
$users = Get-ADUser -Filter $filter -Property userAccountControl
$users | Select *, @{ name = 'userAccountControlFlags'; expression = { [UserAccountControl] $_.userAccountControl } }
# or you can search for the desired flags more efficiently using an LDAP filter.
$ldapFilter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$([int] $desiredFlags)))"
$users = Get-ADUser -LDAPFilter $ldapFilter -Property userAccountControl
$users | Select *, @{ name = 'userAccountControlFlags'; expression = { [UserAccountControl] $_.userAccountControl } }