Reputation: 9302
PHP, Active Directory, User Account Control
First of appologies if this should be on server-fault, but it's to do with PHP as well, so I thought this the best site for it.
I'm creating a few methods to integrate our intranet with Active Directory. One of the methods will automatically search our database for new users, and create user accounts in AD if new users are found.
Likewise, if a user is marked as left in the database, it will automatically disable the account in active directory.
I've been looking at the attributes passed from active directory, and in particular the User Account Control field.
On the microsoft website it states this under its list of attributes:
The following table lists possible flags that you can assign. You cannot set some
of the values on a user or computer object because these values can be set or
reset only by the directory service. The flags are cumulative. To disable a
user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In
decimal, this is 514 (2 + 512).
Question My question is, if we use the example above, to mark a record as a user (512) and disabled (2), this ultimately makes the field value returned by AD as 514.
In PHP, how can I extract what flags have been marked on the record? For example, If given 514, how can I use PHP to work out that its a normal user account, and also disabled (2 and 512)?
For example split the following:
Flag | Splits into | Flag Meaning
--------+------------------+---------------------------------------------------------
514 | 512 + 2 | Normal User Account + Disabled
522 | 512 + 2 + 8 | Normal User Account + Disabled + Home Directory Required
8389120 | 8388608 + 512 | Password Expired + Normal User Account
I hope you can understand my question, but feel free to ask for confirmation or more details.
Many thanks
Upvotes: 8
Views: 6689
Answers (4)
Reputation: 319
I think that even though the original post asks in a general way, the problem is specific to just certain flags that need to be checked. Using the very helpful list in Bill C's response:
$userAccountControl = 514; // Get this from AD
// using bitwise AND:
// this will be the right hand value if it's set, 0 if not
$isAccountDisabled = ($userAccountControl & 2) == 2;
$isNormalAccount = ($userAccountControl & 512) == 512;
And if the need is to update the value (which I think is the programmatic need of the original question, such as enabling the account):
$userAccountControl = 514; // Get this from AD
// using bitwise AND NOT:
// this will assure the right hand value is not set
$userAccountControl = $userAccountControl & ~2; // enable the account
// using bitwise OR:
// this will assure the right hand value is set
$userAccountControl = $userAccountControl | 512; // assure normal account
There is a nice abstract function example in the php bitwise operators docs that could be used to develop a generalized solution for AD flags: http://php.net/manual/en/language.operators.bitwise.php#108679.
Upvotes: 3
Reputation: 91
Adding to James Sloan's answer, here is the flag list :
public function findFlags($flag) {
$flags = array();
$flaglist = array(
1 => 'SCRIPT',
2 => 'ACCOUNTDISABLE',
8 => 'HOMEDIR_REQUIRED',
16 => 'LOCKOUT',
32 => 'PASSWD_NOTREQD',
64 => 'PASSWD_CANT_CHANGE',
128 => 'ENCRYPTED_TEXT_PWD_ALLOWED',
256 => 'TEMP_DUPLICATE_ACCOUNT',
512 => 'NORMAL_ACCOUNT',
2048 => 'INTERDOMAIN_TRUST_ACCOUNT',
4096 => 'WORKSTATION_TRUST_ACCOUNT',
8192 => 'SERVER_TRUST_ACCOUNT',
65536 => 'DONT_EXPIRE_PASSWORD',
131072 => 'MNS_LOGON_ACCOUNT',
262144 => 'SMARTCARD_REQUIRED',
524288 => 'TRUSTED_FOR_DELEGATION',
1048576 => 'NOT_DELEGATED',
2097152 => 'USE_DES_KEY_ONLY',
4194304 => 'DONT_REQ_PREAUTH',
8388608 => 'PASSWORD_EXPIRED',
16777216 => 'TRUSTED_TO_AUTH_FOR_DELEGATION',
67108864 => 'PARTIAL_SECRETS_ACCOUNT'
);
for ($i=0; $i<=26; $i++){
if ($flag & (1 << $i)){
array_push($flags, 1 << $i);
}
}
foreach($flags as $k=>&$v) {
$v = $v . ' ' . $flaglist[$v];
}
return $flags;
}
Upvotes: 9
Reputation: 388
Came upon the same situation today and it is more concise with:
$flag_to_find = 530;
$flags = array();
for ($i=0; $i<=26; $i++){
if ($flag_to_find & (1 << $i)){
array_push($flags, 1 << $i);
}
}
print_r($flags);
Upvotes: 3
Reputation: 9302
Ok, so after a lot of trial and error, I've worked out how to do it!
$bits = array(
'27' => 1, '26' => 2, '25' => 4, '24' => 8, '23' => 16, '22' => 32,
'21' => 64, '20' => 128, '19' => 256, '18' => 512, '17' => 1024,
'16' => 2048, '15' => 4096, '14' => 8192, '13' => 16328,
'12' => 32768, '11' => 65536, '10' => 131072, '9' => 262144,
'8' => 524288, '7' => 1048576, '6' => 2097152, '5' => 4194304,
'4' => 8388608, '3' => 16777216, '2' => 33554432, '1' => 67108864
);
$flag_to_find = 530; // Indicates a normal user account, which is disabled, and locked out
$binary = str_pad(decbin($flag_to_find), count($bits), 0, STR_PAD_LEFT);
$flags = array();
for($i=0; $i<strlen($binary); $i++)
{
if($binary[$i]==1)
{
$flags[] = $bits[$i+1];
}
}
print_r($flags);
// Outputs: 512: Normal User Account
16: Locked Out Account
2: Disabled Accout
It works by getting the decimal values of ALL possible flags in the UAC. There are 27 - I've assigned all values to the $bits array.
You then specify a flag to find.
Then convert the decimal value of the flag, to binary, and left pad it with 0.
Loop through each value in the binary string. If the iteration value is 1, get its associated flag decimal value from the $bits array.
All possible flags are then stored in the $flags array.
Hope this helps anyone in future with similar problems!
Upvotes: 1
Related Questions
- Authenticating in PHP using LDAP through Active Directory
- Connect an active directory or LDAP with PHP
- LDAP - Looking for a better way to manage users in PHP/Mysql
- php bind ldap to active directory
- LDAP users and web application
- PHP LDAP binding AD with the server's user account
- php Active Directory lookup
- Adding user via PHP:LDAP
- LDAP Authenticating user in PHP
- PHP LDAP Connection