Ozkan

Reputation: 4170

How to read userAccountControl

I need to know if an account is:

From which userAccountControl values can I know that the account is one of the above?

Upvotes: 0

Views: 782

Answers (2)

Webguy

Reputation: 51

userAccountControl is the field in Active Directory that contains these bit values. You can use an LDAP Query to find accounts that meet whatever criteria you want on that field using the values found in Brian's response before mine. Here is an example that checks if the specified user is disabled.

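// Needs a reference to System.DirectoryServices and these namespaces:
using System;
using System.Diagnostics;
using System.DirectoryServices;
using System.Reflection;

// Returns true when the user's userAccountControl has the ACCOUNTDISABLE bit (2) set.
// Note: false is also returned when the user is not found or the lookup fails.
public bool checkDisabled(string domainFQDN, string alias)
{
    bool disabled = false;

    try
    {
        // Escape filter metacharacters (RFC 4515) so the alias cannot alter the query; backslash goes first.
        string safeAlias = alias.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");

        // "domain\\cn" and "password" are placeholders for the bind credentials.
        using (DirectoryEntry domainDE = new DirectoryEntry("LDAP://" + domainFQDN, "domain\\cn", "password", AuthenticationTypes.Secure))
        {
            using (DirectorySearcher searcher = new DirectorySearcher(domainDE))
            {
                // 1.2.840.113556.1.4.803 is the bitwise-AND matching rule: match when bit 2 is set.
                searcher.Filter = String.Format("(&(objectClass=user)(cn={0})(userAccountControl:1.2.840.113556.1.4.803:=2))", safeAlias);
                disabled = (searcher.FindOne() != null);
            }
        }
    }
    catch (Exception ex)
    {
        EventLog.WriteEntry("source name", MethodBase.GetCurrentMethod().DeclaringType + "." + MethodBase.GetCurrentMethod().Name + "\r\n\r\nUnable to check disabled state for domain: " + domainFQDN + " user: " + alias + "\r\n\r\n" + ex.Message, EventLogEntryType.Error);
    }

    return disabled;
}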

Upvotes: 1

Brian Desmond

Reputation: 4503

This field is a bitmask. You can look at https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx to see the various fields.

Upvotes: 2
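
Added example, not part of either answer: decoding a raw userAccountControl value into flag names and building the bitwise-match filter with the user name escaped. The `Uac` enum (a subset of the flags on the linked page), the `UacExample` class and the sample value 66050 are constructed for illustration; the bitwise-OR rule OID ending in .804 is not mentioned on the page.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
[Flags]
public enum Uac   // subset of ADS_USER_FLAG_ENUM
{
    AccountDisable       = 0x000002,
    PasswdNotReqd        = 0x000020,
    NormalAccount        = 0x000200,
    DontExpirePassword   = 0x010000,
    SmartcardRequired    = 0x040000,
    TrustedForDelegation = 0x080000,
    DontReqPreauth       = 0x400000
    // LOCKOUT (0x10) and PASSWORD_EXPIRED (0x800000) are omitted: AD reports them
    // in msDS-User-Account-Control-Computed, not reliably in userAccountControl.
}

public static class UacExample   // hypothetical helper class
{
    // Names of the known bits set in a raw value, plus any bits this subset does not name.
    public static List<string> Decode(int raw)
    {
        var names = new List<string>();
        foreach (Uac f in Enum.GetValues(typeof(Uac)))
            if ((raw & (int)f) != 0) { names.Add(f.ToString()); raw &= ~(int)f; }
        if (raw != 0) names.Add("Unknown(0x" + raw.ToString("X") + ")");
        return names;
    }
    // RFC 4515 escaping so a user-supplied name cannot alter the filter.
    public static string Escape(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
            if ("\\*()\0".IndexOf(c) >= 0) sb.Append('\\').Append(((int)c).ToString("x2"));
            else sb.Append(c);
        return sb.ToString();
    }
    // matchAll: every bit must be set (rule ...803); otherwise any one bit (rule ...804).
    public static string BuildFilter(string cn, Uac bits, bool matchAll)
    {
        string rule = matchAll ? "1.2.840.113556.1.4.803" : "1.2.840.113556.1.4.804";
        return string.Format("(&(objectClass=user)(cn={0})(userAccountControl:{1}:={2}))", Escape(cn), rule, (int)bits);
    }
    public static void Main()
    {
        Console.WriteLine(string.Join(", ", Decode(66050)));   // constructed value 0x10202
        Console.WriteLine(BuildFilter("a*(b)", Uac.AccountDisable | Uac.DontExpirePassword, true));
    }
}
```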
