Johnny Heisler

Reputation: 75

Disabled AD Users Based on List

I'm trying to write a simple script which will tell me what AD Users are Disabled in a List.

<#
userAccountControl values checked below:
512   = Enabled
514   = Disabled
66048 = Enabled, password never expires
66050 = Disabled, password never expires
#>

Write-Host "Enter Full File Path for User List"
$UserListPath = Read-Host "Path"

# One user name per line
$Users = Get-Content $UserListPath

foreach ($user in $Users) {
    # Read userAccountControl for this user; Out-String turns the number into text
    # (with a trailing newline) so it can be compared against the strings below
    $UAC = Get-ADUser -Identity $user -Properties "useraccountcontrol" | Select-Object -ExpandProperty "useraccountcontrol" | Out-String

    if ($UAC -eq "514") {
        Write-Host "$user Is Disabled" -ForegroundColor Red
    }
    elseif ($UAC -eq "66050") {
        Write-Host "$user Is Disabled" -ForegroundColor Red
    }
}

Upvotes: 3

Views: 1087

Answers (2)

user3012708

Reputation: 946

You could even skip checking the useraccountcontrol property entirely, and look into the "Enabled" property.

Example:

# Enabled is one of the properties Get-ADUser returns by default
$UAC = Get-ADUser -Identity $user -Properties "useraccountcontrol" | Select-Object -ExpandProperty "Enabled"

Unfortunately, I'm not a member of a domain, and don't have AD Cmdlets installed, but this should give you a True or False value back. (Unsure if string or boolean)

Upvotes: 1

Gabriel Luci

Reputation: 40858

The userAccountControl attribute is a bit flag. That means that each digit of the binary number is a flag that has a different meaning.

So while values of 514 and 66050 do mean disabled, there are lots of other decimal values that also mean it's disabled. What really makes the account disabled is if the second bit is 1. You can see this in the binary representation of those numbers:

514 = 001000000010

66050 = 00010000001000000010

The only sure way to determine that an account is disabled is by using a bitwise operator to check the right bit.

But there is also no point converting the userAccountControl to a string like you are.

So the inside of your loop should look something like this:

$UAC = (Get-ADUser -Identity $user -Properties "useraccountcontrol").useraccountcontrol

# 2 is the ACCOUNTDISABLE flag (second bit from the right)
if ($UAC -band 2) {
    Write-Host "$user Is Disabled" -ForegroundColor Red
}

Upvotes: 3
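As an added example (not code from the question or from either answer), here is a complete version of the loop that applies the bitwise check from this answer and cross-checks it against the Enabled property suggested in the earlier answer. It assumes the ActiveDirectory module is loaded; the file path prompt, the hypothetical Test-UacDisabled helper and the sample values in the offline sanity loop are assumptions made for the example. The offline loop at the top runs without a domain and shows why any value with bit 2 set counts as disabled, not just 514 and 66050.

```powershell
# Added example; not the question's or the answers' own code.
# Assumes the ActiveDirectory module is available for the Get-ADUser part.

# Bit flags from the userAccountControl attribute (only the ones used here)
$ACCOUNTDISABLE       = 0x0002   # bit 2: account is disabled
$DONT_EXPIRE_PASSWORD = 0x10000  # bit 17: password never expires

function Test-UacDisabled {
    # Hypothetical helper: true when the ACCOUNTDISABLE bit is set,
    # whatever other flags are present (514, 66050, 546, ...).
    param([Parameter(Mandatory)][int]$UserAccountControl)
    return [bool]($UserAccountControl -band $ACCOUNTDISABLE)
}

# Offline sanity check using constructed values: the four from the question
# plus 546 (512 + 32 + 2 = disabled, password not required), which the
# string comparison in the question would have missed.
foreach ($v in 512, 514, 66048, 66050, 546) {
    '{0,6} -> {1,20} disabled={2}' -f $v, [Convert]::ToString($v, 2), (Test-UacDisabled $v)
}

# Live part: one sAMAccountName per line, blank lines skipped
$UserListPath = Read-Host "Path to user list"
$Users = Get-Content -Path $UserListPath | Where-Object { $_.Trim() }

foreach ($user in $Users) {
    $name = $user.Trim()
    try {
        $adUser = Get-ADUser -Identity $name -Properties userAccountControl -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # A name that is not in AD should be reported, not silently skipped
        Write-Host "$name not found in AD" -ForegroundColor Yellow
        continue
    }

    $uac      = [int]$adUser.userAccountControl
    $disabled = Test-UacDisabled $uac

    # Enabled is derived from the same bit, so the two views must agree;
    # a mismatch would point at a stale or partial object
    if ($disabled -eq $adUser.Enabled) {
        Write-Warning "$name : Enabled=$($adUser.Enabled) disagrees with userAccountControl=$uac"
    }

    if ($disabled) {
        Write-Host "$name Is Disabled (UAC=$uac)" -ForegroundColor Red
    } elseif ($uac -band $DONT_EXPIRE_PASSWORD) {
        Write-Host "$name Is Enabled, password never expires (UAC=$uac)"
    } else {
        Write-Host "$name Is Enabled (UAC=$uac)" -ForegroundColor Green
    }
}
```

The integer is never converted to a string, so the comparison works on the raw flag value; the try/catch keeps one unknown name in the list from stopping the whole run, and the Enabled cross-check costs nothing because Get-ADUser already returns that property by default.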
