stackprotector

Reputation: 13588

Query msDS-User-Account-Control-Computed with PowerShell built-in tools/modules

I want to query the msDS-User-Account-Control-Computed attribute of an Active Directory user account by using PowerShell with built-in tools/modules. That means I cannot use cmdlets like Get-ADUser. I am using the DirectorySearcher class/adsisearcher instead.

I try to query it like this from my domain-joined computer, where I am logged on as a regular domain user:

$ldapquery = [adsisearcher] "(sAMAccountName=$env:USERNAME)"
$ldapquery.PropertiesToLoad.Add('msDS-User-Account-Control-Computed') | Out-Null
$account = $ldapquery.FindOne()
$account.Properties['msDS-User-Account-Control-Computed']

The code seems to query the attribute, but it prints 0. It should be 512 for a regular user[1]. If I use GetDirectoryEntry() on the account to get all of its properties, the msDS-User-Account-Control-Computed attribute is not part of it:

$account.GetDirectoryEntry() | Format-List *

Trying to query it with a SearchScope of Base also does not seem to work:

$ldapquery = [adsisearcher] "(sAMAccountName=$env:USERNAME)"
$account = $ldapquery.FindOne()

$ldapquery2 = [adsisearcher] "(distinguishedName=$($account.Properties['distinguishedName'][0]))"
$ldapquery2.PropertiesToLoad.Add('msDS-User-Account-Control-Computed') | Out-Null
$ldapquery2.SearchRoot = $account.Path
$ldapquery2.SearchScope = [System.DirectoryServices.SearchScope]::Base
$account2 = $ldapquery2.FindOne()
$account2.Properties['msDS-User-Account-Control-Computed']

It prints 0, too.


[1] If I query userAccountControl instead of msDS-User-Account-Control-Computed, it prints 512. But I really need msDS-User-Account-Control-Computed as it contains more flags: In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information about this new attribute, see ms-DS-User-Account-Control-Computed attribute.

Upvotes: 0

Views: 36
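Added example, not part of the original post: it reads userAccountControl and msDS-User-Account-Control-Computed for one account using only built-in ADSI types, then decodes the combined value into flag names. The function names and the use of RefreshCache are assumptions of this example; the flag values are the documented UserAccountControl constants.

```powershell
# Added example. Flag values are the documented UserAccountControl constants.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x000002
    LOCKOUT              = 0x000010
    NORMAL_ACCOUNT       = 0x000200
    DONT_EXPIRE_PASSWORD = 0x010000
    PASSWORD_EXPIRED     = 0x800000
}

function ConvertFrom-UacValue {
    # Returns the names of the flags set in $Value; a value of 0 yields an empty list,
    # i.e. neither LOCKOUT nor PASSWORD_EXPIRED (nor any other listed flag) is set.
    param([Parameter(Mandatory)][int]$Value)
    @($UacFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key })
}

function Get-AccountState {
    # Hypothetical helper: merges the stored and the computed attribute of one account.
    param([string]$SamAccountName = $env:USERNAME)

    # Reject characters that would change the meaning of the LDAP filter.
    if ($SamAccountName -notmatch '^[\w.$-]+$') {
        throw "Unexpected characters in account name"
    }
    $result = ([adsisearcher]"(sAMAccountName=$SamAccountName)").FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found" }

    # Request both attributes by name for this one object.
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('userAccountControl',
                                    'msDS-User-Account-Control-Computed'))
    $stored   = [int]$entry.Properties['userAccountControl'].Value
    $computed = [int]$entry.Properties['msDS-User-Account-Control-Computed'].Value

    [pscustomobject]@{
        Stored   = $stored
        Computed = $computed
        Flags    = ConvertFrom-UacValue ($stored -bor $computed)
    }
}

# Constructed values (no directory needed): a normal account,
# then the same account with the password-expired bit added.
ConvertFrom-UacValue 512
ConvertFrom-UacValue (512 -bor 0x800000)
```

On a domain-joined machine, `Get-AccountState` with no arguments reports the current user's stored value, computed value and decoded flags.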

Answers (0)
