Displaying Password Attributes Accessible from userAccountControl

Microsoft® Windows® 2000 Scripting Guide

« Previous | Next »   

The LDAP provider can read the value of the userAccountControl attribute to determine:

• Whether a password is required.
• Whether the Password never expires option is enabled or disabled.
• Whether the Store password using reversible encryption option is enabled or disabled.

Scripting Steps

Listing 7.4 contains a script that displays the state of password flags in the userAccountControl attribute and the pwdLastSet attribute of a user account. To carry out this task, the script performs the following steps:

1. Create a Dictionary object to hold the value of the flags directly available from the userAccountControl attribute.
2. Define the name and the value of each flag in the Dictionary object.
3. Bind to the user account object by using the GetObject function and the LDAP provider.
4. Create the intUAC variable, and initialize it to the integer value of the userAccountControl attribute.
5. Create a loop, and use the bitwise AND operator to evaluate each flag value against the value of the userAccountControl attribute.
6. Display each flag name and whether it is enabled or disabled.

Listing 7.4   Displaying Password Attributes Available from the LDAP Provider and the userAccountControl Attribute

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 

Set objHash = CreateObject("Scripting.Dictionary") objHash.Add "ADS_UF_PASSWD_NOTREQD", &h00020 objHash.Add "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED", &h0080 objHash.Add "ADS_UF_DONT_EXPIRE_PASSWD", &h10000 Set objUser = GetObject _     ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") intUAC = objUser.Get("userAccountControl") For Each Key In objHash.Keys     If objHash(Key) And intUAC Then         Wscript.Echo Key & " is enabled"     Else         Wscript.Echo Key & " is disabled"     End If Next

Send us your feedback

« Previous | Next »