UserAccountControl

johnrod

  • Total Posts : 9
  • Scores: 0
  • Reward points : 0
  • Joined: 9/19/2005
  • Status: offline
UserAccountControl Tuesday, March 27, 2007 7:06 AM (permalink)
I wrote this script recently to return all applicable flags from the UserAccountControl attribute of an Active Directory object, read through ADSI. One caveat worth knowing: on Active Directory the LOCKOUT and PASSWORD_EXPIRED bits are not persisted in userAccountControl itself (Windows Server 2003 and later expose them through the constructed attribute msDS-User-Account-Control-Computed), so a script that reads only userAccountControl will not report those two states.

I hope this may be of use to someone. Any comments would be appreciated.


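 Option Explicit
 ' Decodes the userAccountControl flags of one Active Directory object and
 ' prints a human-readable line for every flag that is set.
 '
 ' Usage:  cscript UserAccountControl.vbs "<distinguishedName>"
 '         With no argument the placeholder DN assigned to ObjectDN below is
 '         used; edit it to suit your domain.
 '
 ' The LOCKOUT and PASSWORD_EXPIRED bits are not stored in userAccountControl
 ' on Active Directory; they are only reported through the constructed
 ' attribute msDS-User-Account-Control-Computed (Windows Server 2003+ DCs).
 ' That attribute is merged in below so those two states are actually shown.
 
 Dim ACCList
 Dim AccountControl
 Dim objMember
 Dim ObjectDN
 Dim RawUAC
 Dim ComputedUAC
 Dim Item
 Dim SCRIPTv
 Dim ACCOUNTDISABLEv
 Dim HOMEDIR_REQUIREDv
 Dim LOCKOUTv
 Dim PASSWD_NOTREQDv
 Dim PASSWD_CANT_CHANGEv
 Dim ENCRYPTED_TEXT_PWD_ALLOWEDv
 Dim TEMP_DUPLICATE_ACCOUNTv
 Dim NORMAL_ACCOUNTv
 Dim INTERDOMAIN_TRUST_ACCOUNTv
 Dim WORKSTATION_TRUST_ACCOUNTv
 Dim SERVER_TRUST_ACCOUNTv
 Dim DONT_EXPIRE_PASSWORDv
 Dim MNS_LOGON_ACCOUNTv
 Dim SMARTCARD_REQUIREDv
 Dim TRUSTED_FOR_DELEGATIONv
 Dim NOT_DELEGATEDv
 Dim USE_DES_KEY_ONLYv
 Dim DONT_REQ_PREAUTHv
 Dim PASSWORD_EXPIREDv
 Dim TRUSTED_TO_AUTH_FOR_DELEGATIONv
 
 '_____________________________________________
 ' Human-readable description for each flag. The variable name is the flag
 ' name plus a trailing "v"; UACC() returns those names so they can be
 ' resolved back to these strings.
 SCRIPTv = "The logon script will be run."
 ACCOUNTDISABLEv = "The account is disabled."
 HOMEDIR_REQUIREDv = "The home folder is required."
 LOCKOUTv = "This account is locked out."
 PASSWD_NOTREQDv = "No password is required."
 PASSWD_CANT_CHANGEv = "The user cannot change the password. This is a permission on the user's object."
 ENCRYPTED_TEXT_PWD_ALLOWEDv = "The user can send an encrypted password."
 TEMP_DUPLICATE_ACCOUNTv = "This is an account for users whose primary account is in " _
                            & "another domain. This account provides user access to this " _
                            & "domain, but not to any domain that trusts this domain. " _
                            & "This is sometimes referred to as a local user account."
 NORMAL_ACCOUNTv = "This is a default account type that represents a typical user."
 INTERDOMAIN_TRUST_ACCOUNTv = "This is a permit to trust an account for a system domain that trusts other domains. "
 WORKSTATION_TRUST_ACCOUNTv = "This is a computer account for a computer that is running " _
                               & "Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, " _
                               & "Microsoft Windows 2000 Professional, or Windows 2000 Server and " _
                               & "is a member of this domain."
 SERVER_TRUST_ACCOUNTv = "This is a computer account for a domain controller that is a member of this domain."
 DONT_EXPIRE_PASSWORDv = "The password will never expire on the account."
 MNS_LOGON_ACCOUNTv = "This is an MNS logon account."
 SMARTCARD_REQUIREDv = "User will be forced to log on by using a smart card."
 TRUSTED_FOR_DELEGATIONv = "The service account (the user or computer account) " _
                            & "under which a service runs is trusted for Kerberos delegation. Any such " _
                            & "service can impersonate a client requesting the service."
 NOT_DELEGATEDv = "The security context of the user is not " _
                   & "delegated to a service even if the service account is set as " _
                   & "trusted for Kerberos delegation."
 USE_DES_KEY_ONLYv = "(Windows 2000/Windows Server 2003) Restrict this principal to use only " _
                      & "Data Encryption Standard (DES) encryption types for keys. "
 DONT_REQ_PREAUTHv = "(Windows 2000/Windows Server 2003) This account does not require " _
                       & "Kerberos pre-authentication for logging on."
 PASSWORD_EXPIREDv = "The object's password has expired."
 TRUSTED_TO_AUTH_FOR_DELEGATIONv = "(Windows 2000/Windows Server 2003) The account is enabled for delegation. " _
                                    & "This is a security-sensitive setting. Accounts with this option enabled " _
                                    & "should be tightly controlled. This setting allows a service that runs under " _
                                    & "the account to assume a client's identity and authenticate as that user to " _
                                    & "other remote servers on the network."
 
 ' Target object: first command-line argument if one was given, otherwise the
 ' placeholder DN (kept so the script still runs exactly as before when
 ' launched without arguments).
 If WScript.Arguments.Count > 0 Then
    ObjectDN = WScript.Arguments(0)
 Else
    ObjectDN = "CN=SomeObject,OU=SomeOU,DC=your,DC=companies,DC=domain,DC=com"
 End If
 
 ' The only names Eval() below is ever asked to resolve. They are fixed in
 ' this script and never derived from directory data, so Eval is not exposed
 ' to untrusted input.
 ACCList = Array("SCRIPTv", "ACCOUNTDISABLEv", "HOMEDIR_REQUIREDv", "LOCKOUTv", "PASSWD_NOTREQDv", _
                "PASSWD_CANT_CHANGEv", "ENCRYPTED_TEXT_PWD_ALLOWEDv", "TEMP_DUPLICATE_ACCOUNTv", _
                "NORMAL_ACCOUNTv", "INTERDOMAIN_TRUST_ACCOUNTv", "WORKSTATION_TRUST_ACCOUNTv", _
                "SERVER_TRUST_ACCOUNTv", "DONT_EXPIRE_PASSWORDv", "MNS_LOGON_ACCOUNTv", _
                "SMARTCARD_REQUIREDv", "TRUSTED_FOR_DELEGATIONv", "NOT_DELEGATEDv", "USE_DES_KEY_ONLYv", _
                "DONT_REQ_PREAUTHv", "PASSWORD_EXPIREDv", "TRUSTED_TO_AUTH_FOR_DELEGATIONv")
 '_____________________________________________
 
 Set objMember = GetObject("LDAP://" & ObjectDN)
 
 WScript.Echo "Display Name: " & objMember.DisplayName
 WScript.Echo "SamAccountName: " & objMember.SamAccountName
 WScript.Echo "________________________________"
 
 RawUAC = objMember.UserAccountControl
 
 ' Merge in the computed bits (LOCKOUT, PASSWORD_EXPIRED). Domain controllers
 ' older than Windows Server 2003 do not have this attribute, so a failure to
 ' read it is tolerated and only the stored bits are decoded in that case.
 ComputedUAC = 0
 On Error Resume Next
 objMember.GetInfoEx Array("msDS-User-Account-Control-Computed"), 0
 ComputedUAC = objMember.Get("msDS-User-Account-Control-Computed")
 If Err.Number <> 0 Then
    ComputedUAC = 0
    Err.Clear
 End If
 On Error GoTo 0
 If Not IsNumeric(ComputedUAC) Then ComputedUAC = 0
 
 AccountControl = UACC(RawUAC Or ComputedUAC)
 
 For Each Item In ACCList
    ' Match whole comma-delimited tokens rather than bare substrings, so a
    ' flag name that happens to be contained in another name cannot be
    ' reported by mistake.
    If InStr("," & AccountControl & ",", "," & Item & ",") > 0 Then
       WScript.Echo Eval(Item)
    End If
 Next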
 
 
 
 
 '_____________________________________________
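 Function UACC(ACNum)
 ' Decode a userAccountControl bit-field into a comma-separated list of the
 ' names of the flags that are set. Each name carries a trailing "v" so the
 ' caller can resolve it to the matching description variable.
 '
 ' ACNum   : numeric userAccountControl value (a Long as returned by ADSI).
 '           A Null, Empty or otherwise non-numeric value yields "" instead of
 '           a runtime error (the attribute is absent on non-account objects).
 ' Returns : e.g. "ACCOUNTDISABLEv,NORMAL_ACCOUNTv", lowest bit first, with a
 '           single comma between names and no leading/trailing comma; "" when
 '           no known bit is set. Reserved/undocumented bits are ignored.
 Dim Masks, Names, Value, Bit, Result
 
 ' ADS_USER_FLAG_ENUM values. Comments mark the bits a security review cares
 ' about most.
 CONST SCRIPT = &H1
 CONST ACCOUNTDISABLE = &H2
 CONST HOMEDIR_REQUIRED = &H8
 CONST LOCKOUT = &H10                   ' not persisted in AD userAccountControl; only in msDS-User-Account-Control-Computed
 CONST PASSWD_NOTREQD = &H20            ' security: a blank password is permitted on this account
 CONST PASSWD_CANT_CHANGE = &H40
 CONST ENCRYPTED_TEXT_PWD_ALLOWED = &H80
 CONST TEMP_DUPLICATE_ACCOUNT = &H100
 CONST NORMAL_ACCOUNT = &H200
 CONST INTERDOMAIN_TRUST_ACCOUNT = &H800
 CONST WORKSTATION_TRUST_ACCOUNT = &H1000
 CONST SERVER_TRUST_ACCOUNT = &H2000
 CONST DONT_EXPIRE_PASSWORD = &H10000
 CONST MNS_LOGON_ACCOUNT = &H20000
 CONST SMARTCARD_REQUIRED = &H40000
 CONST TRUSTED_FOR_DELEGATION = &H80000 ' security: unconstrained Kerberos delegation
 CONST NOT_DELEGATED = &H100000
 CONST USE_DES_KEY_ONLY = &H200000      ' security: DES-only Kerberos keys (weak cipher)
 CONST DONT_REQ_PREAUTH = &H400000      ' security: no Kerberos pre-auth; an AS-REP for this account can be obtained and attacked offline
 CONST PASSWORD_EXPIRED = &H800000      ' not persisted in AD userAccountControl; only in msDS-User-Account-Control-Computed
 CONST TRUSTED_TO_AUTH_FOR_DELEGATION = &H1000000 ' security: protocol transition (S4U2Self) allowed
 
 ' Masks(i) pairs with Names(i); keep the two arrays aligned when adding a flag.
 Masks = Array(SCRIPT, ACCOUNTDISABLE, HOMEDIR_REQUIRED, LOCKOUT, PASSWD_NOTREQD, _
               PASSWD_CANT_CHANGE, ENCRYPTED_TEXT_PWD_ALLOWED, TEMP_DUPLICATE_ACCOUNT, _
               NORMAL_ACCOUNT, INTERDOMAIN_TRUST_ACCOUNT, WORKSTATION_TRUST_ACCOUNT, _
               SERVER_TRUST_ACCOUNT, DONT_EXPIRE_PASSWORD, MNS_LOGON_ACCOUNT, _
               SMARTCARD_REQUIRED, TRUSTED_FOR_DELEGATION, NOT_DELEGATED, USE_DES_KEY_ONLY, _
               DONT_REQ_PREAUTH, PASSWORD_EXPIRED, TRUSTED_TO_AUTH_FOR_DELEGATION)
 Names = Array("SCRIPTv", "ACCOUNTDISABLEv", "HOMEDIR_REQUIREDv", "LOCKOUTv", "PASSWD_NOTREQDv", _
               "PASSWD_CANT_CHANGEv", "ENCRYPTED_TEXT_PWD_ALLOWEDv", "TEMP_DUPLICATE_ACCOUNTv", _
               "NORMAL_ACCOUNTv", "INTERDOMAIN_TRUST_ACCOUNTv", "WORKSTATION_TRUST_ACCOUNTv", _
               "SERVER_TRUST_ACCOUNTv", "DONT_EXPIRE_PASSWORDv", "MNS_LOGON_ACCOUNTv", _
               "SMARTCARD_REQUIREDv", "TRUSTED_FOR_DELEGATIONv", "NOT_DELEGATEDv", "USE_DES_KEY_ONLYv", _
               "DONT_REQ_PREAUTHv", "PASSWORD_EXPIREDv", "TRUSTED_TO_AUTH_FOR_DELEGATIONv")
 
 ' Guard against Null/Empty input so the bit test below cannot fault.
 If Not IsNumeric(ACNum) Then
    UACC = ""
    Exit Function
 End If
 Value = CLng(ACNum)
 
 Result = ""
 For Bit = 0 To UBound(Masks)
    If (Value And Masks(Bit)) <> 0 Then
       If Len(Result) > 0 Then Result = Result & ","
       Result = Result & Names(Bit)
    End If
 Next
 
 UACC = Result
 End Function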
 
 
 
    Snipah

    • Total Posts : 1339
    • Scores: 8
    • Reward points : 0
    • Joined: 11/1/2004
    • Location: Scotland
    • Status: offline
    RE: UserAccountControl Wednesday, March 28, 2007 5:33 PM (permalink)
    Johnrod, looks great

     
If you could replace the long run of If statements with a table-driven loop (parallel arrays of bit masks and flag names), it would cut the file size considerably and make adding a flag a one-line change.