PowerShell - Check-UserFlagsEnum (ADS_USER_FLAG_ENUM)
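function Check-UserFlagsEnum([int]$int) {
    <#
    .SYNOPSIS
        Decodes an ADS_USER_FLAG_ENUM bit mask (e.g. userAccountControl) into the named flags it contains.
    .DESCRIPTION
        Tests every known ADS_UF_* bit against $int and returns one hashtable per set bit,
        each with a Name and a Description. Results are emitted in ascending bit order so the
        output is stable between runs (a plain hashtable's key enumeration order is not
        guaranteed). Set bits that are not in the table are silently ignored.
        REF: https://msdn.microsoft.com/en-us/library/windows/desktop/aa772300
    .PARAMETER int
        The flag value to decode, typically the userAccountControl attribute of a user or
        computer object. Values outside the signed 32-bit range are rejected by the [int] cast.
    .OUTPUTS
        System.Collections.Hashtable - zero or more @{Name = ...; Description = ...} entries,
        unrolled onto the pipeline (nothing is returned when no known bit is set).
    .EXAMPLE
        (Check-UserFlagsEnum 0x10200).Name
        # ADS_UF_NORMAL_ACCOUNT
        # ADS_UF_DONT_EXPIRE_PASSWD
    .NOTES
        Several of the decoded flags loosen authentication hardening and are worth surfacing
        in account audits: ADS_UF_PASSWD_NOTREQD, ADS_UF_DONT_REQUIRE_PREAUTH,
        ADS_UF_USE_DES_KEY_ONLY, ADS_UF_DONT_EXPIRE_PASSWD and the two delegation flags
        (ADS_UF_TRUSTED_FOR_DELEGATION, ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION).
    #>

    # Bit value -> flag metadata. Descriptions are taken from the ADS_USER_FLAG_ENUM reference.
    $flags = @{
        0x1       = @{Name = "ADS_UF_SCRIPT"; Description = "The logon script is executed. This flag does not work for the ADSI LDAP provider on either read or write operations. For the ADSI WinNT provider, this flag is read-only data, and it cannot be set for user objects."}
        0x2       = @{Name = "ADS_UF_ACCOUNTDISABLE"; Description = "The user account is disabled."}
        0x8       = @{Name = "ADS_UF_HOMEDIR_REQUIRED"; Description = "The home directory is required."}
        0x10      = @{Name = "ADS_UF_LOCKOUT"; Description = "The account is currently locked out."}
        0x20      = @{Name = "ADS_UF_PASSWD_NOTREQD"; Description = "No password is required."}
        0x40      = @{Name = "ADS_UF_PASSWD_CANT_CHANGE"; Description = "The user cannot change the password. This flag can be read, but not set directly."}
        0x80      = @{Name = "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED"; Description = "The user can send an encrypted password."}
        0x100     = @{Name = "ADS_UF_TEMP_DUPLICATE_ACCOUNT"; Description = "This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account."}
        0x200     = @{Name = "ADS_UF_NORMAL_ACCOUNT"; Description = "This is a default account type that represents a typical user."}
        0x800     = @{Name = "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT"; Description = "This is a permit to trust account for a system domain that trusts other domains."}
        0x1000    = @{Name = "ADS_UF_WORKSTATION_TRUST_ACCOUNT"; Description = "This is a computer account for a Windows or Windows Server that is a member of this domain."}
        0x2000    = @{Name = "ADS_UF_SERVER_TRUST_ACCOUNT"; Description = "This is a computer account for a system backup domain controller that is a member of this domain."}
        0x10000   = @{Name = "ADS_UF_DONT_EXPIRE_PASSWD"; Description = "When set, the password will not expire on this account."}
        0x20000   = @{Name = "ADS_UF_MNS_LOGON_ACCOUNT"; Description = "This is an Majority Node Set (MNS) logon account. With MNS, you can configure a multi-node Windows cluster without using a common shared disk."}
        0x40000   = @{Name = "ADS_UF_SMARTCARD_REQUIRED"; Description = "When set, this flag will force the user to log on using a smart card."}
        0x80000   = @{Name = "ADS_UF_TRUSTED_FOR_DELEGATION"; Description = "When set, the service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, set this flag on the userAccountControl property of the service account."}
        0x100000  = @{Name = "ADS_UF_NOT_DELEGATED"; Description = "When set, the security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation."}
        0x200000  = @{Name = "ADS_UF_USE_DES_KEY_ONLY"; Description = "Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys."}
        0x400000  = @{Name = "ADS_UF_DONT_REQUIRE_PREAUTH"; Description = "This account does not require Kerberos preauthentication for logon."}
        0x800000  = @{Name = "ADS_UF_PASSWORD_EXPIRED"; Description = "The user password has expired. This flag is created by the system using data from the password last set attribute and the domain policy. It is read-only and cannot be set."}
        0x1000000 = @{Name = "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION"; Description = "The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network."}
    }

    # Sort the keys so callers always see the flags in ascending bit order;
    # enumerating $flags.Keys directly yields an implementation-defined order.
    $result = @()
    foreach ($bit in ($flags.Keys | Sort-Object)) {
        if ($int -band $bit) {
            $result += $flags[$bit]
        }
    }
    return $result
}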