0
votes

In PowerShell I use the following LDAP query to retrieve the Active Directory properties of a host name:

$Filter = "(&(ObjectCategory=Computer)(ObjectClass=Computer)(CN=$ComputerName))"
if ($Found = ([ADSISEARCHER]$Filter).FindOne()) {
    $Details = $Found.GetDirectoryEntry()
}

Once I have these properties I would like to check if the computer account is disabled. The following LDAP query allows me to do that:

$Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2)(CN=$ComputerName))"
([ADSISEARCHER]$Filter).FindOne()

What I would like to know is, how can I avoid using the second LDAP query and use the variable $Details from the first LDAP query to obtain $True or $False if the computer account is disabled?

I found some extra information but I can't seem to put the pieces together.

Thank you for your help.

1
Is it required to use LDAP queries, or may you also use the ActiveDirectory module in PowerShell? - Deptor
No, the ActiveDirectory isn't available. - DarkLite1

1 Answer

2
votes

The information you're looking for is encoded in the userAccountControl of the directory entry object. However, the property contains an array with a numeric value, so you need to check if the "disabled" flag (numeric value 2) in the first array element is set:

$disabled = [bool]($Details.userAccountControl[0] -band 2)
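
As an added example (not code from the question or the answer), the same bit test can be done with a single search that reads userAccountControl straight from the search result. It goes a little beyond the answer by decoding a few other well-known flags and by escaping the computer name per RFC 4515 before it is placed in the filter; the function names are hypothetical.

```powershell
# Added example. Function names are hypothetical, not from the page.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515: escape \ * ( ) and NUL as \XX so input cannot change the filter's structure.
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Bit values from Microsoft's userAccountControl documentation.
    [pscustomobject]@{
        UserAccountControl   = $Value
        Disabled             = [bool]($Value -band 0x2)      # ACCOUNTDISABLE
        PasswordNotRequired  = [bool]($Value -band 0x20)     # PASSWD_NOTREQD
        WorkstationTrust     = [bool]($Value -band 0x1000)   # WORKSTATION_TRUST_ACCOUNT
        DomainController     = [bool]($Value -band 0x2000)   # SERVER_TRUST_ACCOUNT
        TrustedForDelegation = [bool]($Value -band 0x80000)  # TRUSTED_FOR_DELEGATION
    }
}

function Get-ComputerAccountState {
    param([Parameter(Mandatory)][string]$ComputerName)
    $cn = ConvertTo-LdapFilterValue $ComputerName
    $searcher = [ADSISEARCHER]"(&(objectCategory=computer)(objectClass=computer)(cn=$cn))"
    # Load only what is needed; the values come back on the search result itself.
    $searcher.PropertiesToLoad.AddRange([string[]]('cn', 'userAccountControl'))
    $found = $searcher.FindOne()
    if (-not $found) { return $null }   # no matching computer object
    $state = ConvertFrom-UserAccountControl ([int]$found.Properties['useraccountcontrol'][0])
    $state | Add-Member -NotePropertyName Name -NotePropertyValue ([string]$found.Properties['cn'][0]) -PassThru
}

# Constructed sample values (no directory needed): 4096 = enabled workstation, 4098 = same with bit 2 set.
(ConvertFrom-UserAccountControl 4096).Disabled
(ConvertFrom-UserAccountControl 4098).Disabled
# Constructed input containing filter metacharacters, to show the escaping.
ConvertTo-LdapFilterValue 'PC01)(cn=*'
```

Against a domain, `(Get-ComputerAccountState $ComputerName).Disabled` gives the boolean the question asks for, and `$null` is returned when no object matches.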