  • Status: Solved
  • Priority: Medium
  • Security: Public

How to determine if a flag has been set based on cumulative flag values

I'm trying to find out if a user in Active Directory has the option "account never expires" checked.

Microsoft documentation details the following userAccountControl flags:
SCRIPT                           0x0001      1
ACCOUNTDISABLE                   0x0002      2
HOMEDIR_REQUIRED                 0x0008      8
LOCKOUT                          0x0010      16
PASSWD_NOTREQD                   0x0020      32
PASSWD_CANT_CHANGE               0x0040      64
ENCRYPTED_TEXT_PWD_ALLOWED       0x0080      128
TEMP_DUPLICATE_ACCOUNT           0x0100      256
NORMAL_ACCOUNT                   0x0200      512
INTERDOMAIN_TRUST_ACCOUNT        0x0800      2048
WORKSTATION_TRUST_ACCOUNT        0x1000      4096
SERVER_TRUST_ACCOUNT             0x2000      8192
DONT_EXPIRE_PASSWORD             0x10000     65536
MNS_LOGON_ACCOUNT                0x20000     131072
SMARTCARD_REQUIRED               0x40000     262144
TRUSTED_FOR_DELEGATION           0x80000     524288
NOT_DELEGATED                    0x100000    1048576
USE_DES_KEY_ONLY                 0x200000    2097152
DONT_REQ_PREAUTH                 0x400000    4194304
PASSWORD_EXPIRED                 0x800000    8388608
TRUSTED_TO_AUTH_FOR_DELEGATION   0x1000000   16777216

Documentation states that the values are cumulative. So, a user who has a normal account and a don't-expire password has the value 0x10200, or a decimal value of 66048. How can I then determine if a particular flag has been set?

Thanks!
Asked by: afking8268

frodoman commented:
Use the "AND" operator to check for any specific value.

(66048 AND 65536) = 65536

This will return true if the flag is set and false if not.

General form:

If (<cumvalue> and <testvalue>) = <testvalue> then true else false

gregoryyoung commented:
Actually, those are defined as constants so that you can do ...

Dim foo As Boolean = (yourval And constant) > 0

but either way works ... the reason for comparing to 0 is that you could avoid a comparison by directly casting to a boolean if you really wanted to.

Greg

puranik_p commented:
From what I understand...
If a user has a flag value of SCRIPT, ACCOUNTDISABLE, HOMEDIR_REQUIRED = 11
and you need to decide whether he's got a value for ACCOUNTDISABLE = True or not.

I'd do it this way...
Get the UserFlagValue.
Get ValueToCheck.

GetValueToCheck = 2 (in this case, for ACCOUNTDISABLE)

Now please excuse me for not doing datatype casting. (VB.Net)

Function CheckFlagValue(ByVal UserFlagValue, ByVal GetValueToCheck) As Boolean

    Dim i = 16777216 ' max flag value
    While i >= 1
        ' If this flag value fits into what is left, the flag is set: subtract it
        If i <= UserFlagValue Then
            UserFlagValue = UserFlagValue - i
            If i = GetValueToCheck Then
                Return True
            End If
        End If

        ' Next flag value in descending order: every flag is a power of two, so halve
        i = i \ 2
    End While

    Return False

End Function

gregoryyoung commented:
Function CheckFlagValue(ByVal UserFlagValue, ByVal GetValueToCheck) As Boolean
    ' True only when every bit of GetValueToCheck is set in UserFlagValue
    Return (UserFlagValue And GetValueToCheck) = GetValueToCheck
End Function
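
Added example (not code from any of the posters): a Python decoder built on the flag table in the question. It shows that the equals-test and compare-to-zero forms from the thread agree for a single flag but differ for a multi-bit mask, and it reports bits the table does not list; the function names and sample accounts are constructed for illustration.

```python
from enum import IntFlag

class UAC(IntFlag):  # values copied from the table in the question
    SCRIPT = 0x0001
    ACCOUNTDISABLE = 0x0002
    HOMEDIR_REQUIRED = 0x0008
    LOCKOUT = 0x0010
    PASSWD_NOTREQD = 0x0020
    PASSWD_CANT_CHANGE = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
    TEMP_DUPLICATE_ACCOUNT = 0x0100
    NORMAL_ACCOUNT = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT = 0x0800
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT = 0x2000
    DONT_EXPIRE_PASSWORD = 0x10000
    MNS_LOGON_ACCOUNT = 0x20000
    SMARTCARD_REQUIRED = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000
    USE_DES_KEY_ONLY = 0x200000
    DONT_REQ_PREAUTH = 0x400000
    PASSWORD_EXPIRED = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

KNOWN = sum(f.value for f in UAC)  # every bit the table defines

def has_all(value, mask):
    # (value AND test) = test form: true only if every bit of mask is set
    return (value & int(mask)) == int(mask)

def has_any(value, mask):
    # compare-to-zero form: true if at least one bit of mask is set
    return (value & int(mask)) != 0

def decode(value):
    # names of the set flags, plus any leftover bits the table does not define
    return [f.name for f in UAC if value & f.value], value & ~KNOWN

def find_accounts(accounts, mask):
    # account name -> flags from mask that are set on that account
    hits = {n: decode(v & int(mask))[0] for n, v in accounts.items()}
    return {n: flags for n, flags in hits.items() if flags}

# Constructed sample values, not real directory data
SAMPLE = {"alice": 512, "svc_backup": 66048, "legacy": 4194848}
```

For a single flag `has_all` and `has_any` give the same answer; pass a combined mask and only `has_all` requires every flag in it.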