Brady
A moan, a groan, my life story and how me, a technically minded person just can't seem to fit in with anybody.

PHP – Active Directory – Reading UserAccountControl

At the moment I’m doing a lot of work with Microsoft Active Directory and PHP. I’m building a few tools in PHP which read data out of AD.

Now one of the things I wanted to read out was whether the account was locked or whether its password never expired. I couldn’t find these entries in AD, but after searching I found that they are stored in “useraccountcontrol”. But when I looked it was just a number. How does that number tell you if the account is locked?

http://msdn.microsoft.com/en-us/library/ms680832(VS.85).aspx

The above link explains how that number is generated, and once I understood that I got to work on writing a PHP script which translates that number into something more usable. Once I wrote the script I put it up on the Hot Scripts Forum to see if the code I wrote could be improved on and optimised. Here is what they came back with:

[PHP]
// One entry per bit, highest bit (0x1000000) first, lowest bit (0x1) last.
// Unused bits need a placeholder so every name lines up with its own bit.
$userAccountArray = array(
    'ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION' => 0,
    'ADS_UF_PASSWORD_EXPIRED' => 0,
    'ADS_UF_DONT_REQUIRE_PREAUTH' => 0,
    'ADS_UF_USE_DES_KEY_ONLY' => 0,
    'ADS_UF_NOT_DELEGATED' => 0,
    'ADS_UF_TRUSTED_FOR_DELEGATION' => 0,
    'ADS_UF_SMARTCARD_REQUIRED' => 0,
    'ADS_UF_MNS_LOGON_ACCOUNT' => 0,
    'ADS_UF_DONT_EXPIRE_PASSWD' => 0,
    'NOT_USED_8000' => 0,
    'NOT_USED_4000' => 0,
    'ADS_UF_SERVER_TRUST_ACCOUNT' => 0,
    'ADS_UF_WORKSTATION_TRUST_ACCOUNT' => 0,
    'ADS_UF_INTERDOMAIN_TRUST_ACCOUNT' => 0,
    // Placeholder for the unused 0x400 bit; without it every flag above
    // this line is tested against the wrong bit.
    'NOT_USED_400' => 0,
    'ADS_UF_NORMAL_ACCOUNT' => 0,
    'ADS_UF_TEMP_DUPLICATE_ACCOUNT' => 0,
    'ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED' => 0,
    'ADS_UF_PASSWD_CANT_CHANGE' => 0,
    'ADS_UF_PASSWD_NOTREQD' => 0,
    'ADS_UF_LOCKOUT' => 0,
    'ADS_UF_HOMEDIR_REQUIRED' => 0,
    'NOT_USED_4' => 0,
    'ADS_UF_ACCOUNTDISABLE' => 0,
    'ADS_UF_SCRIPT' => 0
);

function ADUserAccountControl($val) {
    global $userAccountArray;
    $val = (int) $val;                            // LDAP returns the value as a string
    $x = 1 << (count($userAccountArray) - 1);     // mask for the highest bit in the table
    foreach ($userAccountArray as $k => $v) {
        // Test the bit directly, so bits above the table cannot skew the result
        $userAccountArray[$k] = ($val & $x) ? 1 : 0;
        $x >>= 1;                                 // move on to the next lower bit
    }
}
[/PHP]

Simply pass your useraccountcontrol value to the function and read the results out of the array.
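
The same decoding done with bitwise tests against Microsoft's published flag values, as an added example that is not the forum's code: it also lists the flags an account review would usually question and reports any bits missing from the table. The function name `decodeUac`, the review list and the sample values are assumptions made for this example.

```php
<?php
// Added example, not the forum's code: flag values are from Microsoft's
// ADS_USER_FLAG_ENUM; function name and sample values are constructed.
const UAC_FLAGS = [
    0x0000001 => 'ADS_UF_SCRIPT',
    0x0000002 => 'ADS_UF_ACCOUNTDISABLE',
    0x0000008 => 'ADS_UF_HOMEDIR_REQUIRED',
    0x0000010 => 'ADS_UF_LOCKOUT',
    0x0000020 => 'ADS_UF_PASSWD_NOTREQD',
    0x0000040 => 'ADS_UF_PASSWD_CANT_CHANGE',
    0x0000080 => 'ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED',
    0x0000100 => 'ADS_UF_TEMP_DUPLICATE_ACCOUNT',
    0x0000200 => 'ADS_UF_NORMAL_ACCOUNT',
    0x0000800 => 'ADS_UF_INTERDOMAIN_TRUST_ACCOUNT',
    0x0001000 => 'ADS_UF_WORKSTATION_TRUST_ACCOUNT',
    0x0002000 => 'ADS_UF_SERVER_TRUST_ACCOUNT',
    0x0010000 => 'ADS_UF_DONT_EXPIRE_PASSWD',
    0x0020000 => 'ADS_UF_MNS_LOGON_ACCOUNT',
    0x0040000 => 'ADS_UF_SMARTCARD_REQUIRED',
    0x0080000 => 'ADS_UF_TRUSTED_FOR_DELEGATION',
    0x0100000 => 'ADS_UF_NOT_DELEGATED',
    0x0200000 => 'ADS_UF_USE_DES_KEY_ONLY',
    0x0400000 => 'ADS_UF_DONT_REQUIRE_PREAUTH',
    0x0800000 => 'ADS_UF_PASSWORD_EXPIRED',
    0x1000000 => 'ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION',
];
// Flags an account review would normally question (review policy assumed here).
const UAC_REVIEW = 0x20 | 0x80 | 0x10000 | 0x80000 | 0x200000 | 0x400000;

function decodeUac(int $uac): array {
    $out = ['set' => [], 'review' => [], 'unknown' => 0];
    foreach (UAC_FLAGS as $bit => $name) {
        if ($uac & $bit) {
            $out['set'][] = $name;
            if ($bit & UAC_REVIEW) { $out['review'][] = $name; }
            $uac &= ~$bit;              // clear each bit we recognised
        }
    }
    $out['unknown'] = $uac;             // leftover bits that are not in the table
    return $out;
}
// Constructed samples: 512 = normal account; 66050 = normal, disabled,
// password never expires; 4194816 = normal, Kerberos pre-auth not required.
foreach ([512, 66050, 4194816] as $sample) {
    $r = decodeUac($sample);
    printf("%8d set=[%s] review=[%s] unknown=0x%X\n", $sample,
        implode(', ', $r['set']), implode(', ', $r['review']), $r['unknown']);
}
```

On Windows Server 2003 and later domains the lockout and password-expired states are reported through the `msDS-User-Account-Control-Computed` attribute, so those two bits can read 0 in `userAccountControl` for an account that is locked or expired.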