question

SylvainMALAGRE-1246 avatar image
0 Votes"
SylvainMALAGRE-1246 asked RichMatheisen-8856 answered

Bulk useraccountcontrol attribute

Hi,


I have a txt file with several ad accounts with the Name of each of one.

I would like to bulk change the useraccountcontrol attribute for all of them with the 512 value.

Could you helo me to do it please ?

Thank you

windows-server-powershellwindows-active-directory
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

BillStewart avatar image BillStewart ·

Warning: You should not blindly set the userAccountControl attribute to 512 because userAccountControl is a number used as an array of on-off values. Setting it to a static numeric value will likely lose settings.

Instead you need to specify what on-off value for the users that you want to change, as RichMatheisen-8856 said.

0 Votes 0 ·

3 Answers

RichMatheisen-8856 avatar image
0 Votes"
RichMatheisen-8856 answered

Are you just trying to set the accounts to the "Enabled" status?

If so, see if this helps:

 Get-Content x:file.txt |
     ForEach-Object{
         $uname = $_    # needed because you can't use $_ in a "Catch" block for this value
         if ($user = Get-ADUser -Filter {Name -eq $uname}){
             Try{
                 $user | Set-ADUser -Enabled -ErrorAction STOP
             }
             Catch{
                 Write-Host "Failed to enable user '$uname'"
             }
         }
         else{
             Write-Host "Failed to find user '$uname'"
         }
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

IanXue-MSFT avatar image
0 Votes"
IanXue-MSFT answered BillStewart commented

Hi,

The Set-ADUser cmdlet can modify the properties of AD users for you.

 $file = 'C:\test\name.txt'
 Get-Content -Path $file | Get-ADUser | Set-ADUser -Replace @{useraccountcontrol=512}

You can refer to the link below for details about the useraccountcontrol property.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

Best Regards,
Ian Xue
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

BillStewart avatar image BillStewart ·

You should not do this as userAccountControl is a number used as a bitmap (each bit in the number is an on-off value).

0 Votes 0 ·
RichMatheisen-8856 avatar image
0 Votes"
RichMatheisen-8856 answered

Here's an example of bad things that can happen when an array of bits, each of which have a special meaning, is mishandled:

 [uint32]$bitmap = 0x0002        # account disabled (2)
 $bitmap = $bitmap -bor 0x0400   # cannot change password (64)
 $bitmap = $bitmap -bor 0x010000 # password never expires (65536)
 ""
 [Convert]::ToString($bitmap,2)
 $bitmap = 0x0200                # Normal user (512)
 [Convert]::ToString($bitmap,2)

The original value is simply replaced instead of having just the one bit manipulated:

10000010000000010 <=== Before
1000000000 <=== After

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.