Active Directory UserAccountControl Details
Reference: https://support.microsoft.com/en-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
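function Get-UserAccountControlDetail {
    # .SYNOPSIS
    #   Translates a userAccountControl integer into the names of the flags it has set.
    #
    # .DESCRIPTION
    #   Tests the value against every bit in the flag table with -band and returns
    #   the matching names, lowest bit first, joined with " | ". Bits that are not
    #   in the table are ignored, so a value with no known bit set returns an
    #   empty string.
    #
    # .PARAMETER val
    #   The userAccountControl value to decode.
    #
    # .OUTPUTS
    #   System.String
    #
    # .EXAMPLE
    #   Get-UserAccountControlDetail 514
    #   Returns "ACCOUNTDISABLE | NORMAL_ACCOUNT".
    #
    # .NOTES
    #   Audit caveat: in AD DS the LOCKOUT and PASSWORD_EXPIRED bits are not kept in
    #   the stored userAccountControl attribute (that state is exposed through
    #   msDS-User-Account-Control-Computed), and PASSWD_CANT_CHANGE is enforced
    #   through a permission on the object rather than this bit. Their absence
    #   here therefore does not show that an account is unlocked, that its
    #   password is current, or that the user can change it.
    [cmdletbinding()]
    PARAM(
        [int]$val
    )

    # Bit value -> flag name, as listed in the Microsoft reference for userAccountControl.
    # Flags that usually deserve a closer look in a hardening review:
    # PASSWD_NOTREQD, ENCRYPTED_TEXT_PWD_ALLOWED, DONT_EXPIRE_PASSWORD,
    # TRUSTED_FOR_DELEGATION, TRUSTED_TO_AUTH_FOR_DELEGATION, USE_DES_KEY_ONLY
    # and DONT_REQ_PREAUTH. (TRUSTED_FOR_DELEGATION is expected on domain
    # controllers, i.e. objects that also carry SERVER_TRUST_ACCOUNT.)
    $UACflagHash = @{
        1        = 'SCRIPT'
        2        = 'ACCOUNTDISABLE'
        8        = 'HOMEDIR_REQUIRED'
        16       = 'LOCKOUT'
        32       = 'PASSWD_NOTREQD'
        64       = 'PASSWD_CANT_CHANGE'
        128      = 'ENCRYPTED_TEXT_PWD_ALLOWED'
        256      = 'TEMP_DUPLICATE_ACCOUNT'
        512      = 'NORMAL_ACCOUNT'
        2048     = 'INTERDOMAIN_TRUST_ACCOUNT'
        4096     = 'WORKSTATION_TRUST_ACCOUNT'
        8192     = 'SERVER_TRUST_ACCOUNT'
        65536    = 'DONT_EXPIRE_PASSWORD'
        131072   = 'MNS_LOGON_ACCOUNT'
        262144   = 'SMARTCARD_REQUIRED'
        524288   = 'TRUSTED_FOR_DELEGATION'
        1048576  = 'NOT_DELEGATED'
        2097152  = 'USE_DES_KEY_ONLY'
        4194304  = 'DONT_REQ_PREAUTH'
        8388608  = 'PASSWORD_EXPIRED'
        16777216 = 'TRUSTED_TO_AUTH_FOR_DELEGATION'
        67108864 = 'PARTIAL_SECRETS_ACCOUNT'
    }

    # Walk the table in ascending bit order so the output order is stable.
    # Collecting the loop output avoids rebuilding an array with += on every match.
    $desc = @(
        foreach ($obj in ($UACflagHash.GetEnumerator() | Sort-Object Name)) {
            if ($val -band $obj.Name) {
                Write-Verbose "$val bitwise and match `n$(($obj | Out-String).trim())`n"
                $UACflagHash[$obj.Name]
            }
        }
    )

    $desc -join " | "
}

# Get all AD objects that have a value for useraccountcontrol
$allobjects = Get-ADObject -LDAPFilter "(useraccountcontrol=*)" -Properties useraccountcontrol,canonicalname,objectcategory,samaccountname

# How many objects share each raw useraccountcontrol value, most common first
$allobjects | Group-Object useraccountcontrol | Select-Object Count,Name | Sort-Object Count -Descending

# Add custom noteproperty containing the delimited useraccountcontrol translation
$allobjects | ForEach-Object {
    Add-Member -InputObject $_ -MemberType NoteProperty -Name 'UACdetail' -Value (Get-UserAccountControlDetail $_.useraccountcontrol) -Force
}

$allobjects | Select-Object canonicalname,samaccountname,objectclass,UACdetail,UserAccountControl | Format-Table -AutoSize -Wrap

# Get count of individual useraccountcontrol flags
$UACdetailCounts = @{}
$allobjects | ForEach-Object {
    $_.UACdetail.Split('|') | ForEach-Object {
        $flag = $_.Trim()
        # An object with no known flag set has an empty UACdetail; skip it so the
        # tally does not gain a blank-named row.
        if ($flag) {
            $UACdetailCounts[$flag]++
        }
    }
}

$UACdetailCounts.GetEnumerator() | Sort-Object Value -Descending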