The userAccountControl attribute is used to control the access of a user account. This value can be set to the bitwise OR of a set of flag values, documented here:
| Property flag |
Value in hexadecimal |
Value in decimal |
| SCRIPT |
0x0001 |
1 |
| ACCOUNTDISABLE |
0x0002 |
2 |
| HOMEDIR_REQUIRED |
0x0008 |
8 |
| LOCKOUT |
0x0010 |
16 |
| PASSWD_NOTREQD |
0x0020 |
32 |
PASSWD_CANT_CHANGE
Note You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the "Property flag descriptions" section. |
0x0040 |
64 |
| ENCRYPTED_TEXT_PWD_ALLOWED |
0x0080 |
128 |
| TEMP_DUPLICATE_ACCOUNT |
0x0100 |
256 |
| NORMAL_ACCOUNT |
0x0200 |
512 |
| INTERDOMAIN_TRUST_ACCOUNT |
0x0800 |
2048 |
| WORKSTATION_TRUST_ACCOUNT |
0x1000 |
4096 |
| SERVER_TRUST_ACCOUNT |
0x2000 |
8192 |
| DONT_EXPIRE_PASSWORD |
0x10000 |
65536 |
| MNS_LOGON_ACCOUNT |
0x20000 |
131072 |
| SMARTCARD_REQUIRED |
0x40000 |
262144 |
| TRUSTED_FOR_DELEGATION |
0x80000 |
524288 |
| NOT_DELEGATED |
0x100000 |
1048576 |
| USE_DES_KEY_ONLY |
0x200000 |
2097152 |
| DONT_REQ_PREAUTH |
0x400000 |
4194304 |
| PASSWORD_EXPIRED |
0x800000 |
8388608 |
| TRUSTED_TO_AUTH_FOR_DELEGATION |
0x1000000 |
16777216 |
So the value of the userAccountControl attribute can be described in PowerShell as the -bor (binary or) of these flags. A user with the "NORMAL_ACCOUNT" and "DONT_EXPIRE_PASSWORD" flags set would be expressed in PowerShell as 512 -bor 65536 (which equals 66048).
So to make a user account a normal account with a non-expiring password in PowerShell, you can use NetCmdlets set-ldap like so:
To disable an account, just -bor 2 with whatever the existing value already is.