[Share] A batch script, built only on features that ship with the system, for looking up the status information represented by the bit-mask combination of the internal UserAccountControl attribute of a specified domain user or computer account


  • This script uses the system's own set command: it takes the internal UserAccountControl attribute of the specified domain user or computer account, obtained with dsquery * -filter, performs a bitwise AND on it, and then matches the result against the MSDN description of that value to obtain the corresponding status information.

    User-Account-Control attribute

    2.2.15 userAccountControl Bits

    @echo off
    rem Usage: showuac.bat <sAMAccountName>   (quote the name if it contains spaces)
    set sam=%~1
    if not defined sam (goto isEmpty)
    rem Check that a user or computer account with this sAMAccountName exists (dsquery prints its quoted DN).
    dsquery * -filter "(&(objectclass=person)(|(objectclass=user)(objectclass=computer))(samaccountname=%sam%))" | find "," > nul
    if %errorlevel% neq 0 (goto notFound)
    rem With -l dsquery prints "useraccountcontrol: <value>" on one line, so the second token is the number.
    for /f "tokens=2" %%a in ('dsquery * -filter "(&(objectclass=person)(|(objectclass=user)(objectclass=computer))(samaccountname=%sam%))" -attr useraccountcontrol -l') do set /a UAC=%%a
    rem Test each ADS_USER_FLAG_ENUM bit in turn; ^& escapes the & so set /a sees a bitwise AND.
    set /a rc=%UAC%^&0x1
    if %rc% equ 0x1 (echo The logon script is executed.)
    set /a rc=%UAC%^&0x2
    if %rc% equ 0x2 (echo The user account is disabled.)
    set /a rc=%UAC%^&0x8
    if %rc% equ 0x8 (echo The home folder is required.)
    set /a rc=%UAC%^&0x10
    if %rc% equ 0x10 (echo The account is currently locked out.)
    set /a rc=%UAC%^&0x20
    if %rc% equ 0x20 (echo No password is required.)
    set /a rc=%UAC%^&0x40
    if %rc% equ 0x40 (echo The user cannot change the password.)
    set /a rc=%UAC%^&0x80
    if %rc% equ 0x80 (echo The user can send an encrypted password.)
    set /a rc=%UAC%^&0x100
    if %rc% equ 0x100 (echo This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.)
    set /a rc=%UAC%^&0x200
    if %rc% equ 0x200 (echo This is a default account type that represents a typical user.)
    set /a rc=%UAC%^&0x800
    if %rc% equ 0x800 (echo This is a permit to trust account for a system domain that trusts other domains.)
    set /a rc=%UAC%^&0x1000
    if %rc% equ 0x1000 (echo This is a computer account for a computer that is a member of this domain.)
    set /a rc=%UAC%^&0x2000
    if %rc% equ 0x2000 (echo This is a computer account for a system backup domain controller that is a member of this domain.)
    set /a rc=%UAC%^&0x10000
    if %rc% equ 0x10000 (echo The password for this account will never expire.)
    set /a rc=%UAC%^&0x20000
    if %rc% equ 0x20000 (echo This is an MNS logon account.)
    set /a rc=%UAC%^&0x40000
    if %rc% equ 0x40000 (echo The user must log on using a smart card.)
    set /a rc=%UAC%^&0x80000
    if %rc% equ 0x80000 (echo The service account ^(user or computer account^), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.)
    set /a rc=%UAC%^&0x100000
    if %rc% equ 0x100000 (echo The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.)
    set /a rc=%UAC%^&0x200000
    if %rc% equ 0x200000 (echo Restrict this principal to use only Data Encryption Standard ^(DES^) encryption types for keys.)
    set /a rc=%UAC%^&0x400000
    if %rc% equ 0x400000 (echo This account does not require Kerberos pre-authentication for logon.)
    set /a rc=%UAC%^&0x800000
    if %rc% equ 0x800000 (echo The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.)
    set /a rc=%UAC%^&0x1000000
    if %rc% equ 0x1000000 (echo The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.)
    set /a rc=%UAC%^&0x2000000
    if %rc% equ 0x2000000 (echo Used by the Kerberos protocol. This bit indicates that when the Key Distribution Center ^(KDC^) is issuing a service ticket for this account, the Privilege Attribute Certificate ^(PAC^) MUST NOT be included. For more information, see [RFC4120].)
    set /a rc=%UAC%^&0x4000000
    if %rc% equ 0x4000000 (echo The account is a computer account for a read-only domain controller ^(RODC^). If this bit is set, the ADS_UF_WORKSTATION_TRUST_ACCOUNT must also be set. This flag is only interpreted by a DC whose DC functional level is DS_BEHAVIOR_WIN2008 or greater.)
    goto exit
    :isEmpty
    echo The SamAccountName is empty.
    exit /b 6
    :notFound
    echo The SamAccountName could not be found.
    exit /b 2
    :exit
    exit /b 0


    • Type changed by repl, 27 September 2013 7:51
    • Edited by repl, 29 September 2013 3:32
    27 September 2013 7:50
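To show the same decoding outside cmd, here is an added Python example; it is not part of the post or of the batch script above. It parses the "useraccountcontrol: <value>" line that dsquery -l prints, expands the value into the flag names from the ADS_USER_FLAG_ENUM table the script follows (reporting any bit outside that table instead of dropping it), and separately lists the bits an account-hygiene review usually looks at. That short review list is this example's own selection, and the sample dsquery output is constructed.

```python
"""Decode an Active Directory userAccountControl value into flag names.

Added example, not part of the forum post. Bit values and names follow the
ADS_USER_FLAG_ENUM / MS-ADTS userAccountControl bit table the post cites.
"""
import re
from typing import Dict, List

# Bit -> name, from ADS_USER_FLAG_ENUM (reserved bits such as 0x4 and 0x400 are not listed).
UAC_FLAGS: Dict[int, str] = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQUIRE_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x2000000: "NO_AUTH_DATA_REQUIRED",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# This example's own choice of bits worth a second look during an account review:
# weak or reversible password settings, non-expiring passwords, no Kerberos
# pre-authentication, DES-only keys, and the two delegation trust flags.
REVIEW_BITS = frozenset({0x0020, 0x0080, 0x10000, 0x80000, 0x200000, 0x400000, 0x1000000})

# Matches the "useraccountcontrol: <value>" line produced by "dsquery ... -attr useraccountcontrol -l".
_DSQUERY_LINE = re.compile(r"^\s*useraccountcontrol:\s*(-?\d+)\s*$", re.IGNORECASE)

# Constructed sample of dsquery -l output (0x410200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQUIRE_PREAUTH).
SAMPLE_DSQUERY_OUTPUT = "  useraccountcontrol: 4260352\n"


def parse_dsquery_output(text: str) -> int:
    """Return the userAccountControl integer from dsquery -l output, masked to 32 bits.

    Raises ValueError when no useraccountcontrol line is present (e.g. account not found).
    """
    for line in text.splitlines():
        match = _DSQUERY_LINE.match(line)
        if match:
            # LDAP tools sometimes show the value as a signed 32-bit int; normalise it.
            return int(match.group(1)) & 0xFFFFFFFF
    raise ValueError("no useraccountcontrol line in dsquery output")


def decode_uac(value: int) -> List[str]:
    """Return the names of every bit set in value, lowest bit first.

    Bits missing from UAC_FLAGS are reported as UNKNOWN_0x<bit> rather than dropped,
    so a reserved or newer flag never disappears silently from the report.
    """
    value &= 0xFFFFFFFF
    names = []
    for shift in range(32):
        bit = 1 << shift
        if value & bit:
            names.append(UAC_FLAGS.get(bit, f"UNKNOWN_0x{bit:X}"))
    return names


def review_findings(value: int) -> List[str]:
    """Return the names of the REVIEW_BITS that are set in value (empty list: nothing to flag)."""
    return [UAC_FLAGS[bit] for bit in sorted(REVIEW_BITS) if value & bit]


if __name__ == "__main__":
    uac = parse_dsquery_output(SAMPLE_DSQUERY_OUTPUT)
    print(f"userAccountControl = {uac} (0x{uac:X})")
    for name in decode_uac(uac):
        print("  ", name)
    print("review:", ", ".join(review_findings(uac)) or "nothing flagged")
```

In practice the text passed to parse_dsquery_output is the captured output of the same dsquery command the batch script runs; the review list is a starting point to adapt to local policy, not a verdict.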


  • Save the above script as a BAT file, for example showuac.bat.

    showuac.bat %samaccountname%

    then shows the actual result. %samaccountname% is the SAMACCOUNTNAME of the account to look up.


    • Edited by repl, 27 September 2013 9:02
    27 September 2013 7:52
  • If the SAMACCOUNTNAME contains a space, it must be enclosed in ASCII (half-width) double quotes.


    • Edited by repl, 27 September 2013 9:03
    27 September 2013 8:00
  • Thank you very much for sharing.

    Best Regards
    Jeremy Wu

    5 October 2013 12:40