該腳本通過系統自帶的 set 外部命令, 通過 dsquery * -filter 獲得的指定域用戶或計算機帳戶內部屬性 UserAccountControl, 並進行 bit and 運算, 最後結合 MSDN 對該值的描述, 來獲得對應狀態信息.
User-Account-Control attribute
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680832(v=vs.85).aspx
2.2.15 userAccountControl Bits
http://msdn.microsoft.com/en-us/library/cc223145.aspx
@echo off
set sam=%~1
if not defined sam (goto isEmpty)
dsquery * -filter "(&(objectclass=person)(|(objectclass=user)(objectclass=computer))(samaccountname=%sam%))" | find "," > nul
if %errorlevel% neq 0 (goto notFound)
for /f "tokens=*" %%a in ('dsquery * -filter "(&(objectclass=person)(|(objectclass=user)(objectclass=computer))(samaccountname=%sam%))" -attr useraccountcontrol -l') do set /a UAC=%%a
set /a rc=%UAC%^&0x1
if %rc% equ 0x1 (echo The logon script is executed.)
set /a rc=%UAC%^&0x2
if %rc% equ 0x2 (echo The user account is disabled.)
set /a rc=%UAC%^&0x8
if %rc% equ 0x8 (echo The user account is disabled.)
set /a rc=%UAC%^&0x10
if %rc% equ 0x10 (echo The account is currently locked out.)
set /a rc=%UAC%^&0x20
if %rc% equ 0x20 (echo No password is required.)
set /a rc=%UAC%^&0x40
if %rc% equ 0x40 (echo The user cannot change the password.)
set /a rc=%UAC%^&0x80
if %rc% equ 0x80 (echo The user can send an encrypted password.)
set /a rc=%UAC%^&0x100
if %rc% equ 0x100 (echo This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.)
set /a rc=%UAC%^&0x200
if %rc% equ 0x200 (echo This is a default account type that represents a typical user.)
set /a rc=%UAC%^&0x800
if %rc% equ 0x800 (echo This is a permit to trust account for a system domain that trusts other domains.)
set /a rc=%UAC%^&0x1000
if %rc% equ 0x1000 (echo This is a computer account for a computer that is a member of this domain.)
set /a rc=%UAC%^&0x2000
if %rc% equ 0x2000 (echo This is a computer account for a system backup domain controller that is a member of this domain.)
set /a rc=%UAC%^&0x10000
if %rc% equ 0x10000 (echo The password for this account will never expire.)
set /a rc=%UAC%^&0x20000
if %rc% equ 0x20000 (echo This is an MNS logon account.)
set /a rc=%UAC%^&0x40000
if %rc% equ 0x40000 (echo The user must log on using a smart card.)
set /a rc=%UAC%^&0x80000
if %rc% equ 0x80000 (echo The service account ^(user or computer account^), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.)
set /a rc=%UAC%^&0x100000
if %rc% equ 0x100000 (echo The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.)
set /a rc=%UAC%^&0x200000
if %rc% equ 0x200000 (echo Restrict this principal to use only Data Encryption Standard ^(DES^) encryption types for keys.)
set /a rc=%UAC%^&0x400000
if %rc% equ 0x400000 (echo This account does not require Kerberos pre-authentication for logon.)
set /a rc=%UAC%^&0x800000
if %rc% equ 0x800000 (echo The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.)
set /a rc=%UAC%^&0x1000000
if %rc% equ 0x1000000 (echo The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.)
set /a rc=%UAC%^&0x2000000
if %rc% equ 0x2000000 (echo Used by the Kerberos protocol. This bit indicates that when the Key Distribution Center ^(KDC^) is issuing a service ticket for this account, the Privilege Attribute Certificate ^(PAC^) MUST NOT be included. For more information, see [RFC4120].)
set /a rc=%UAC%^&0x4000000
if %rc% equ 0x4000000 (echo The account is a computer account for a read-only domain controller ^(RODC^). If this bit is set, the ADS_UF_WORKSTATION_TRUST_ACCOUNT must also be set. This flag is only interpreted by a DC whose DC functional level is DS_BEHAVIOR_WIN2008 or greater.)
goto exit
:isEmpty
echo The SamAccountName is empty.
exit /b 6
:notFound
echo The SamAccountName could not be found.
exit /b 2
:exit
exit /b 0
Folding@Home
