
ADSI query, I am trying to find the flag for identifying if a local account is disabled


To try to get all possible values, I attempted to print them all out; I thought this was a simple approach to get the values I am interested in. However, I am interested in identifying if an account is disabled or not, and it seems to me that this value isn't available for local accounts? That seems crazy, so I must be missing something. Any help would be appreciated.

I have checked here but that doesn't define the flag. I've tried the obvious (Disabled, Enabled) but, as I say, no luck, and I can't see anything obvious from the results below.

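$ComputerName = $env:COMPUTERNAME   # assumption: query the local machine
$user_adsi = [ADSI]"WinNT://$ComputerName"
$users = $user_adsi.Children | where { $_.SchemaClassName -eq 'user' } | select *
try
{
    # Print every property of each local user object
    foreach ($user in $users)
    {
        Write-Host $user
    }
}
catch
{
    # A try block needs a catch (or finally) to parse; report any error
    Write-Error $_
}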

Solution

  • You will need to check the UserFlags property for the binary bit that represents decimal 2 for disabled users.

    $disabledUsers = $user_adsi.Children |
        where { $_.SchemaClassName -eq 'user' -and $_.UserFlags[0] -band 2} 
    

    Since UserFlags (which works like UserAccountControl) is of type PropertyValueCollection, you will need to index into its first element [0].


    You could also use the Where() method to create two lists of disabled and enabled users:

    $DisabledUsers,$EnabledUsers = $user_adsi.children.where({$_.SchemaClassName -eq 'user'}).where({$_.UserFlags[0] -band 2},'Split')
    

    The Split mode will output items that met the condition into the first variable ($DisabledUsers) and output the remaining items in the second variable ($EnabledUsers).
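
An added example, not part of the original answer: it goes beyond the single disabled-bit test and decodes the other common UserFlags bits for every local account, which is useful when auditing for accounts that are enabled but need no password. The bit values are the UF_* constants from lmaccess.h; the function names ConvertFrom-UserFlags and Get-LocalAccountFlags are hypothetical.

```powershell
# UF_* bit values from lmaccess.h, as exposed through the WinNT provider's UserFlags
$UserFlagBits = [ordered]@{
    AccountDisabled     = 0x0002
    Lockout             = 0x0010
    PasswordNotRequired = 0x0020
    PasswordCantChange  = 0x0040
    NormalAccount       = 0x0200
    DontExpirePassword  = 0x10000
}

function ConvertFrom-UserFlags {      # hypothetical helper name
    param([Parameter(Mandatory)][int]$Flags)
    # Return the name of every known bit that is set in the mask
    $UserFlagBits.GetEnumerator() |
        Where-Object { $Flags -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Get-LocalAccountFlags {      # hypothetical helper name
    param([string]$ComputerName = $env:COMPUTERNAME)
    $machine = [ADSI]"WinNT://$ComputerName"
    $machine.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        ForEach-Object {
            # UserFlags is a PropertyValueCollection, so take element [0]
            $flags = [int]$_.UserFlags[0]
            [pscustomobject]@{
                Name     = $_.Name[0]
                Disabled = [bool]($flags -band 0x2)
                RawFlags = '0x{0:X}' -f $flags
                Flags    = (ConvertFrom-UserFlags -Flags $flags) -join ', '
            }
        }
}

# Constructed sample mask: disabled + normal account + password never expires
ConvertFrom-UserFlags -Flags 0x10202

# Live query of the local machine, disabled accounts listed first
Get-LocalAccountFlags | Sort-Object Disabled -Descending | Format-Table -AutoSize
```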