Logo Questions Linux Laravel Mysql Ubuntu Git Menu

PHP, Active Directory, User Account Control

First of appologies if this should be on server-fault, but it's to do with PHP as well, so I thought this the best site for it.

I'm creating a few methods to integrate our intranet with Active Directory. One of the methods will automatically search our database for new users, and create user accounts in AD if new users are found.

Likewise, if a user is marked as left in the database, it will automatically disable the account in active directory.

I've been looking at the attributes passed from active directory, and in particular the User Account Control field.

On the microsoft website it states this under its list of attributes:

The following table lists possible flags that you can assign. You cannot set some 
of the values on a user or computer object because these values can be set or 
reset only by the directory service. The flags are cumulative. To disable a 
user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In 
decimal, this is 514 (2 + 512).

Question My question is, if we use the example above, to mark a record as a user (512) and disabled (2), this ultimately makes the field value returned by AD as 514.

In PHP, how can I extract what flags have been marked on the record? For example, If given 514, how can I use PHP to work out that its a normal user account, and also disabled (2 and 512)?

For example split the following:

Flag    | Splits into      | Flag Meaning
514     | 512 + 2          | Normal User Account + Disabled
522     | 512 + 2 + 8      | Normal User Account + Disabled + Home Directory Required
8389120 | 8388608 + 512    | Password Expired + Normal User Account

I hope you can understand my question, but feel free to ask for confirmation or more details.

Many thanks

like image 690
Phil Cross Avatar asked Feb 11 '14 09:02

Phil Cross

People also ask

What is LDAP PHP?

LDAP is the Lightweight Directory Access Protocol, and is a protocol used to access "Directory Servers". The Directory is a special kind of database that holds information in a tree structure.

What is User Account Control in AD?

User Account Control is a security feature of Microsoft Windows which helps prevent unauthorized changes (which may be initiated by applications, users, viruses, or other forms of malware) to an operating system.

What does disabling a user account in Active Directory do?

If you disable a user, the Active Directory object remains untouched together with the mailbox data and properties(including forwarding settings and full access), but you will not be able to access any mailbox data directly, using that user credentials.

2 Answers

Adding to James Sloan's answer, here is the flag list :

public function findFlags($flag) {

    $flags    = array();
    $flaglist = array(
               1 => 'SCRIPT',
               2 => 'ACCOUNTDISABLE',
               8 => 'HOMEDIR_REQUIRED',
              16 => 'LOCKOUT',
              32 => 'PASSWD_NOTREQD',
              64 => 'PASSWD_CANT_CHANGE',
             128 => 'ENCRYPTED_TEXT_PWD_ALLOWED',
             256 => 'TEMP_DUPLICATE_ACCOUNT',
             512 => 'NORMAL_ACCOUNT',
            2048 => 'INTERDOMAIN_TRUST_ACCOUNT',
            4096 => 'WORKSTATION_TRUST_ACCOUNT',
            8192 => 'SERVER_TRUST_ACCOUNT',
           65536 => 'DONT_EXPIRE_PASSWORD',
          131072 => 'MNS_LOGON_ACCOUNT',
          262144 => 'SMARTCARD_REQUIRED',
          524288 => 'TRUSTED_FOR_DELEGATION',
         1048576 => 'NOT_DELEGATED',
         2097152 => 'USE_DES_KEY_ONLY',
         4194304 => 'DONT_REQ_PREAUTH',
         8388608 => 'PASSWORD_EXPIRED',
        16777216 => 'TRUSTED_TO_AUTH_FOR_DELEGATION',
        67108864 => 'PARTIAL_SECRETS_ACCOUNT'
    for ($i=0; $i<=26; $i++){
        if ($flag & (1 << $i)){
            array_push($flags, 1 << $i);
    foreach($flags as $k=>&$v) {
        $v = $v . ' '  . $flaglist[$v];
    return $flags;
like image 107
Bill C Avatar answered Sep 18 '22 15:09

Bill C

Came upon the same situation today and it is more concise with:

$flag_to_find = 530;
$flags = array();
for ($i=0; $i<=26; $i++){
  if ($flag_to_find & (1 << $i)){
    array_push($flags, 1 << $i);
like image 26
james sloan Avatar answered Sep 18 '22 15:09

james sloan