First of all, apologies if this should be on Server Fault, but it's to do with PHP as well, so I thought this the best site for it.
I'm creating a few methods to integrate our intranet with Active Directory. One of the methods will automatically search our database for new users, and create user accounts in AD if new users are found.
Likewise, if a user is marked as left in the database, it will automatically disable the account in active directory.
I've been looking at the attributes passed from active directory, and in particular the User Account Control field.
On the microsoft website it states this under its list of attributes:
The following table lists possible flags that you can assign. You cannot set some
of the values on a user or computer object because these values can be set or
reset only by the directory service. The flags are cumulative. To disable a
user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In
decimal, this is 514 (2 + 512).
My question is, if we use the example above, to mark a record as a user (512) and disabled (2), this ultimately makes the field value returned by AD 514.
In PHP, how can I extract what flags have been marked on the record? For example, if given 514, how can I use PHP to work out that it's a normal user account, and also disabled (2 and 512)?
For example split the following:
Flag    | Splits into      | Flag Meaning
--------+------------------+---------------------------------------------------------
514     | 512 + 2          | Normal User Account + Disabled
522     | 512 + 2 + 8      | Normal User Account + Disabled + Home Directory Required
8389120 | 8388608 + 512    | Password Expired + Normal User Account
I hope you can understand my question, but feel free to ask for confirmation or more details.
Many thanks
LDAP is the Lightweight Directory Access Protocol, and is a protocol used to access "Directory Servers". The Directory is a special kind of database that holds information in a tree structure.
User Account Control is a security feature of Microsoft Windows which helps prevent unauthorized changes (which may be initiated by applications, users, viruses, or other forms of malware) to an operating system.
If you disable a user, the Active Directory object remains untouched together with the mailbox data and properties (including forwarding settings and full access), but you will not be able to access any mailbox data directly using that user's credentials.
Adding to James Sloan's answer, here is the flag list:

```php
function findFlags(int $flag): array {
    $flags = array();
    // userAccountControl bit values and their names (the ADS_UF_* constants)
    $flaglist = array(
        1 => 'SCRIPT',
        2 => 'ACCOUNTDISABLE',
        8 => 'HOMEDIR_REQUIRED',
        16 => 'LOCKOUT',
        32 => 'PASSWD_NOTREQD',
        64 => 'PASSWD_CANT_CHANGE',
        128 => 'ENCRYPTED_TEXT_PWD_ALLOWED',
        256 => 'TEMP_DUPLICATE_ACCOUNT',
        512 => 'NORMAL_ACCOUNT',
        2048 => 'INTERDOMAIN_TRUST_ACCOUNT',
        4096 => 'WORKSTATION_TRUST_ACCOUNT',
        8192 => 'SERVER_TRUST_ACCOUNT',
        65536 => 'DONT_EXPIRE_PASSWORD',
        131072 => 'MNS_LOGON_ACCOUNT',
        262144 => 'SMARTCARD_REQUIRED',
        524288 => 'TRUSTED_FOR_DELEGATION',
        1048576 => 'NOT_DELEGATED',
        2097152 => 'USE_DES_KEY_ONLY',
        4194304 => 'DONT_REQ_PREAUTH',
        8388608 => 'PASSWORD_EXPIRED',
        16777216 => 'TRUSTED_TO_AUTH_FOR_DELEGATION',
        33554432 => 'NO_AUTH_DATA_REQUIRED',
        67108864 => 'PARTIAL_SECRETS_ACCOUNT'
    );
    // Test bits 0..26; 2^26 = 67108864 is the highest documented flag
    for ($i = 0; $i <= 26; $i++) {
        if ($flag & (1 << $i)) {
            array_push($flags, 1 << $i);
        }
    }
    // Label each set bit; undocumented bits (e.g. 4, 1024, 16384) get 'UNKNOWN'
    // instead of triggering an undefined-index warning
    foreach ($flags as $k => &$v) {
        $v = $v . ' ' . ($flaglist[$v] ?? 'UNKNOWN');
    }
    unset($v); // drop the reference left behind by the foreach
    return $flags;
}
```
Came upon the same situation today and it is more concise with:

```php
$flag_to_find = 530;   // e.g. 512 (NORMAL_ACCOUNT) + 16 (LOCKOUT) + 2 (ACCOUNTDISABLE)
$flags = array();
for ($i = 0; $i <= 26; $i++) {
    // keep every power of two that is set in the value
    if ($flag_to_find & (1 << $i)) {
        array_push($flags, 1 << $i);
    }
}
print_r($flags);
```
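The answers above decode the value; the question also wants to disable accounts, and the common mistake there is to write the literal 514 from the Microsoft example, which overwrites every other bit on the object (DONT_EXPIRE_PASSWORD, SMARTCARD_REQUIRED, and so on). The example below is added here and is not code from the question or from any answer: it decodes the attribute with hex constants and then sets or clears only the ACCOUNTDISABLE bit. The sample entry value 66048 is constructed, and `$conn` and `$dn` in the final comment are assumed names for an LDAP connection and the user's DN.

```php
<?php
// userAccountControl bit flags (the ADS_UF_* values from the Microsoft documentation)
const UAC_FLAGS = [
    0x00000001 => 'SCRIPT',
    0x00000002 => 'ACCOUNTDISABLE',
    0x00000008 => 'HOMEDIR_REQUIRED',
    0x00000010 => 'LOCKOUT',
    0x00000020 => 'PASSWD_NOTREQD',
    0x00000040 => 'PASSWD_CANT_CHANGE',
    0x00000080 => 'ENCRYPTED_TEXT_PWD_ALLOWED',
    0x00000100 => 'TEMP_DUPLICATE_ACCOUNT',
    0x00000200 => 'NORMAL_ACCOUNT',
    0x00000800 => 'INTERDOMAIN_TRUST_ACCOUNT',
    0x00001000 => 'WORKSTATION_TRUST_ACCOUNT',
    0x00002000 => 'SERVER_TRUST_ACCOUNT',
    0x00010000 => 'DONT_EXPIRE_PASSWORD',
    0x00020000 => 'MNS_LOGON_ACCOUNT',
    0x00040000 => 'SMARTCARD_REQUIRED',
    0x00080000 => 'TRUSTED_FOR_DELEGATION',
    0x00100000 => 'NOT_DELEGATED',
    0x00200000 => 'USE_DES_KEY_ONLY',
    0x00400000 => 'DONT_REQ_PREAUTH',
    0x00800000 => 'PASSWORD_EXPIRED',
    0x01000000 => 'TRUSTED_TO_AUTH_FOR_DELEGATION',
    0x02000000 => 'NO_AUTH_DATA_REQUIRED',
    0x04000000 => 'PARTIAL_SECRETS_ACCOUNT',
];

/** Decode a userAccountControl value into [bit => flag name]. */
function decodeUac(int $uac): array
{
    $set = [];
    foreach (UAC_FLAGS as $bit => $name) {
        if ($uac & $bit) {
            $set[$bit] = $name;
        }
    }
    return $set;
}

/** Set ACCOUNTDISABLE while keeping every other bit of the current value. */
function disableUac(int $uac): int
{
    return $uac | 0x0002;
}

/** Clear ACCOUNTDISABLE while keeping every other bit of the current value. */
function enableUac(int $uac): int
{
    return $uac & ~0x0002;
}

// Constructed sample: ldap_get_entries() returns the attribute as an array of strings,
// so the value must be cast to int before any bit arithmetic.
$entry = ['useraccountcontrol' => ['count' => 1, 0 => '66048']];
$uac = (int) $entry['useraccountcontrol'][0];   // 66048 = 65536 + 512

print_r(decodeUac($uac));        // NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
$disabled = disableUac($uac);    // 66050: DONT_EXPIRE_PASSWORD survives the change
print_r(decodeUac($disabled));
print_r(decodeUac(enableUac($disabled)));   // back to the original two flags

// Writing the literal 514 here would silently drop DONT_EXPIRE_PASSWORD.
// To apply the change to the directory (assumed $conn and $dn; not run in this example):
// ldap_mod_replace($conn, $dn, ['userAccountControl' => (string) $disabled]);
```

Two caveats when driving this from an intranet sync job: read the current value immediately before writing it back, since another admin may have changed other bits in between; and do not rely on LOCKOUT or PASSWORD_EXPIRED in this attribute for reporting, because Active Directory computes those in the constructed attribute msDS-User-Account-Control-Computed rather than storing them in userAccountControl.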