Resolution
It's often a requirement to determine whether an Active Directory account is inactive. Just as often, one may need to capture the 'Password Never Expires' flag as well. These, as well as several other attributes, are stored as a single value in the 'userAccountControl' attribute. This attribute is a bitwise series of flags where '1' represents true and '0' represents false. To capture the values of the flags, one needs to use a Customization Rule. This rule should include the logic below. It is up to the reader to apply minute differences
/*
 * The userAccountControl attribute is a collection of bitwise flags. That is,
 * a userAccountControl value of 514 is better represented as: 00000001000000010, which simply means the
 * 2nd and 10th bits are true (from right to left), and the other bits are false. Bit 2 is the flag indicating
 * that the account is disabled. Bit 17 indicates the password never expires. A complete listing of all of the
 * bitwise flags is found here: http://support.microsoft.com/kb/305144
 *
 * To determine which flags are enabled, we use the Java AND '&' operator, which applies the given mask to
 * a value and returns that same mask when the bit is set.
 */
int DISABLED_MASK = 2;
int NEVER_EXPIRE_PASSWORD_MASK = 65536;

// If the ResourceObject is an account, do the following:
if (object.getObjectType().compareTo(Connector.TYPE_ACCOUNT) == 0) {
    // Fetches the schema value 'userAccountControl'. This is the literal value found on the account Schema
    accountControl = object.get("userAccountControl");

    // If the DISABLED_MASK is found, set disabled = 'Yes'
    // ... set inactive = 'true'
    //
    // Change these values to those that make more sense to your environment, i.e.: disabled = 'true', enabled = 'No' / 'False'
    if (accountControl != null && accountControl instanceof Long) {
        if ((accountControl & DISABLED_MASK) == DISABLED_MASK) {
            object.put("disabled", "Yes");
            object.put("inactive", "true");
        } else
            object.put("disabled", "No");

        // If the NEVER_EXPIRE_PASSWORD_MASK is found, flag 'neverExpirePassword'
        if ((accountControl & NEVER_EXPIRE_PASSWORD_MASK) == NEVER_EXPIRE_PASSWORD_MASK)
            object.put("neverExpirePassword", "Yes");
        else
            object.put("neverExpirePassword", "No");
    }
} // closes the account-type check, which was left open in the original listing
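
As an added example (not part of the original rule or of any product's code), the standalone Java class below applies the same mask test to more of the flags listed in KB 305144. It also accepts the value as an Integer or numeric String, because the rule's 'instanceof Long' check leaves every flag unset when the value arrives as another type. The class name, method names and sample values are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class UacFlags {
    // Flag values as listed in Microsoft KB 305144 (subset).
    static final Map<String, Long> FLAGS = new LinkedHashMap<>();
    static {
        FLAGS.put("ACCOUNTDISABLE", 0x0002L);
        FLAGS.put("LOCKOUT", 0x0010L);
        FLAGS.put("PASSWD_NOTREQD", 0x0020L);
        FLAGS.put("ENCRYPTED_TEXT_PWD_ALLOWED", 0x0080L);
        FLAGS.put("NORMAL_ACCOUNT", 0x0200L);
        FLAGS.put("DONT_EXPIRE_PASSWORD", 0x10000L);
        FLAGS.put("SMARTCARD_REQUIRED", 0x40000L);
        FLAGS.put("DONT_REQ_PREAUTH", 0x400000L);
        FLAGS.put("PASSWORD_EXPIRED", 0x800000L);
    }

    // Accepts Long, Integer or numeric String; returns null when the value is
    // missing or unparseable so the caller can report it instead of skipping it.
    static Long toLong(Object raw) {
        if (raw instanceof Number) return ((Number) raw).longValue();
        if (raw instanceof String) {
            try { return Long.parseLong(((String) raw).trim()); }
            catch (NumberFormatException e) { return null; }
        }
        return null;
    }

    // Returns the names of all set flags, or null if the value could not be read.
    static List<String> decode(Object raw) {
        Long uac = toLong(raw);
        if (uac == null) return null;
        List<String> set = new ArrayList<>();
        for (Map.Entry<String, Long> f : FLAGS.entrySet())
            if ((uac & f.getValue()) == f.getValue()) set.add(f.getKey());
        return set;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real directory.
        Object[] samples = { 514L, "66048", 66050, "4194816", null, "n/a" };
        for (Object s : samples) {
            List<String> flags = decode(s);
            System.out.println(s + " -> " + (flags == null ? "UNPARSED" : flags));
        }
    }
}
```

Reporting UNPARSED separately keeps an account with an unreadable value from being treated the same as an account with no flags set.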