PHP Active Directory Integration: get userAccountControl attributes
While trying to integrate an AD based login in my php application, I came across the problem of checking which user accounts were not disabled.
After going through some forums I did the following to see accounts which were not disabled:
$result = ldap_search($ad, “OU=Users,OU=Office1,DC=country,DC=company,DC=com”, “(&(objectCategory=user)(!(userAccountControl=514)))”);
Microsoft returns the flags set for any user in the userAccountControl attribute in a cumulative manner. The flag values used by Active Directory are mentioned here.
So e.g.
John has a Normal Account [Flag 512]
Alex had a Normal Account [Flag 512] but now has been disabled [Flag 2] so the status on … Continue Reading