Active Directory user objects have a UserAccountControl property, a bitfield containing various account status flags. It is useful for filtering active users or checking account states programmatically.

| Value | Description |
|---|---|
| 512 | Enabled Account |
| 514 | Disabled Account |
| 544 | Enabled, Password Not Required |
| 546 | Disabled, Password Not Required |
| 66048 | Enabled, Password Doesn't Expire |
| 66050 | Disabled, Password Doesn't Expire |
| 66080 | Enabled, Password Doesn't Expire & Not Required |
| 66082 | Disabled, Password Doesn't Expire & Not Required |
| 262656 | Enabled, Smartcard Required |
| 262658 | Disabled, Smartcard Required |
| 262688 | Enabled, Smartcard Required, Password Not Required |
| 262690 | Disabled, Smartcard Required, Password Not Required |
| 328192 | Enabled, Smartcard Required, Password Doesn't Expire |
| 328194 | Disabled, Smartcard Required, Password Doesn't Expire |
| 328224 | Enabled, Smartcard Required, Password Doesn't Expire & Not Required |
| 328226 | Disabled, Smartcard Required, Password Doesn't Expire & Not Required |

To find all active users, filter for the Enabled values (512, 544, 66048, …). Rather than listing each value, test the disabled bit directly:
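
```powershell
# Server-side filter: match users whose "Account Disabled" bit (value 2) is not set
Get-ADUser -LDAPFilter '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' -Properties UserAccountControl
```

Bit value 2 = "Account Disabled". The matching rule `1.2.840.113556.1.4.803` performs a bitwise AND and the leading `!` negates it, so this filter is the LDAP form of `(UserAccountControl -band 2) -eq 0`: if the bit is not set, the account is active.
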
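
Every value in the table is a sum of a few flag bits, so a decoder covers combinations the table does not list. The following is an added example, not code from the original post; the names `UacFlag` and `ConvertFrom-Uac` are assumptions made for illustration, and the enum holds only the flags that appear in the table.

```powershell
# Added example: decode a UserAccountControl value into its component flags.
# Only the flags that appear in the table are defined here.
[Flags()] enum UacFlag {
    ACCOUNTDISABLE       = 0x2       # 2      -> "Disabled"
    PASSWD_NOTREQD       = 0x20      # 32     -> "Password Not Required"
    NORMAL_ACCOUNT       = 0x200     # 512    -> ordinary user account
    DONT_EXPIRE_PASSWORD = 0x10000   # 65536  -> "Password Doesn't Expire"
    SMARTCARD_REQUIRED   = 0x40000   # 262144 -> "Smartcard Required"
}

function ConvertFrom-Uac {
    param([Parameter(Mandatory, ValueFromPipeline)][int]$Value)
    process {
        $known = 0
        # Collect the name of every defined flag whose bit is set in $Value
        $names = foreach ($f in [enum]::GetValues([UacFlag])) {
            if ($Value -band [int]$f) {
                $known = $known -bor [int]$f
                $f.ToString()
            }
        }
        [pscustomobject]@{
            Value   = $Value
            # Same test as the filter: disabled bit clear means active
            Enabled = ($Value -band [int][UacFlag]::ACCOUNTDISABLE) -eq 0
            Flags   = $names -join ', '
            # Bits set in $Value that the enum above does not cover
            Unknown = $Value -band (-bnot $known)
        }
    }
}

# Constructed sample input: four values from the table, plus 8389120,
# which is 512 with one extra bit that the table does not list.
512, 514, 66082, 328224, 8389120 | ConvertFrom-Uac | Format-Table -AutoSize
```

The last sample value is reported as enabled with a non-zero `Unknown` column. A filter that compares against a fixed list of table values would miss that account, while the bit test still classifies it correctly.
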
H@ppy H@cking