Removing the store password with reversible encryption setting

The last thing on this subject is removing the setting. The approach is similar to putting the setting on, except that we toggle the flag in the userAccountControl attribute off.

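# Requires the ActiveDirectory module (Microsoft and AD provider sections)
# and the Quest AD cmdlets (Quest section).
$ou = "OU=England,DC=Manticore,DC=org"

# Microsoft cmdlets: a dedicated parameter switches the setting off
"`nMicrosoft"
$name = "UserA"
Get-ADUser -Identity $name |
Set-ADAccountControl -AllowReversiblePasswordEncryption:$false

# AD provider: 128 is the reversible encryption bit in userAccountControl.
# -bxor flips that bit, so this clears it only when it is currently set.
"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
$flag = (Get-ItemProperty -Path AD:\$dn -Name useraccountcontrol).useraccountcontrol -bxor 128
Set-ItemProperty -Path AD:\$dn -Name useraccountcontrol -Value "$flag" -Confirm:$false

# Quest cmdlets: same bit flip, written back with Set-QADUser
"`nQuest"
$name = "UserC"
$user = Get-QADUser -Identity $name -IncludeAllProperties

$flag = $user.userAccountControl -bxor 128
$user.userAccountControl = $flag
Set-QADUser -Identity $name -ObjectAttributes @{userAccountControl = $flag}

# Script (ADSI): same bit flip, committed with SetInfo()
"`nScript"
$name = "UserD"
$dn = "cn=$name,$ou"
$user = [adsi]"LDAP://$dn"

$flag = $user.userAccountControl.value -bxor 128
$user.userAccountControl = $flag

$user.SetInfo()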

We have a parameter on the Microsoft Set-ADAccountControl cmdlet. Otherwise we do a -bxor of 128 against the userAccountControl property.
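Because -bxor flips bit 128, running it against an account where the setting is already off switches it back on. The following is an added example, not code from the original post: it finds only the users in the OU that have the bit set and clears it with a mask, so it is safe to run repeatedly. The helper name Clear-UacBit is hypothetical, the numeric checks use constructed values, and -WhatIf is left on so nothing is written until it is removed.

```powershell
# Added example: audit and idempotent clear of the reversible encryption bit.
Import-Module ActiveDirectory

$ou  = "OU=England,DC=Manticore,DC=org"   # OU used in the post
$bit = 128                                # reversible encryption bit (0x80)

# Hypothetical helper: return a userAccountControl value with one bit cleared.
# -band with the inverted mask can only switch the bit off, never on.
function Clear-UacBit {
    param([int]$Value, [int]$Bit)
    $Value -band (-bnot $Bit)
}

# Constructed values: 512 = normal account, 640 = 512 + 128
if ((Clear-UacBit -Value 640 -Bit $bit) -ne 512) { throw "bit was not cleared" }
if ((Clear-UacBit -Value 512 -Bit $bit) -ne 512) { throw "clear is not idempotent" }
if ((512 -bxor $bit) -ne 640) { throw "expected -bxor to switch the bit on" }

# LDAP bitwise AND matching rule: returns only users whose
# userAccountControl has bit 128 set, so unaffected accounts are skipped.
$filter = "(userAccountControl:1.2.840.113556.1.4.803:=$bit)"
$users  = Get-ADUser -LDAPFilter $filter -SearchBase $ou -Properties userAccountControl

foreach ($u in $users) {
    $old = [int]$u.userAccountControl
    $new = Clear-UacBit -Value $old -Bit $bit

    # Remove -WhatIf to apply the change
    Set-ADUser -Identity $u -Replace @{userAccountControl = $new} -WhatIf

    # Report what was found and what it would become
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldUAC         = $old
        NewUAC         = $new
    }
}
```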
