UserAccountControl

The UserAccountControl is an attribute on Active Directory objects that describes the state of the object.  The attribute is treated as a series of bit flags, each of which has a separate meaning.  For instance, a normal account takes the value 512, whereas a value of 514 indicates a normal account that is disabled, because the 2 bit (flag) is set as well.
 
The values and meanings of the various settings are shown at  http://support.microsoft.com/kb/305144
 
One action in Active Directory that seems to come up reasonably often is to disable an account.  In many cases you will see it suggested that you should just add 2 to the current value of the useraccountcontrol attribute.  This is demonstrated in this thread from the PowerShell news group http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?&guid=&sloc=en-us&dg=microsoft.public.windows.powershell&p=1&tid=0e4f00a6-26b1-4dde-b4ea-7c62e8fd7cce
 
Because of the nature of the useraccountcontrol attribute, performing arithmetic on it can be problematic: adding 2 to an account that is already disabled (514) gives 516, which clears the disabled bit and sets an unrelated one instead.  The best and easiest way to set an account to disabled that I have discovered is to do this
 
$myuser = [ADSI] "LDAP://cn=user,dc=domain,dc=com"
# set the 2 (disabled) bit on the current value and write it back to the object
$myuser.psbase.properties.useraccountcontrol[0] = $myuser.psbase.properties.useraccountcontrol[0] -bor 2
$myuser.psbase.CommitChanges()
 
The bitwise OR (-bor) compares the binary values of the current useraccountcontrol attribute and 2.  Wherever a bit is 1 in either value, the result has a 1 at that position.  This means that in effect 2 is added to the current value without having to check first whether the disabled bit is already set: if it is, the result is unchanged, whereas adding 2 would flip it off again.  The advantage of this approach is that it also works for computer accounts, which have a normal value of 4096.  So your code doesn’t need to distinguish between user and computer accounts; you just do a bitwise OR and the account is disabled.  Simple, efficient and easy to remember.
 
More information on -bor can be found in get-help about_comparison_operators
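As an added example (not code from the original post), the following PowerShell decodes a userAccountControl value into the flag names listed in KB305144 and shows on constructed values why -bor is safe where adding 2 is not; it needs no domain connection, and the function names are my own.

```powershell
# Added example, not code from the original post: decode a userAccountControl
# value into flag names and compare "+ 2" with "-bor 2". Flag values follow
# KB305144; no directory connection is needed, all inputs are constructed.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Names of every flag whose bit is set in $Value (-band tests one bit).
    @($UacFlags.Keys | Where-Object { ($Value -band $UacFlags[$_]) -ne 0 })
}

function Disable-UacValue {
    param([Parameter(Mandatory)][int]$Value)
    # -bor is idempotent: 514 -bor 2 is still 514, so no pre-check is needed.
    $Value -bor $UacFlags.ACCOUNTDISABLE
}

# Constructed samples: a normal user, the same user already disabled, and a
# computer account. Note that 514 + 2 = 516 drops ACCOUNTDISABLE entirely.
foreach ($v in 512, 514, 4096) {
    $bor  = Disable-UacValue $v
    $plus = $v + 2   # the arithmetic approach the post warns against
    $fields = @($v, ((ConvertFrom-UserAccountControl $v) -join ','),
                $bor, ((ConvertFrom-UserAccountControl $bor) -join ','),
                $plus, ((ConvertFrom-UserAccountControl $plus) -join ','))
    '{0,5} {1,-28} -bor 2 -> {2,5} {3,-30} +2 -> {4,5} {5}' -f $fields
}
```

The same decoder is handy when reading the old and new userAccountControl values reported in account-change audit events, since those are logged as raw numbers.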