Removing the delegation prohibition

If at some future time you want to remove the setting, or the account has been set to this state inadvertently, then we simply reverse the script we used to set it:

$ou = "OU=England,DC=Manticore,DC=org"

# Microsoft AD cmdlets: the parameter clears the flag explicitly
$name = "UserA"
Get-ADUser -Identity $name |
Set-ADAccountControl -AccountNotDelegated:$false

# AD provider: -bxor 1048576 toggles the NOT_DELEGATED bit, so it clears the flag only if it is currently set
"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
$flag = (Get-ItemProperty -Path AD:\$dn  -Name useraccountcontrol).useraccountcontrol -bxor 1048576
Set-ItemProperty -Path AD:\$dn  -Name useraccountcontrol -Value "$flag" -Confirm:$false

# Quest cmdlets
$name = "UserC"
$user = Get-QADUser -Identity $name -IncludeAllProperties
$flag = $user.userAccountControl -bxor 1048576
$user.userAccountControl = $flag
Set-QADUser -Identity $name -ObjectAttributes @{userAccountControl = $flag}

# ADSI
$name = "UserD"
$dn = "cn=$name,$ou"
$user = [adsi]"LDAP://$dn"
$flag = $user.userAccountControl.value -bxor 1048576
$user.userAccountControl = $flag
$user.SetInfo()   # write the cached change back to the directory

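The Microsoft cmdlets have a parameter for this; the other options all use -bxor against the useraccountcontrol attribute. Because -bxor toggles the bit rather than clearing it, those three variants remove the prohibition only when it is currently set; run against an account that does not have the flag, they set it.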
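
An added example, not part of the original post: clearing the bit with -band and an inverted mask, so the operation gives the same result however many times it runs and writes to the directory only when the flag is actually set. The function names Clear-UacFlag and Remove-DelegationProhibition are hypothetical; the DN in the final comment is built from the sample OU and user above.

```powershell
# Added example: clear NOT_DELEGATED idempotently instead of toggling it.
$NOT_DELEGATED = 0x100000   # 1048576, the value used with -bxor above

function Clear-UacFlag {
    param([int]$UserAccountControl, [int]$Flag)
    # ANDing with the inverted mask always leaves the bit at 0;
    # -bxor would turn it back on if it was already clear.
    $UserAccountControl -band (-bnot $Flag)
}

function Remove-DelegationProhibition {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $user    = [adsi]"LDAP://$DistinguishedName"
    $current = [int]$user.userAccountControl.Value
    $new     = Clear-UacFlag -UserAccountControl $current -Flag $NOT_DELEGATED

    if ($new -eq $current) {
        # Nothing to do: report it and leave the object untouched
        Write-Verbose ("{0}: flag not set, no change" -f $DistinguishedName)
        return
    }
    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Clear NOT_DELEGATED')) {
        $user.userAccountControl = $new
        $user.SetInfo()   # commit the change to the directory
        # Emit before/after values so the change can be logged
        "{0}: userAccountControl {1} -> {2}" -f $DistinguishedName, $current, $new
    }
}

# Offline check on constructed values (512 = a normal account with no other flags)
Clear-UacFlag -UserAccountControl (512 + 1048576) -Flag $NOT_DELEGATED   # flag set
Clear-UacFlag -UserAccountControl 512 -Flag $NOT_DELEGATED               # flag already clear
512 -bxor 1048576    # the toggle applied to an account without the flag

# Against a directory, previewing the change first:
# Remove-DelegationProhibition -DistinguishedName "cn=UserD,OU=England,DC=Manticore,DC=org" -WhatIf
```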
