Removing the delegation prohibition

If at some future time you want to remove the setting, or the account has been set to this state inadvertently, then we simply reverse the script we used to set it:

# The Microsoft cmdlets and the AD: drive need the ActiveDirectory module
Import-Module ActiveDirectory

$ou = "OU=England,DC=Manticore,DC=org"

# 1048576 (0x100000) is the NOT_DELEGATED bit of userAccountControl.
# -bxor toggles that bit, so it clears the flag only when the flag is currently set.

"`nMicrosoft"
$name = "UserA"
Get-ADUser -Identity $name |
Set-ADAccountControl -AccountNotDelegated:$false

"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
$flag = (Get-ItemProperty -Path AD:\$dn -Name useraccountcontrol).useraccountcontrol -bxor 1048576
Set-ItemProperty -Path AD:\$dn -Name useraccountcontrol -Value "$flag" -Confirm:$false

# The Quest cmdlets need the Quest.ActiveRoles.ADManagement snap-in loaded
"`nQuest"
$name = "UserC"
$user = Get-QADUser -Identity $name -IncludeAllProperties

$flag = $user.userAccountControl -bxor 1048576
$user.userAccountControl = $flag
Set-QADUser -Identity $name -ObjectAttributes @{userAccountControl = $flag}

"`nScript"
$name = "UserD"
$dn = "cn=$name,$ou"
$user = [adsi]"LDAP://$dn"

$flag = $user.userAccountControl.value -bxor 1048576
$user.userAccountControl = $flag

# Write the change back to the directory
$user.SetInfo()


The Microsoft cmdlets have a parameter; the other options all use -bxor against the userAccountControl attribute.
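
Because -bxor flips the bit rather than clearing it, running the removal against an account that does not have the flag set would switch the prohibition on. The following is an added example, not part of the original post: it compares -bxor with a mask-based clear on constructed userAccountControl values, with no directory access. The helper names Test-NotDelegated and Clear-NotDelegated and the sample values are assumptions made for illustration.

```powershell
# Added example: works on constructed integers only, nothing is read from or written to AD.
$NOT_DELEGATED = 1048576   # 0x100000, the bit the scripts above manipulate

function Test-NotDelegated ([int]$Uac) {       # hypothetical helper
    # True when the "cannot be delegated" bit is present
    ($Uac -band $NOT_DELEGATED) -ne 0
}

function Clear-NotDelegated ([int]$Uac) {      # hypothetical helper
    # AND with the inverted mask: clears the bit and leaves every other flag untouched
    $Uac -band (-bnot $NOT_DELEGATED)
}

# Constructed sample values:
#   512   = NORMAL_ACCOUNT
#   66048 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD (65536)
$samples = [ordered]@{
    'UserA (flag set)'                 = 512 + $NOT_DELEGATED
    'UserB (flag set, pwd no expiry)'  = 66048 + $NOT_DELEGATED
    'UserC (flag NOT set)'             = 512
}

$results = foreach ($entry in $samples.GetEnumerator()) {
    $toggled = $entry.Value -bxor $NOT_DELEGATED      # what the removal scripts do
    $cleared = Clear-NotDelegated $entry.Value        # idempotent alternative
    [pscustomobject]@{
        Account          = $entry.Key
        Before           = $entry.Value
        AfterBxor        = $toggled
        SetAfterBxor     = (Test-NotDelegated $toggled)
        AfterMaskClear   = $cleared
        SetAfterClear    = (Test-NotDelegated $cleared)
    }
}

$results | Format-Table -AutoSize

# Accounts where the toggle would have turned the prohibition ON instead of off
$results | Where-Object { $_.SetAfterBxor } | Select-Object Account, Before, AfterBxor
```

For UserC the -bxor column shows the flag being set (512 becomes 1049088), while the mask-based clear leaves 512 unchanged; testing the bit first, or clearing with the mask, makes the removal safe to re-run.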
