I want to query the msDS-User-Account-Control-Computed attribute of an Active Directory user account by using PowerShell with built-in tools/modules. That means I cannot use cmdlets like Get-ADUser. I am using the DirectorySearcher class/adsisearcher instead.
I try to query it like this from my domain-joined computer, where I am logged on as a regular domain user:
$ldapquery = [adsisearcher] "(sAMAccountName=$env:USERNAME)"
$ldapquery.PropertiesToLoad.Add('msDS-User-Account-Control-Computed') | Out-Null
$account = $ldapquery.FindOne()
$account.Properties['msDS-User-Account-Control-Computed']
The code seems to query the attribute, but it prints 0. It should be 512 for a regular user[1]. If I use GetDirectoryEntry() on the account to get all of its properties, the msDS-User-Account-Control-Computed attribute is not part of it:
$account.GetDirectoryEntry() | Format-List *
Trying to query it with a SearchScope of Base does also not seem to work:
$ldapquery = [adsisearcher] "(sAMAccountName=$env:USERNAME)"
$account = $ldapquery.FindOne()
$ldapquery2 = [adsisearcher] "(distinguishedName=$($account.Properties['distinguishedName'][0]))"
$ldapquery2.PropertiesToLoad.Add('msDS-User-Account-Control-Computed') | Out-Null
$ldapquery2.SearchRoot = $account.Path
$ldapquery2.SearchScope = [System.DirectoryServices.SearchScope]::Base
$account2 = $ldapquery2.FindOne()
$account2.Properties['msDS-User-Account-Control-Computed']
It prints 0, too.
[1] If I query userAccountControl instead of msDS-User-Account-Control-Computed, it prints 512. But I really need msDS-User-Account-Control-Computed as it contains more flags: In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information about this new attribute, see ms-DS-User-Account-Control-Computed attribute.
TL;DR: The 0 actually is correct for a "normal" account.
From the docs of the ms-DS-User-Account-Control-Computed attribute:
msDS-User-Account-Control-Computed is much like userAccountControl, but the attribute's value can contain additional bits that are not persisted. The computed bits include the following.
Value Name (defined in Iads.h) 0x0010 UF_LOCKOUT 0x800000 UF_PASSWORD_EXPIRED 0x4000000 UF_PARTIAL_SECRETS_ACCOUNT 0x8000000 UF_USE_AES_KEYS The full list of bits that User-Account-Control and therefore msDS-User-Account-Control-Computed can also contain can be found in the User-Account-Control reference page (mapped through the ADSI flagset) or on the network management reference pages for the user_info_1008 structure.
I assumed msDS-User-Account-Control-Computed would contain all flags of userAccountControl and four additional flags. But it turns out that msDS-User-Account-Control-Computed does only contain the four additional flags. So in order to get all possible flags, you have to query both attributes and sum them up:
$ldapquery = [adsisearcher] "(sAMAccountName=REDACTED)"
$ldapquery.PropertiesToLoad.Add('userAccountControl') | Out-Null
$ldapquery.PropertiesToLoad.Add('msDS-User-Account-Control-Computed') | Out-Null
$account = $ldapquery.FindOne()
$uac = $account.Properties['userAccountControl'][0] + $account.Properties['msDS-User-Account-Control-Computed'][0]
$uac
You can then check $uac against all possible flags. I tested this successfully against a locked out account on a Windows Server 2025 DC, where userAccountControl was 512 and msDS-User-Account-Control-Computed was 16. Btw. this does even seem to work without a SearchScope of Base.