Checking Account Status in LDAP
How to check if an account is disabled in LDAP?
Previously I googled and someone suggested that 'useraccountcontrol' with 512 would be disabled and 514 would be enabled.
But this is too unreliable. If other options are also set for that particular account, for example "password never expires" and "user cannot change password", the status would be 66048 and 66050 instead. Too many possibilities, and unpredictable too.
To solve this problem, we have to look at how a computer represents numbers at the lowest level. It all begins with binary numbers (yes, my blog motto). We have to convert the account status from decimal to binary. Let's look at 512, 514, 66048 and 66050 in binary form:
512 - 1000000000
514 - 1000000010 (disabled)
66048 - 10000001000000000
66050 - 10000001000000010 (disabled)
Notice the difference? The 2nd bit (counting from the right) is "1" when the account is disabled. So we just need to check the 2nd bit of the binary value of the account status: "0" means an enabled account!
Let's come back to programming. How do we check the 2nd bit of a binary number? Do we use the string functions provided by PHP? The answer is NO! Just look at the following code:
<?php
$ac = 512;                  // userAccountControl value read from LDAP
if (($ac & 2) == 2) {
    // disabled
} else {
    // enabled
}
Why does this work? We use the AND operation. For example 0010 AND 0011 = 0010: only the bits that are set in both operands stay set, and in this case that is the 2nd bit only. So ANDing the userAccountControl value with 2 (binary 10) tells us whether its 2nd bit is set. If it is set, the result is binary 10, which is 2 in decimal; otherwise the result is 0, and the account is enabled!
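The same bit test generalised to the other well-known userAccountControl flags, as an added example (not code from the original post); the flag names and values are Active Directory's documented bit values, and the LDAP entries are constructed samples shaped like ldap_get_entries() output rather than a live directory query:

```php
<?php
// Well-known bit flags of Active Directory's userAccountControl attribute.
const UAC_FLAGS = [
    'SCRIPT'                 => 0x0001,
    'ACCOUNTDISABLE'         => 0x0002,
    'LOCKOUT'                => 0x0010,
    'PASSWD_NOTREQD'         => 0x0020,
    'PASSWD_CANT_CHANGE'     => 0x0040,
    'NORMAL_ACCOUNT'         => 0x0200,
    'DONT_EXPIRE_PASSWORD'   => 0x10000,
    'SMARTCARD_REQUIRED'     => 0x40000,
    'TRUSTED_FOR_DELEGATION' => 0x80000,
    'NOT_DELEGATED'          => 0x100000,
    'DONT_REQ_PREAUTH'       => 0x400000,
    'PASSWORD_EXPIRED'       => 0x800000,
];

// True when the ACCOUNTDISABLE bit (2nd bit from the right) is set.
function uac_is_disabled(int $uac): bool
{
    return ($uac & UAC_FLAGS['ACCOUNTDISABLE']) !== 0;
}

// Returns the names of every flag whose bit is set in $uac.
function uac_decode(int $uac): array
{
    $set = [];
    foreach (UAC_FLAGS as $name => $bit) {
        if (($uac & $bit) === $bit) {
            $set[] = $name;
        }
    }
    return $set;
}

// Constructed sample entries (ldap_get_entries() returns attribute values as strings).
$entries = [
    ['samaccountname' => ['alice'], 'useraccountcontrol' => ['512']],
    ['samaccountname' => ['bob'],   'useraccountcontrol' => ['514']],
    ['samaccountname' => ['carol'], 'useraccountcontrol' => ['66048']],
    ['samaccountname' => ['dave'],  'useraccountcontrol' => ['66050']],
];

foreach ($entries as $e) {
    $uac = (int) $e['useraccountcontrol'][0];   // cast the string before any bit test
    printf("%-6s %-6d %-8s %s\n", $e['samaccountname'][0], $uac,
        uac_is_disabled($uac) ? 'DISABLED' : 'enabled', implode('|', uac_decode($uac)));
}
```

Casting the attribute to int first matters: a string compared with `& 2` in PHP is converted, but being explicit avoids surprises when the attribute is missing or empty.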