I have a situation where I'd like to use PowerShell in an environment without Get-ADUser to determine whether another account is expired. Someone else in the domain is able to read the userAccountControl property off of the object returned from an ADSI call, and see the PASSWORD_EXPIRED (8388608) bit is set. When my account makes this same call, the bit is always off, which leads me to believe there is a difference in permissions in the requesting accounts that prevents me from seeing this information.
It also would seem to obviate the strict need to query the ms-DS-User-Account-Control-Computed, which I can't quite figure out how to query anyways. If that might make the difference, please point me to a way to do this in PowerShell. If it's not necessary, what permissions are required to read this value?
I'm not the most well versed in ADSI or even AD permissions and the various ways to get things, just a general idea... The results object whose properties I am getting is acquired with the following ADSI string: (&(objectClass=user)(objectCategory=person)(samAccountName=queried.user.name*)) -- all the properties coming off of it seem to be valid, except for several flags in the userAccountControl property(?)
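
One way to read ms-DS-User-Account-Control-Computed (LDAP display name msDS-User-Account-Control-Computed) through ADSI in PowerShell, as an added example that is not part of the original post. The attribute is constructed, so a search returns it only when it is requested by name; the function names are hypothetical, and the code assumes a domain-joined session and an exact account name rather than the trailing wildcard in the filter above.

```powershell
# Added example: names below are hypothetical, not from the original post.
$UacFlags = @{
    LOCKOUT          = 0x00000010
    PASSWORD_EXPIRED = 0x00800000   # 8388608, the bit named in the question
}

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping, so the account name cannot change the filter's meaning.
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function Get-ComputedUac {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $name     = ConvertTo-LdapFilterValue $SamAccountName
    $searcher = [adsisearcher]"(&(objectClass=user)(objectCategory=person)(samAccountName=$name))"

    # Constructed attributes are not part of the default result set:
    # they have to be listed explicitly in PropertiesToLoad.
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    [void]$searcher.PropertiesToLoad.Add('msDS-User-Account-Control-Computed')

    $result = $searcher.FindOne()
    if (-not $result) { throw "No user matched '$SamAccountName'." }

    # Property names in a SearchResult are stored in lower case.
    $stored   = [int]$result.Properties['useraccountcontrol'][0]
    $values   = $result.Properties['msds-user-account-control-computed']
    $computed = if ($values.Count) { [int]$values[0] } else { $null }

    [pscustomobject]@{
        SamAccountName  = $SamAccountName
        StoredUac       = '0x{0:X8}' -f $stored
        ComputedUac     = if ($null -ne $computed) { '0x{0:X8}' -f $computed }
        # $null here means the attribute was not returned at all,
        # which is different from the bit being clear.
        PasswordExpired = if ($null -ne $computed) { [bool]($computed -band $UacFlags.PASSWORD_EXPIRED) }
        LockedOut       = if ($null -ne $computed) { [bool]($computed -band $UacFlags.LOCKOUT) }
    }
}

# Placeholder account name taken from the filter in the post.
Get-ComputedUac -SamAccountName 'queried.user.name'
```

Comparing StoredUac with ComputedUac for the same account shows which of the two attributes carries the expired bit for the requesting account.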