Month: January 2018

Snapshot

The form…with dropdown selection, buttons, a label, an icon, and transparency.

 
Code

Clear-Host

# Using
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
[void][System.Windows.Forms.Application]::EnableVisualStyles()

# Create Form
$Form = New-Object system.Windows.Forms.Form 
$Form.Size = New-Object System.Drawing.Size(400,300) 
#$Form.Width = 400 
#$Form.Height = 300 
$Form.MaximizeBox = $false 
$Form.StartPosition = "CenterScreen" 
$Form.FormBorderStyle = 'Fixed3D' 
$Form.Text = "My Application" 

$Form.AutoSizeMode = "GrowAndShrink"    # or GrowOnly
$Form.MinimizeBox = $False
$Form.MaximizeBox = $False
$Form.WindowState = "Normal"            # Maximized, Minimized, Normal
$Form.SizeGripStyle = "Hide"            # Auto, Hide, Show
$Form.ShowInTaskbar = $True
$Form.Opacity = 0.7                     # 1.0 is fully opaque; 0.0 is invisible
$Form.StartPosition = "CenterScreen"    # CenterScreen, Manual, WindowsDefaultLocation, WindowsDefaultBounds, CenterParent


# Icon
$Icon = New-Object system.drawing.icon ("C:\Program Files (x86)\Microsoft Office\Office15\Groove\ToolIcons\COMPUTER.ICO")
$Form.Icon = $Icon

# Label
$Label = New-Object System.Windows.Forms.Label
$Label.Text = "This form is very simple."
$Label.AutoSize = $True
$Label.Location = New-Object System.Drawing.Size(120,50) 
$Font = New-Object System.Drawing.Font("Calibri",10,[System.Drawing.FontStyle]::Regular) 
$Form.Font = $Font
$Form.Controls.Add($Label)


# Drop Down Selection

# Create datatable to bind a combobox
$datatable = New-Object system.Data.DataTable

# Define Columns
$col1 = New-Object system.Data.DataColumn "Value",([string])
$col2 = New-Object system.Data.DataColumn "Text",([string])


# Add columns to Datatable
$datatable.columns.add($col1)
$datatable.columns.add($col2)
		
# 1 Create Row
$datarow1 = $datatable.NewRow()

# Enter data in row
$datarow1.Value = "Value 1"
$datarow1.Text = "Text 1"

# Add row to datatable
$datatable.Rows.Add($datarow1)


# 2 Create Row
$datarow2 = $datatable.NewRow()

#Enter data in the row
$datarow2.Value = "Value 2"
$datarow2.Text = "Text 2"

# Add the row to the datatable
$datatable.Rows.Add($datarow2)


# 3 Create Row
$datarow3 = $datatable.NewRow()

# Enter Data in row
$datarow3.Value = "Value 3"
$datarow3.Text = "Text 3"

# Add Row to datatable
$datatable.Rows.Add($datarow3)

# Create combobox
$combobox = New-Object System.Windows.Forms.ComboBox		
$combobox.Add_SelectedIndexChanged({
		#output the selected value and text
		write-host $combobox.SelectedItem["Value"] $combobox.SelectedItem["Text"]
})

# Clear Combo before bind
$combobox.Items.Clear()

# Bind Combobox to datatable
$combobox.ValueMember = "Value"
$combobox.DisplayMember = "Text"
$combobox.Datasource = $datatable

# Add Combobox to form
$form.Controls.Add($combobox)	


# Button 1
$Okbutton1 = New-Object System.Windows.Forms.Button 
$Okbutton1.Location = New-Object System.Drawing.Size(80,80)
$Okbutton1.Size = New-Object System.Drawing.Size(100,30)
$Okbutton1.Text = "OK1"
$Okbutton1.Add_Click({$Form.Close()
# do this with button
Write-Host "OK Button 1"}) 
$Form.Controls.Add($Okbutton1)

# Button 2
$Okbutton2 = New-Object System.Windows.Forms.Button 
$Okbutton2.Location = New-Object System.Drawing.Size(200,80)
$Okbutton2.Size = New-Object System.Drawing.Size(100,30)
$Okbutton2.Text = "OK2"
$Okbutton2.Add_Click({$Form.Close() 
# do this with button
Write-Host "OK Button 2"}) 
$Form.Controls.Add($Okbutton2)

# Show form
[void]$form.showdialog()

To stamp the registry in a Task Sequence, create two Run Commands in the Post Setup group (I add these as the final steps):

To set the field where Model is normally at

#1
cmd /c reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation” /v Model /t REG_SZ /d “ABC WIN10 1.0” /f /reg:64

#2
cmd /c reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation” /v BuildDate /t REG_SZ /d “%DATE% %TIME%” /f /reg:64

 

You may also use this to set Computer Description

cmd /c reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters” /v svrcomment /t REG_SZ /d “ABC WIN10 1.0” /f 

To activate Office 2016 in a Task Sequence, create two Run Commands in the Post Setup group:

 

32 Bit

#1
cmd /c cscript.exe “C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs” /inpkey:SSSSS-DDDDD-WWWWW-TTTTT-GGGGG

#2
cmd /c cscript.exe “C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs” /act

 

64 Bit

#1
cmd /c cscript.exe “C:\Program Files\Microsoft Office\Office16\ospp.vbs” /inpkey:SSSSS-DDDDD-WWWWW-TTTTT-GGGGG

#2
cmd /c cscript.exe “C:\Program Files\Microsoft Office\Office16\ospp.vbs” /act

 

* Note, this is for Office 32 bit.

This is how you automate the process of naming computers during OSD.

PowerShell Method

First, create an application package, but choose Do not create a program, instead of Standard for the program type.

OSDComputerName.ps1

$SerialNumber = (Get-WmiObject -Class Win32_BIOS | Select-Object SerialNumber).SerialNumber
$OSDComputerName = "ABC-" + $SerialNumber
$TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment
#$TSEnv.Value("$env:computername") = "$OSDComputerName"
$TSEnv.Value("OSDComputerName") = "$OSDComputerName"

#Rename-Computer -ComputerName "$env:computername" -NewName "$OSDComputerName"
#Rename-Computer -ComputerName "OSDComputerName" -NewName "$OSDComputerName"

 

Next, in the Task Sequence, create three Run Commands:

#1
powershell.exe -noprofile -command “Set-ExecutionPolicy Bypass LocalMachine” -force

#2
powershell.exe -noprofile -file OSDComputerName.ps1
* make sure you link an empty package (an application package with no program) to the OSDComputername.ps1

#3
powershell.exe -noprofile -command “Set-ExecutionPolicy RemoteSigned LocalMachine” -force

* Note, this method does require that PowerShell be enabled in the boot.wim

 

VBScript Method

Make an item in Post Setup pointing to this script. Add a SCCM Restart.

on error resume next

Dim computername

strComputer = "."

Set objWMIservice = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

set colitems = objWMIservice.ExecQuery("Select * from Win32_BIOS",,48)

For each objitem in colitems
'Wscript.echo "Dell Service Tag: " & objitem.serialnumber
computername = objitem.serialnumber

Next

'returns machine model number only
'PRIMARY MODEL DETECTION
Set objWMI = GetObject("winmgmts:")
Set colSettings = objWMI.ExecQuery("Select * from Win32_ComputerSystem")

For Each objComputer in colSettings
LaptopModel = Trim(objComputer.Model)
Next

Select Case LaptopModel

Case "HP EliteBook 840 G3"
strModel = "8403"

Case "HP EliteBook 840 G2"
strModel = "8402"

Case "HP EliteBook 840 G1"
strModel = "8401"

Case "HP EliteBook Folio 9480m"
strModel = "9480"

Case "HP EliteBook Folio 9470m"
strModel = "9470"

Case "HP EliteBook Folio 9460m"
strModel = "9460"

Case "HP EliteBook 8470p"
strModel = "8470"

Case "HP EliteBook 8460p"
strModel = "8460"

Case "HP EliteBook 8450p"
strModel = "8450"

Case "HP EliteBook 8440p"
strModel = "8440"

Case "HP EliteBook 6930p"
strModel = "6930"

Case "HP EliteBook 2530p"
strModel = "2530"

Case "HP EliteBook 2540p"
strModel = "2540"

Case "HP Compaq dc7900 Small Form Factor"
strModel = "7900"

Case "HP Compaq 8000 Elite SFF PC"
strModel = "8000"

Case "HP Compaq 8200 Elite SFF PC"
strModel = "8200"

Case "OptiPlex 755"
strModel = "755"

Case "OptiPlex 745"
strModel = "745"

Case "Latitude D630"
strModel = "630"

Case "Latitude D620"
strModel = "620"

Case "Latitude D430"
strModel = "430"

End Select

'SECONDARY MODEL DETECTION
'used for models not explicitly defined
if strModel = "" then
'msgbox "no model was detected"
myLength = Len(LaptopModel)

For i = 1 To myLength
If Asc(Mid(LaptopModel, i, 1)) <> 32 Then
If Asc(Mid(LaptopModel, i, 1)) >= 48 And Asc(Mid(LaptopModel, i, 1)) <= 57 Then
myNumber = myNumber & Mid(LaptopModel, i, 1)
End If
Else
'msgbox("no numeric")
End If
Next
'msgbox(myNumber)
strModel = myNumber
end if

'testing only
'msgbox strModel

'renames machine with model number - service tag
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colComputers = objWMIService.ExecQuery ("Select * from Win32_ComputerSystem")

For Each objComputer in colComputers

err = objComputer.Rename(strModel & "-" & computername)

Next

WScript.Quit(0)

 

 

Notes

Command Line

netdom renamecomputer member /newname:member1.contoso.com /userd:administrator

 

PowerShell

Rename-Computer -ComputerName “$env:computername” -NewName “NewComputerName”

Rename-Computer -ComputerName “OSDComputerName” -NewName “NewComputerName”

Remotely Rename

$TargetComp=Read-Host -Prompt “Enter the Name of the Computer you want to change the name of “
$Credential=Get-Credential
$computerName = GWMI Win32_ComputerSystem -computername $TargetComp -Authentication 6
Write-host “Current Computer Name is ” $computerName
$name = Read-Host -Prompt “Please Enter the ComputerName you want to use.”
Write-host “New Computer Name ” $Name
$Go=Read-Host -prompt “Proceed with computer name change? (Y / N)”
If(($Go-eq”Y”)-or($Go-eq”y”))
{
$computername.Rename($name,$credential.GetNetworkCredential().Password,$credential.Username)
}
$Reboot=Read-host -Prompt “Do you want to restart the computer? (Y / N)”
If(($Reboot-eq”Y”)-or($Reboot-eq”y”))
{
restart-computer -computername $TargetComp
}

Screenshot

 

Single User

REG ADD “HKCU\Software\Citrix\Receiver” /f /v “HideAddAccountOnRestart” /t REG_DWORD /d “1”

 
For your image

1. Load the Default profile registry hive.

a. Open regedit.

b. Select HKEY_USERS, then click File > Load Hive

c. In the File name type: C:\Users\Default\ntuser.dat and click Open.

d. Type DefaultUser as the Key Name and click OK.

2. Navigate to HKEY_USERS > DefaultUser > Software > Citrix > Receiver

3. Create a new DWORD (32-bit) Value and name it HideAddAccountOnRestart.

4. Set the value data to 1.

5. Unload the Default User hive by selecting DefaultUser, the click File > Unload Hive.

 

Notes

REG ADD “HKLM\Software\Policies\Citrix” /f /v “EnableX1FTU” /t REG_DWORD /d “0”

https://support.citrix.com/article/CTX135438.?_ga=2.137409657.835403622.1516202909-1506665665.1515700878

 

Tested under Windows 7 & 10

reg delete “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “SunJavaUpdateSched” /f /reg:64

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy” /v EnableAutoUpdateCheck /t REG_DWORD /d 0 /f /reg:64

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy” /v EnableJavaUpdate /t REG_DWORD /d 0 /f /reg:64

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy” /v NotifyDownload /t REG_DWORD /d 0 /f /reg:64

reg delete “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “SunJavaUpdateSched” /f /reg:32

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy” /v EnableAutoUpdateCheck /t REG_DWORD /d 0 /f /reg:32

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy” /v EnableJavaUpdate /t REG_DWORD /d 0 /f /reg:32

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy” /v NotifyDownload /t REG_DWORD /d 0 /f /reg:32

strComputer = "."

DriveLetter = ""

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set colItems = objWMIService.ExecQuery ("Select * From Win32_LogicalDisk")

For Each objItem in colItems

If objItem.VolumeName = "KINGSTON" then DriveLetter = objItem.DeviceID

Next

msgbox DriveLetter

When launching one of the Office apps on first login, the user will receive a First things first window. To disable this window, apply the reg keys below.

Screenshot

 

Single User Method

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Common\General]
“OptInDisable”=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Registration]
“AcceptAllEulas”=dword:00000001

* Note, you may need RW permissions to the Microsoft key…if you do, add Authenticated Users with RW permissions.

 

Default User Profile Method

REG LOAD HKLM\DEFAULT C:\Users\Default\ntuser.dat

REG ADD “HKLM\DEFAULT\SOFTWARE\Policies\Microsoft\Office\16.0\Common\General” /v “OptInDisable” /t REG_DWORD /d 1 /f /REG:64

REG ADD “HKLM\DEFAULT\SOFTWARE\Policies\Microsoft\Office\16.0\Registration” /v “AcceptAllEulas” /t REG_DWORD /d 1 /f /REG:64

REG UNLOAD HKLM\DEFAULT

 

Or, if you’re really crafty, launch this as admin when the user logs in

on error resume next

Set objShell = CreateObject("Wscript.Shell")

Const HKEY_LOCAL_MACHINE = &H80000002

Const OverwriteExisting = TRUE

'SETS CURRENT DIRECTORY TO VARIABLE
strCurrentDirectory = objShell.CurrentDirectory

'SETS COMPUTER NAME
strComputer = "."

'SET UP WMI
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

'SET UP REGISTRY
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList"

objRegistry.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubkeys

For Each objSubkey In arrSubkeys

on error resume next

strValueName = "ProfileImagePath"

strSubPath = strKeyPath & "\" & objSubkey

objRegistry.GetExpandedStringValue HKEY_LOCAL_MACHINE,strSubPath,strValueName,strValue

Const POPUP_TITLE = "User To SID Conversion"

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set objAccount = objWMIService.Get("Win32_SID.SID='" & objSubkey & "'")

strUser = objAccount.AccountName

'strDomain = objAccount.ReferencedDomainName'returns referenced domain

'PROFILE NAME & SID
objSubkey = trim(objSubkey)'trims whitespace

strUser = trim(strUser)'trims whitespace

'LOGIC TO DETERMINE IF REGISTRY ACCOUNT IS TO BE ACCESSED
if strUser = "SYSTEM" then strUser = ""
if strUser = "LOCAL SERVICE" then strUser = ""
if strUser = "NETWORK SERVICE" then strUser = ""
'if strUser = "Administrator" then strUser = ""
if strUser = "Default" then strUser = ""

if strUser <> "" then

on error resume next

'APPLY REG KEYS

objShell.Run "%comspec% /c reg.exe add "&chr(34)&"HKEY_USERS\" & objSubkey & "\SOFTWARE\Policies\Microsoft\Office\16.0\Common\General"&chr(34)&" /t REG_DWORD /v ""OptInDisable"" /d 1 /f",0,true

objShell.Run "%comspec% /c reg.exe add "&chr(34)&"HKEY_USERS\" & objSubkey & "\SOFTWARE\Policies\Microsoft\Office\16.0\Registration"&chr(34)&" /t REG_DWORD /v ""AcceptAllEulas"" /d 1 /f",0,true

Wscript.Sleep 1000

end if

Next

 

Notes

PowerShell – Change Registry Permissions

If you have computers that aren’t joining the domain during the task sequence, and you receive the following errors in the C:\Windows\debug\NetSetup.log file, the cause is most likely the rights on the service account used on the Join Domain/Apply Network Settings item in the task sequence.

NetpMapGetLdapExtendedError: Parsed [0x5] from server extended error string: 00000005: SecErr: DSID-031A11CC, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

NetpModifyComputerObjectInDs: ldap_modify_s failed: 0x32 0x5

NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x5

NetpProvisionComputerAccount: LDAP creation failed: 0x5 

 

To fix this, you need to modify the service account delegation rights. In ADUC:

1. Identify the security principal that you want to delegate permissions for.
2. Identify the container or OU where you want to allow users to manipulate computer objects.
3. Right click the container or OU and choose Delegate Control.
4. The Delegation of Control Wizard opens, click Next.
5. The Users or Groups window opens:
   Select the security principal you want to grant permissions to, and then click Next again.
6. The Tasks to Delegate window opens:
   Select Create a custom task to delegate and click Next.
7. The Active Directory Object Type window opens:
   Select Only the following objects in the folder and then select Computer objects. At the bottom of the window, select Create selected objects in this folder and Delete selected objects in this folder, and click Next.
8. The Permissions window opens
   Select General and Property-specific options, and then select these permissions:
   – Read All Properties
   – Write All Properties
   – Reset Password
   – Read and write Account Restrictions
   – Validated write to DNS host name
   – Validated write to service principal name
9. The Completing the Delegation of Control Wizard window will open showing you a summary of the actions. Click Finish.

Test your imaging process now.

 

Notes

https://social.technet.microsoft.com/Forums/ie/en-US/c0a41fec-4390-4b74-89eb-9299691a3e33/allow-user-to-bind-and-filter-ldap-and-change-password?forum=winserversecurity

https://social.technet.microsoft.com/Forums/ie/en-US/c0a41fec-4390-4b74-89eb-9299691a3e33/allow-user-to-bind-and-filter-ldap-and-change-password?forum=winserversecurity

 

get-childitem * -include *.* | foreach-object { "{0}`t{1}" -f $_.FullName, [System.Diagnostics.F
ileVersionInfo]::GetVersionInfo($_).FileVersion } | out-file output.txt

notepad.exe output.txt

 

Output

UserAccountControl Attribute/Flag Values

 

 

Notes

Property flag descriptions

• SCRIPT – The logon script will be run.
• ACCOUNTDISABLE – The user account is disabled.
• HOMEDIR_REQUIRED – The home folder is required.
• PASSWD_NOTREQD – No password is required.
• PASSWD_CANT_CHANGE – The user cannot change the password. This is a permission on the user’s object. For information about how to programmatically set this permission, visit the following Web site:
  http://msdn2.microsoft.com/en-us/library/aa746398.aspx
• ENCRYPTED_TEXT_PASSWORD_ALLOWED – The user can send an encrypted password.
• TEMP_DUPLICATE_ACCOUNT – This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
• NORMAL_ACCOUNT – This is a default account type that represents a typical user.
• INTERDOMAIN_TRUST_ACCOUNT – This is a permit to trust an account for a system domain that trusts other domains.
• WORKSTATION_TRUST_ACCOUNT – This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
• SERVER_TRUST_ACCOUNT – This is a computer account for a domain controller that is a member of this domain.
• DONT_EXPIRE_PASSWD – Represents the password, which should never expire on the account.
• MNS_LOGON_ACCOUNT – This is an MNS logon account.
• SMARTCARD_REQUIRED – When this flag is set, it forces the user to log on by using a smart card.
• TRUSTED_FOR_DELEGATION – When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
• NOT_DELEGATED – When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
• USE_DES_KEY_ONLY – (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
• DONT_REQUIRE_PREAUTH – (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.
• PASSWORD_EXPIRED – (Windows 2000/Windows Server 2003) The user’s password has expired.
• TRUSTED_TO_AUTH_FOR_DELEGATION – (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client’s identity and authenticate as that user to other remote servers on the network.
• PARTIAL_SECRETS_ACCOUNT – (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server.

UserAccountControl values

These are the default UserAccountControl values for the certain objects:

To set or erase bits in the userAccountControl attribute

Const ADS_UF_ACCOUNT_DISABLE = 2
Const ADS_UF_HOMEDIR_REQUIRED = 8
Const ADS_UF_LOCKOUT = 16
Const ADS_UF_PASSWD_NOTREQD = 32
Const ADS_UF_PASSWD_CANT_CHANGE = 64
Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 128
Const ADS_UF_NORMAL_ACCOUNT = 512
Const ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 2048
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = 4096
Const ADS_UF_SERVER_TRUST_ACCOUNT = 8192
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536
Const ADS_UF_MNS_LOGON_ACCOUNT = 131072
Const ADS_UF_SMARTCARD_REQUIRED = 262144
Const ADS_UF_TRUSTED_FOR_DELEGATION = 524288
Const ADS_UF_NOT_DELEGATED = 1048576
Const ADS_UF_USE_DES_KEY_ONLY = 2097152
Const ADS_UF_DONT_REQUIRE_PREAUTH = 4194304
Const ADS_UF_PASSWORD_EXPIRED = 8388608
Const ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 16777216
Const ADS_UF_NO_AUTH_DATA_REQUIRED = 33554432
Const ADS_UF_PARTIAL_SECRETS_ACCOUNT = 67108864

Set obj = GetObject("LDAP://cn=site,ou=user,dc=contoso,dc=com")

'The user is disabled (set flag bit):
obj.userAccountControl = obj.userAccountControl or ADS_UF_ACCOUNT_DISABLE
obj.SetInfo

'The user is enabled (remove flag bit):
obj.userAccountControl = obj.userAccountControl xor ADS_UF_ACCOUNT_DISABLE
obj.SetInfo

 

Reference

User-Account-Control attribute

How to use the UserAccountControl flags to manipulate user account properties

http://support.microsoft.com/kb/305144