13

How do you check if a computer account is disabled in Active Directory using C#/.NET

4

8 Answers

26

Try this:

using System;
using System.DirectoryServices;

class Program
{
    static void Main(string[] args)
    {
        const string ldap = "LDAP://your-ldap-server-here";

        using (DirectoryEntry conn = new DirectoryEntry(ldap))
        {
            using (DirectorySearcher searcher = new DirectorySearcher(conn))
            {
                // Look up the two accounts by sAMAccountName and load only the attributes we need.
                searcher.Filter = "(|(samAccountName=userA)(samAccountName=userB))";
                searcher.PropertiesToLoad.Add("samAccountName");
                searcher.PropertiesToLoad.Add("userAccountControl");

                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult result in results)
                    {
                        int userAccountControl = Convert.ToInt32(result.Properties["userAccountControl"][0]);
                        string samAccountName = Convert.ToString(result.Properties["samAccountName"][0]);
                        // Bit 0x2 (ADS_UF_ACCOUNTDISABLE) is set when the account is disabled.
                        bool disabled = ((userAccountControl & 2) > 0);

                        Console.WriteLine("{0} ({1:x}) :: {2}", samAccountName, userAccountControl, disabled);
                    }
                }
            }
        }

        Console.ReadLine();
    }
}

The second bit of userAccountControl will be 1 if the account is disabled.

answered 2009-02-26T18:16:43.927
7

Try this entry:

http://www.codeproject.com/KB/system/everythingInAD.aspx#42

You will want to examine the User Account Control flags.

answered 2009-02-26T17:59:58.180
6

If you are using .NET 3.5, you can use the new System.DirectoryServices.AccountManagement namespace methods to access Active Directory more easily. The UserPrincipal object has an Enabled property that gives you what you need.

The January 2008 issue of MSDN Magazine has a good overview of these routines. You can read the article online here: Managing Directory Security Principals in the .NET Framework 3.5

answered 2009-05-02T21:18:18.923
4

Leandro López's answer is cool and works... Another option is that we can run a LINQ query on userAccountControl with the value for disabled and disable those users.

The userAccountControl values are:

512 Enabled account

514 Disabled account

544 Enabled, password not required

546 Disabled, password not required

66048 Enabled, password does not expire

66050 Disabled, password does not expire

66080 Enabled, password does not expire and is not required

66082 Disabled, password does not expire and is not required

262656 Enabled, smart card required

262658 Disabled, smart card required

262688 Enabled, smart card required, password not required

262690 Disabled, smart card required, password not required

328192 Enabled, smart card required, password does not expire

328194 Disabled, smart card required, password does not expire

328224 Enabled, smart card required, password does not expire and is not required

328226 Disabled, smart card required, password does not expire and is not required

answered 2010-12-13T12:26:36.247
3

Instead of checking bits, adding:

(userAccountControl:1.2.840.113556.1.4.803:=2)

to your filter should return only disabled users. Of course,

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

will make sure the users are not disabled, if you want to go that route.

answered 2009-03-05T14:51:12.083
2

Hey, I finally figured it out :) Here is my code, hope it helps you

        // Needs: using System; using System.DirectoryServices;
        const int ADS_UF_ACCOUNTDISABLE = 0x00000002;

        DirectoryEntry de = new DirectoryEntry();
        de.Path = "LDAP://companyname.com";
        de.AuthenticationType = AuthenticationTypes.Secure;
        DirectorySearcher objADSearcher = new DirectorySearcher(de);

        objADSearcher.SearchRoot = de;
        // NOTE: TextBox1.Text goes into the filter unescaped; escape LDAP filter metacharacters before use.
        objADSearcher.Filter = "(SAMAccountName=" + TextBox1.Text + ")";
        SearchResult results = objADSearcher.FindOne();
        if (results != null)   // FindOne() returns null when nothing matches
        {
           int flags = Convert.ToInt32(results.Properties["userAccountControl"][0].ToString());

           // for reference: results.Properties["userAccountControl"][0].ToString().Equals("514");

           if (Convert.ToBoolean(flags & ADS_UF_ACCOUNTDISABLE))
           {
               Response.Write("Account Disabled");
           }
        }

answered 2011-03-17T21:13:20.430
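As an added example (not from any of the answers above), the following C# program decodes the numeric values from the table answer into flag names and shows why testing the disable bit is the right check rather than comparing against 514 as the comment in the previous answer suggests: the question is about computer accounts, whose userAccountControl carries WORKSTATION_TRUST_ACCOUNT (4096) instead of NORMAL_ACCOUNT (512), so a disabled computer reads 4098. The sample values are constructed and the `Uac` enum and helper names are assumptions of this example; it needs no directory connection.

```csharp
using System;
using System.Collections.Generic;

// Subset of the userAccountControl flags relevant here (assumed enum name).
[Flags]
enum Uac : int
{
    ACCOUNTDISABLE = 0x0002,
    PASSWD_NOTREQD = 0x0020,
    NORMAL_ACCOUNT = 0x0200,
    WORKSTATION_TRUST_ACCOUNT = 0x1000,
    DONT_EXPIRE_PASSWD = 0x10000,
    SMARTCARD_REQUIRED = 0x40000,
}

static class UacCheck
{
    // The robust test: mask the disable bit and ignore every other flag.
    public static bool IsDisabled(int uac) => (uac & (int)Uac.ACCOUNTDISABLE) != 0;

    // Server-side equivalent using the LDAP_MATCHING_RULE_BIT_AND rule, so the
    // DC returns only disabled objects of the requested class (user or computer).
    public static string DisabledFilter(string objectClass) =>
        $"(&(objectClass={objectClass})(userAccountControl:1.2.840.113556.1.4.803:=2))";

    static void Main()
    {
        // Constructed sample values: a disabled user, a disabled computer, an enabled computer.
        var samples = new Dictionary<string, int>
        {
            ["user-disabled"] = 514,
            ["computer-disabled"] = 4098,
            ["computer-enabled"] = 4096,
        };
        foreach (var kv in samples)
        {
            // Casting to the [Flags] enum yields the flag names, e.g. "ACCOUNTDISABLE, WORKSTATION_TRUST_ACCOUNT".
            Console.WriteLine("{0,-18} {1,6} {2,-45} disabled={3} equals514={4}",
                kv.Key, kv.Value, (Uac)kv.Value, IsDisabled(kv.Value), kv.Value == 514);
        }
        Console.WriteLine(DisabledFilter("computer"));
    }
}
```

The output shows equals514 is false for the disabled computer account while IsDisabled is true, which is exactly the case an equality check would miss.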
1

You can decode the userAccountControl attribute easily by casting the value to an enum.

int userAccountControlValue = 544;
UserAccountControl userAccountControl = (UserAccountControl) userAccountControlValue;

// This gets a comma separated string of the flag names that apply.
string userAccountControlFlagNames = userAccountControl.ToString();

// This is how you test for an individual flag.
bool isNormalAccount = (userAccountControl & UserAccountControl.NORMAL_ACCOUNT) == UserAccountControl.NORMAL_ACCOUNT;
bool isAccountDisabled = (userAccountControl & UserAccountControl.ACCOUNTDISABLE) == UserAccountControl.ACCOUNTDISABLE;
bool isAccountLockedOut = (userAccountControl & UserAccountControl.LOCKOUT) == UserAccountControl.LOCKOUT;

You can also use it to build LDAP filters:

// To get a user that is disabled.
string disabledFilter = string.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(userAccountControl:1.2.840.113556.1.4.803:={1:D}))", accountName, UserAccountControl.ACCOUNTDISABLE);

// To get a user that is not disabled.
string enabledFilter = string.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(!(userAccountControl:1.2.840.113556.1.4.803:={1:D})))", accountName, UserAccountControl.ACCOUNTDISABLE);

See also Active Directory: LDAP Syntax Filters for examples of common Active Directory LDAP filters.

Here is the enum definition you want:

/// <summary>
/// Flags that control the behavior of the user account.
/// </summary>
[Flags()]
public enum UserAccountControl : int
{
    /// <summary>
    /// The logon script is executed. 
    ///</summary>
    SCRIPT = 0x00000001,

    /// <summary>
    /// The user account is disabled. 
    ///</summary>
    ACCOUNTDISABLE = 0x00000002,

    /// <summary>
    /// The home directory is required. 
    ///</summary>
    HOMEDIR_REQUIRED = 0x00000008,

    /// <summary>
    /// The account is currently locked out. 
    ///</summary>
    LOCKOUT = 0x00000010,

    /// <summary>
    /// No password is required. 
    ///</summary>
    PASSWD_NOTREQD = 0x00000020,

    /// <summary>
    /// The user cannot change the password. 
    ///</summary>
    /// <remarks>
    /// Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute.
    /// For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
    /// </remarks>
    PASSWD_CANT_CHANGE = 0x00000040,

    /// <summary>
    /// The user can send an encrypted password. 
    ///</summary>
    ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080,

    /// <summary>
    /// This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not 
    /// to any domain that trusts this domain. Also known as a local user account. 
    ///</summary>
    TEMP_DUPLICATE_ACCOUNT = 0x00000100,

    /// <summary>
    /// This is a default account type that represents a typical user. 
    ///</summary>
    NORMAL_ACCOUNT = 0x00000200,

    /// <summary>
    /// This is a permit to trust account for a system domain that trusts other domains. 
    ///</summary>
    INTERDOMAIN_TRUST_ACCOUNT = 0x00000800,

    /// <summary>
    /// This is a computer account for a computer that is a member of this domain. 
    ///</summary>
    WORKSTATION_TRUST_ACCOUNT = 0x00001000,

    /// <summary>
    /// This is a computer account for a system backup domain controller that is a member of this domain. 
    ///</summary>
    SERVER_TRUST_ACCOUNT = 0x00002000,

    /// <summary>
    /// Not used. 
    ///</summary>
    Unused1 = 0x00004000,

    /// <summary>
    /// Not used. 
    ///</summary>
    Unused2 = 0x00008000,

    /// <summary>
    /// The password for this account will never expire. 
    ///</summary>
    DONT_EXPIRE_PASSWD = 0x00010000,

    /// <summary>
    /// This is an MNS logon account. 
    ///</summary>
    MNS_LOGON_ACCOUNT = 0x00020000,

    /// <summary>
    /// The user must log on using a smart card. 
    ///</summary>
    SMARTCARD_REQUIRED = 0x00040000,

    /// <summary>
    /// The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service 
    /// can impersonate a client requesting the service. 
    ///</summary>
    TRUSTED_FOR_DELEGATION = 0x00080000,

    /// <summary>
    /// The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation. 
    ///</summary>
    NOT_DELEGATED = 0x00100000,

    /// <summary>
    /// Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. 
    ///</summary>
    USE_DES_KEY_ONLY = 0x00200000,

    /// <summary>
    /// This account does not require Kerberos pre-authentication for logon. 
    ///</summary>
    DONT_REQUIRE_PREAUTH = 0x00400000,

    /// <summary>
    /// The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy. 
    ///</summary>
    PASSWORD_EXPIRED = 0x00800000,

    /// <summary>
    /// The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly 
    /// controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to 
    /// other remote servers on the network.
    ///</summary>
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000,

    /// <summary>
    /// 
    /// </summary>
    PARTIAL_SECRETS_ACCOUNT = 0x04000000,

    /// <summary>
    /// 
    /// </summary>
    USE_AES_KEYS = 0x08000000
}
answered 2016-09-26T18:35:27.793
0

If you are using samAccountName or any other identity field.. it is simpler to use the UserPrincipal.FindByIdentity method. And use a hybrid of Leandro López's and Deepti's approaches. Both of their approaches are very good.. but very narrow. More details on this flag are available on MSDN

answered 2011-03-31T17:39:40.963