
Active Directory LDAP - Lock User Account

What is the preferred way to lock an Active Directory account?

int val = (int)directoryentry.Properties["userAccountControl"].Value;
directoryentry.Properties["userAccountControl"].Value = val | 0x0010;

vs.

directoryentry.InvokeSet("IsAccountLocked", true); 

Is there a better way?


Are you on .NET 3.5 (or can you upgrade to it)??

If so, check out the new System.DirectoryServices.AccountManagement namespace and all it has to offer! Excellent intro is the MSDN article Managing Directory Security Principals in the .NET Framework 3.5.

For your case, you'd have to get hold of a UserPrincipal some way, e.g.

PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "YOURDOMAIN");
UserPrincipal me = UserPrincipal.Current;

and then you have access to a plethora of really easy to use properties and methods - e.g.:

bool isLockedOut = me.IsAccountLockedOut();

and you can unlock a locked account using:

me.UnlockAccount();

MUCH easier than the plain old System.DirectoryServices stuff!


In fact, you have to perform a bitwise operation to set the correct bit to the appropriate value. In the link below, you will encounter the User Account Control Flags. So, you only have to perform the appropriate logical operation against the property to either lock or unlock the account.

The following link will interest you, I guess.

How to (almost) everything in AD

I shall add some sample C# code later on.

Here's the code suggested:

using System;

public class AdUser {
    // Local copy of the userAccountControl attribute value
    private int _userAccountControl;

    public bool IsLocked {
        get {
            // The flag is set when the masked value is non-zero
            return (_userAccountControl & (int)UserAccountControls.Lock) != 0;
        }
        set {
            if (value)
                _userAccountControl = _userAccountControl | (int)UserAccountControls.Lock;
            else
                // Must reverse all the bits in the filter when performing an And operation
                _userAccountControl = _userAccountControl & ~(int)UserAccountControls.Lock;
        }
    }

    [Flags]
    public enum UserAccountControls {
        Lock = 0x10
    }
}

Please consider that you may have to make some changes to this code, as I haven't tested it. But your code should look like this, or something close to it, for locking and unlocking the user account. Sooner or later, you will have to go with the DirectoryEntry.Properties[] to set it to the value in your object class.

EDIT

What is the preferred way to lock an Active Directory account?

   int val = (int)directoryentry.Properties["userAccountControl"].Value;  
   directoryentry.Properties["userAccountControl"].Value = val | 0x0010;

vs.

   directoryentry.InvokeSet("IsAccountLocked", true); 

In response to your question I put in my edit, I would say that these are the simplest ways, at least that I know. I prefer, as far as I'm concerned, to wrap those features like I approximately did in my code sample, so the other programmers do not have to care about the bitwise operations and so forth. For them, they're manipulating objects.

As for the best way between these two, I guess it's mostly a matter of preference. If you're at ease with logical operations, these are normally the preferred. By comparison though, the second choice is simpler to play with.

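The AccountManagement approach from the first answer, carried through as an added example (not code from either answer): it looks a user up by sAMAccountName instead of using UserPrincipal.Current, checks and clears a lockout, and blocks sign-in by disabling the account through Enabled, because UserPrincipal offers IsAccountLockedOut() and UnlockAccount() but no method that locks an account. The class and method names are made up for the example, "YOURDOMAIN" is the placeholder from the answer, and the account name "jdoe" is hypothetical.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class AccountStateTool
{
    // Reports the lockout state, clears a lockout if present,
    // and optionally disables the account.
    public static void Review(string domain, string samAccountName, bool disable)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(
                   ctx, IdentityType.SamAccountName, samAccountName))
        {
            // FindByIdentity returns null when no matching user exists.
            if (user == null)
            {
                Console.Error.WriteLine("No such user: " + samAccountName);
                return;
            }

            // Lockout is a state the directory records after failed logons;
            // here it is only read and cleared.
            if (user.IsAccountLockedOut())
            {
                Console.WriteLine("Locked out at: " + user.AccountLockoutTime);
                user.UnlockAccount();
            }

            // Disabling is a separate state from lockout and is the
            // property this API lets an administrator set directly.
            if (disable)
            {
                user.Enabled = false;
                user.Save();   // persist the property change
            }

            Console.WriteLine("Enabled: " + user.Enabled);
        }
    }

    public static void Main()
    {
        // Placeholder domain and hypothetical account name (assumptions).
        Review("YOURDOMAIN", "jdoe", disable: true);
    }
}
```

The process needs a reference to System.DirectoryServices.AccountManagement and directory permissions to unlock or modify the target account.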