I was able to get the part of the code that disables the account working, but to keep our AD tree cleaner we have a purpose-built !Disabled OU. I would like my code to disable the computer account and move it into the !Disabled OU at the same time.
Here is what I have so far:
// Needs references to System.DirectoryServices and System.DirectoryServices.AccountManagement
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

string computerName = Environment.MachineName;
using (PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, null, "username", "password"))
{
    ComputerPrincipal computer = ComputerPrincipal.FindByIdentity(domainContext, computerName);
    if (computer != null)
    {
        try
        {
            // Step 1: disable the account and commit the change.
            computer.Enabled = false;
            label3.Visible = true;
            computer.Save();
            label3.Text = "Computer was disabled in Active Directory." + "\n";
            try
            {
                // Step 2: locate the computer object by searching the domain root.
                string LdapDomain = "prefix.domain.suffix";
                string distinguishedName = string.Empty;
                string connectionPrefix = "LDAP://" + LdapDomain;
                using (DirectoryEntry entry = new DirectoryEntry(connectionPrefix))
                using (DirectorySearcher mySearcher = new DirectorySearcher(entry))
                {
                    // "dn" is not a searchable attribute in AD; matching on cn is enough for a computer object.
                    mySearcher.Filter = "(&(objectClass=computer)(cn=" + computerName + "))";
                    SearchResult result = mySearcher.FindOne();
                    if (result == null)
                    {
                        label3.Text += ("Unable to locate the distinguishedName for the object " + computerName + " in the " + LdapDomain + " domain." + "\n");
                    }
                    else
                    {
                        using (DirectoryEntry directoryObject = result.GetDirectoryEntry())
                        {
                            distinguishedName = "LDAP://" + directoryObject.Properties["distinguishedName"].Value;
                            label3.Text += ("Distinguished name is " + distinguishedName + "\n");

                            // Step 3: bind the destination container. The destination must also be
                            // bound through the LDAP:// provider; a bare DN is not a valid ADsPath and
                            // MoveTo() fails with an "object not found"-style error when given one.
                            string newLocation = "OU=!Disabled,DC=prefix,DC=domain,DC=suffix";
                            using (DirectoryEntry moveParent = new DirectoryEntry("LDAP://" + newLocation))
                            {
                                //directoryObject.MoveTo(moveParent, directoryObject.Name);
                                directoryObject.MoveTo(moveParent); // Comes from Microsoft example; keeps the existing RDN (CN=...)
                                label3.Text += ("Successfully moved computer to the !Disabled OU");
                            }
                        }
                    }
                }
                button1.Visible = true;
            }
            catch (Exception p)
            {
                label3.Text += ("Failed to move computer with exception " + p);
                button1.Visible = true;
            }
            /*
            public void Move(string objectLocation, string newLocation)
            {
                //For brevity, removed existence checks
                DirectoryEntry eLocation = new DirectoryEntry("LDAP://" + objectLocation);
                DirectoryEntry nLocation = new DirectoryEntry("LDAP://" + newLocation);
                string newName = eLocation.Name;
                eLocation.MoveTo(nLocation, newName);
                nLocation.Close();
                eLocation.Close();
            }
            */
        }
        catch (Exception x)
        {
            label3.Visible = true;
            label3.Text = "Unable to disable computer with exception " + x;
            button1.Visible = true;
        }
    }
    else
    {
        // FindByIdentity returns null when no matching account exists.
        label3.Visible = true;
        label3.Text = "Computer was not found in Active Directory.";
        button1.Visible = true;
    }
}
The display side is very sloppy, but it is a quick and dirty Windows Forms app that shows everything that is happening. The problem I am running into is that even though I have the distinguished name and can get the DirectoryEntry object from the search, when I call the MoveTo() method I get an error about the object not being found. Can anyone point me in the right direction?
I have considered binding to the two different OUs and using the DirectoryEntry.Children.Add() and DirectoryEntry.Children.Remove() methods as a workaround, but that does not solve my problem of traversing AD.
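The following is an added example, not the asker's code, showing the same disable-and-move operation done without a second search: ComputerPrincipal already wraps the object's DirectoryEntry, so the DN is available directly, and the destination is bound through the LDAP:// provider and checked for existence before the move. The domain name "prefix.domain.suffix", the OU DN "OU=!Disabled,DC=prefix,DC=domain,DC=suffix", the class name DisabledComputerMover and the helper names are assumptions; the FindComputerDn helper is included only to show the asker's DirectorySearcher approach with the filter value escaped.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Text;

// Added example; class and method names are hypothetical.
// Binds as the process identity unless credentials are passed to the constructors.
public static class DisabledComputerMover
{
    // Escapes the characters RFC 4515 reserves in LDAP filter values so that a
    // name taken from input can never change the shape of the query.
    public static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // The search the question performs, with the filter value escaped.
    // Returns the distinguishedName or null when no computer object matches.
    public static string FindComputerDn(string domain, string computerName)
    {
        using (var root = new DirectoryEntry("LDAP://" + domain))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=computer)(cn=" + EscapeLdapFilterValue(computerName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult result = searcher.FindOne();
            return result == null ? null : (string)result.Properties["distinguishedName"][0];
        }
    }

    // Disables the computer account and moves it into targetOuDn.
    // Returns the object's distinguishedName after the move.
    public static string DisableAndMove(string domain, string computerName, string targetOuDn)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var computer = ComputerPrincipal.FindByIdentity(ctx, computerName))
        {
            if (computer == null)
                throw new InvalidOperationException("Computer account not found: " + computerName);

            // Step 1: disable and commit.
            computer.Enabled = false;
            computer.Save();

            // Step 2: the principal already wraps the AD object, so no second search is needed.
            var entry = (DirectoryEntry)computer.GetUnderlyingObject();
            string oldDn = (string)entry.Properties["distinguishedName"].Value;

            // Step 3: bind the destination through the LDAP:// provider and confirm it
            // exists before moving; a bare DN is not a valid ADsPath.
            string targetPath = "LDAP://" + domain + "/" + targetOuDn;
            if (!DirectoryEntry.Exists(targetPath))
                throw new InvalidOperationException("Target OU does not exist: " + targetOuDn);

            using (var target = new DirectoryEntry(targetPath))
            {
                entry.MoveTo(target); // keeps the existing RDN (CN=<name>)
                entry.RefreshCache(new[] { "distinguishedName" });
                string newDn = (string)entry.Properties["distinguishedName"].Value;
                Console.WriteLine("Moved {0} -> {1}", oldDn, newDn);
                return newDn;
            }
        }
    }

    public static void Main()
    {
        // Placeholder domain and OU from the question; adjust for the real environment.
        string newDn = DisableAndMove("prefix.domain.suffix", Environment.MachineName,
                                      "OU=!Disabled,DC=prefix,DC=domain,DC=suffix");
        Console.WriteLine("New DN: " + newDn);
    }
}
```

GetUnderlyingObject() reuses whatever credentials the PrincipalContext was opened with, whereas the target DirectoryEntry binds as the process identity; if the move must run under a different account, pass the username and password to the DirectoryEntry(path, username, password) constructor for the target as well. The account performing the move needs delete-child rights on the source container and create-child rights on the destination OU, and the disable must be saved before the move so a failed move still leaves the account disabled.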