We have an intranet ASP.NET 4.0 application that uses Forms authentication, with employees authenticating against Active Directory to log in.
We need to lock users out of AD after too many failed password attempts (the number is set in the domain policy).
Right now users only get locked out of the application, not out of AD. We need them locked out in AD, so that they have to call the help desk to be unlocked.
I saw this http://msdn.microsoft.com/en-us/library/ms998360.aspx, which states under "Account Lockout" that ActiveDirectoryMembershipProvider locks the user out of the provider but not out of AD.
But how do we lock the user out in AD?
web.config:
<membership defaultProvider="MyADMembershipProvider">
    <providers>
        <!-- Service credentials used to bind to AD are stored in clear text here;
             the <membership> section can be encrypted with aspnet_regiis -pe. -->
        <add name="MyADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="administrator"
             connectionPassword="passw0rd"
             attributeMapUsername="sAMAccountName" />
    </providers>
</membership>
Login.aspx:
<asp:Login ID="Login1" runat="server" DisplayRememberMe="False"
           FailureText="Wrong user name or password."
           DestinationPageUrl="~/User.aspx"
           OnLoggedIn="Login1_LoggedIn"
           OnLoginError="Login1_LoginError">
</asp:Login>
Login.aspx.cs:
using System;
using System.Web.Security;

protected void Login1_LoginError(object sender, EventArgs e)
{
    string userName = Login1.UserName;
    if (!string.IsNullOrEmpty(userName))
    {
        // Get information about this user from the configured membership provider
        MembershipUser usr = Membership.GetUser(userName);
        if (usr != null)
        {
            // check to see if the error occurred because they are not approved
            if (!usr.IsApproved)
            {
                Login1.FailureText = "Your account has not yet been approved by an administrator.";
            }
            // check to see if user is currently locked out
            // (IsLockedOut reflects the provider's own lockout, not the AD account state)
            else if (usr.IsLockedOut)
            {
                Login1.FailureText = "You have been locked out of your account due to too many failed passwords. Call help desk to unlock it.";
            }
        }
    }
}
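An added example, not part of the question and not code from the ASP.NET provider: it reads the lockout state that the domain itself keeps for an account, so the error handler can tell the provider's lockout (MembershipUser.IsLockedOut) apart from an AD lockout. It assumes a domain named corp.example and a service account svc-web that can read user objects; both names and the password are placeholders.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public sealed class AdLockoutStatus
{
    public bool Exists;                       // account found in the directory
    public bool IsLockedOut;                  // lockoutTime set and still within the lockout duration
    public int BadLogonCount;                 // badPwdCount as seen by the queried domain controller
    public DateTime? LastBadPasswordAttempt;  // badPasswordTime, or null if never
}

public static class AdAccountChecks
{
    // Queries the AD account state directly; this is independent of the
    // ActiveDirectoryMembershipProvider's own per-provider lockout counter.
    // Caveat: badPwdCount is not replicated between domain controllers, so the
    // count returned depends on which DC answered; lockoutTime is replicated.
    public static AdLockoutStatus GetLockoutStatus(string domain, string samAccountName,
                                                   string serviceUser, string servicePassword)
    {
        var status = new AdLockoutStatus();
        using (var ctx = new PrincipalContext(ContextType.Domain, domain, serviceUser, servicePassword))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                return status;                // Exists stays false; nothing else is revealed
            status.Exists = true;
            status.IsLockedOut = user.IsAccountLockedOut();
            status.BadLogonCount = user.BadLogonCount;
            status.LastBadPasswordAttempt = user.LastBadPasswordAttempt;
        }
        return status;
    }
}

// Usage inside Login1_LoginError, after the provider-side IsLockedOut check
// (placeholder domain, service account and password):
//
//   var ad = AdAccountChecks.GetLockoutStatus("corp.example", userName, "svc-web", "<service-password>");
//   if (ad.Exists && ad.IsLockedOut)
//   {
//       Login1.FailureText = "Your domain account is locked. Call help desk to unlock it.";
//   }
```

The provider's lockout and the domain's lockout are tracked separately, so a handler that only inspects MembershipUser.IsLockedOut cannot see whether the domain policy has already locked the account.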