What is the best way to lock an Active Directory user object using System.DirectoryServices.AccountManagement? I'm able to determine whether an account is locked:

    UserPrincipal principal = new UserPrincipal(context);
    bool locked = principal.IsAccountLockedOut();

How do I lock the account? Is there any alternative to doing something like this...

    UserPrincipal principal = new UserPrincipal(context);
    DirectoryEntry entry = (DirectoryEntry)principal.GetUnderlyingObject();
    int val = (int)entry.Properties["userAccountControl"].Value;
    entry.Properties["userAccountControl"].Value = val | 0x0010;
    entry.CommitChanges();

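Answer 0 (score: 3)

By definition, the lock property is read-only, for the following reason:

The definition of this property would be something like: "automatically lock the user account when an invalid password is supplied several times" (how many times? I guess that is set in a GPO).

Giving developers a way to change this property would conflict with the definition above... so you shouldn't set this value, and I think the AD security mechanism will prevent you from doing so.

However, you can enable\disable the user, which I think is closer to what you want.

Hope this helps.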
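
An added illustration of the enable/disable route this answer mentions (not code from any answer on this page): with System.DirectoryServices.AccountManagement the lockout state can be read and cleared, while an administrator blocks sign-in by disabling the account. The domain `corp.example.com` and the account name `jdoe` are placeholders.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

static class AccountContainment
{
    // Looks the user up by sAMAccountName; returns null when no such user exists.
    static UserPrincipal Find(PrincipalContext context, string samAccountName)
    {
        return UserPrincipal.FindByIdentity(
            context, IdentityType.SamAccountName, samAccountName);
    }

    // Administrative block: disable the account. Returns false if the user is missing.
    public static bool Disable(PrincipalContext context, string samAccountName)
    {
        using (UserPrincipal user = Find(context, samAccountName))
        {
            if (user == null) return false;
            // Lockout is driven by the domain lockout policy; here it is only read.
            Console.WriteLine("Locked out: {0}, lockout time: {1}",
                user.IsAccountLockedOut(), user.AccountLockoutTime);
            user.Enabled = false;   // sets ACCOUNTDISABLE in userAccountControl
            user.Save();            // persists the change to the directory
            return true;
        }
    }

    // Clears an existing lockout. Returns false if the user is missing.
    public static bool Unlock(PrincipalContext context, string samAccountName)
    {
        using (UserPrincipal user = Find(context, samAccountName))
        {
            if (user == null) return false;
            if (user.IsAccountLockedOut())
                user.UnlockAccount();
            return true;
        }
    }

    static void Main()
    {
        // Placeholder domain and account; the caller needs rights to modify the user.
        using (var context = new PrincipalContext(ContextType.Domain, "corp.example.com"))
        {
            Console.WriteLine("Disabled: {0}", Disable(context, "jdoe"));
            Console.WriteLine("Unlock attempted: {0}", Unlock(context, "jdoe"));
        }
    }
}
```
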
Answer 1 (score: 1)

This code can be used to lock a user in AD:

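    /// <summary>
    /// Locks a user account
    /// </summary>
    /// <param name="userName">The name of the user whose account you want to unlock</param>
    /// <remarks>
    /// This actually tries to log the user in with a wrong password.
    /// This in turn will lock the user out
    /// </remarks>
    public void LockAccount(string userName)
    {
        // GetUser is a helper that is not shown in this answer; it is expected
        // to return the DirectoryEntry for the named user.
        DirectoryEntry user = GetUser(userName);
        string path = user.Path;
        string badPassword = "SomeBadPassword";
        int maxLoginAttempts = 10;
        for (int i = 0; i < maxLoginAttempts; i++)
        {
            try
            {
                // Each bind with the wrong password counts as a failed logon.
                new DirectoryEntry(path, userName, badPassword).RefreshCache();
            }
            catch (Exception)
            {
                // The bind is expected to fail; the exception is ignored on purpose.
            }
        }
        user.Close();
    }
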
Answer 2 (score: 0)

CodeProject's Everything AD article has some sample code on unlocking an account. I'm not sure this will give you what you need.

    public void Unlock(string userDn)
    {
        try
        {
            DirectoryEntry uEntry = new DirectoryEntry(userDn);
            uEntry.Properties["LockOutTime"].Value = 0; //unlock account
            uEntry.CommitChanges(); //may not be needed but adding it anyways
            uEntry.Close();
        }
        catch (System.DirectoryServices.DirectoryServicesCOMException E)
        {
            //DoSomethingWith --> E.Message.ToString();
        }
    }

Answer 3 (score: 0)

There is a good example here: http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C#45

Answer 4 (score: 0)

Using the UserFlags property we can get the user's lock status; here is my answer.

entryPC is a DirectoryEntry object; here we pass the Active Directory entry path.

    public bool IsLocked(DirectoryEntry entryPC)
    {
        if (entryPC.NativeGuid == null)
        {
            return false;
        }
        int flags = (int)entryPC.Properties["UserFlags"].Value;
        // 0x0010 is the lockout bit of the user flags.
        return Convert.ToBoolean(flags & 0x0010);
    }