查找是否在AD中启用或禁用了用户帐户

Question

我需要查找是否在AD中启用或禁用了用户帐户。

我找不到旗帜或财产＆＃34; userAccountControl＆＃34; 。 这可以使用USERPRINCIPAL类来实现吗？

.gitignore

此致

Answer 1

如果您只是需要了解用户是启用还是禁用，您可以通过以下方式更简单地完成：

PrincipalContext context = new PrincipalContext(ContextType.Domain);
UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, searchTextBox.Text.Trim());

if(user.Enabled == true) MessageBox.Show("Account enabled!");
else MessageBox.Show("Account disabled!");

Answer 2

我没有测试过这个答案，但我相信它应该可行。

1）使用 -

获取目录条目对象

UserPrincipal qbeUser2 = new UserPrincipal(ctx2);
var dirEntry = qbeUser2.GetUnderlyingObject() as DirectoryEntry;

2）然后按 -

检查帐户停用状态

var status = IsAccountDisabled(dirEntry);
public static bool IsAccountDisabled(DirectoryEntry user)
        {
            string Uac = "userAccountControl";
            if (user.NativeGuid == null) return false;

            if (user.Properties[Uac] != null && user.Properties[Uac].Value != null)
            {
                var userFlags = (UserFlags)user.Properties[Uac].Value;
                return userFlags.Contains(UserFlags.AccountDisabled);
            }

            return false;
        }

3）以下是枚举 UserFlags -

[Flags]
public enum UserFlags
{
    // Reference - Chapter 10 (from The .NET Developer's Guide to Directory Services Programming)

    Script = 1,                                     // 0x1
    AccountDisabled = 2,                            // 0x2
    HomeDirectoryRequired = 8,                      // 0x8
    AccountLockedOut = 16,                          // 0x10
    PasswordNotRequired = 32,                       // 0x20
    PasswordCannotChange = 64,                      // 0x40
    EncryptedTextPasswordAllowed = 128,             // 0x80
    TempDuplicateAccount = 256,                     // 0x100
    NormalAccount = 512,                            // 0x200
    InterDomainTrustAccount = 2048,                 // 0x800
    WorkstationTrustAccount = 4096,                 // 0x1000
    ServerTrustAccount = 8192,                      // 0x2000
    PasswordDoesNotExpire = 65536,                  // 0x10000 (Also 66048 )
    MnsLogonAccount = 131072,                       // 0x20000
    SmartCardRequired = 262144,                     // 0x40000
    TrustedForDelegation = 524288,                  // 0x80000
    AccountNotDelegated = 1048576,                  // 0x100000
    UseDesKeyOnly = 2097152,                        // 0x200000
    DontRequirePreauth = 4194304,                   // 0x400000
    PasswordExpired = 8388608,                      // 0x800000 (Applicable only in Window 2000 and Window Server 2003)
    TrustedToAuthenticateForDelegation = 16777216,  // 0x1000000
    NoAuthDataRequired = 33554432                   // 0x2000000
}

更新

以下是在AD上测试的完整代码。它在我的测试中运行良好。

using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

namespace DisableUsers
{
internal class Program
{
    private static void Main()
    {
        const string sAMAccountName = "vikas"; // The sAMAccountName of AD user
        var principalContext = new PrincipalContext(ContextType.Domain, "domainNameHere", "AdminUser", "AdminPass");
        var userPrincipal = UserPrincipal.FindByIdentity(principalContext, sAMAccountName);

        if (userPrincipal != null)
        {
            var dirEntry = userPrincipal.GetUnderlyingObject() as DirectoryEntry;
            var status = IsAccountDisabled(dirEntry);
            Console.WriteLine(status ? "Account {0} is disabled." : "Account {0} is enabled.", sAMAccountName);
        }
        else
        {
            Console.WriteLine("No user found for sAMAccountName '{0}'.", sAMAccountName);
        }

        Console.ReadLine();
    }

    public static bool IsAccountDisabled(DirectoryEntry user)
    {
        const string uac = "userAccountControl";
        if (user.NativeGuid == null) return false;

        if (user.Properties[uac] != null && user.Properties[uac].Value != null)
        {
            var userFlags = (UserFlags)user.Properties[uac].Value;
            return userFlags.Contains(UserFlags.AccountDisabled);
        }

        return false;
    }
}

public static class UserFlagExtensions
{
    /// <summary>
    /// Check if flags contains the specific user flag. This method is more efficient compared to 'HasFlag()'.
    /// </summary>
    /// <param name="haystack">The bunch of flags</param>
    /// <param name="needle">The flag to look for.</param>
    /// <returns>Return true if flag found in flags.</returns>
    public static bool Contains(this UserFlags haystack, UserFlags needle)
    {
        return (haystack & needle) == needle;
    }
}

[Flags]
public enum UserFlags
{
    Script = 1,                                     // 0x1
    AccountDisabled = 2,                            // 0x2
    HomeDirectoryRequired = 8,                      // 0x8
    AccountLockedOut = 16,                          // 0x10
    PasswordNotRequired = 32,                       // 0x20
    PasswordCannotChange = 64,                      // 0x40
    EncryptedTextPasswordAllowed = 128,             // 0x80
    TempDuplicateAccount = 256,                     // 0x100
    NormalAccount = 512,                            // 0x200
    InterDomainTrustAccount = 2048,                 // 0x800
    WorkstationTrustAccount = 4096,                 // 0x1000
    ServerTrustAccount = 8192,                      // 0x2000
    PasswordDoesNotExpire = 65536,                  // 0x10000 (Also 66048 )
    MnsLogonAccount = 131072,                       // 0x20000
    SmartCardRequired = 262144,                     // 0x40000
    TrustedForDelegation = 524288,                  // 0x80000
    AccountNotDelegated = 1048576,                  // 0x100000
    UseDesKeyOnly = 2097152,                        // 0x200000
    DontRequirePreauth = 4194304,                   // 0x400000
    PasswordExpired = 8388608,                      // 0x800000 (Applicable only in Window 2000 and Window Server 2003)
    TrustedToAuthenticateForDelegation = 16777216,  // 0x1000000
    NoAuthDataRequired = 33554432                   // 0x2000000
}
}