我在网站上搜索了相关信息,发现了这个: ASP.NET C# Active Directory - See how long before a user's password expires
解释了如何根据域策略获取密码到期时的值。
我的问题是:如果用户的OU组策略具有不同的MaxPasswordAge值,会覆盖域组策略中指定的值,该怎么办?如何以编程方式获取OU的组策略对象?
编辑:为了使这个问题更加清晰,我正在添加此编辑。我所追求的是能够告诉用户的密码何时到期。据我所知,日期值可以由域本地策略或组对象策略控制。我有一个Linq2DirectoryService Provider,它将Linq转换为Ldap查询。因此,获取日期到期值的LDAP查询对于此subj将是最佳的。如果你回答包括.net所支持的包装器的对象包含在这个等式中 - 它将是一个死的答案!
答案 0 :(得分:15)
让我从包含Visual Basic和VBScript示例的http://support.microsoft.com/kb/323750开始,以及http://www.anitkb.com/2010/03/how-to-implement-active-directory.html,其中概述了maxPwdAge OU设置如何影响计算机,而不是用户。它还有一条注释,指向AloInfo.exe作为MS的工具,可用于获取密码年龄。
以下是示例:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.DirectoryServices;
namespace LDAP
{
class Program
{
static void Main(string[] args)
{
string domainAndUsername = string.Empty;
string domain = string.Empty;
string userName = string.Empty;
string passWord = string.Empty;
AuthenticationTypes at = AuthenticationTypes.Anonymous;
StringBuilder sb = new StringBuilder();
domain = @"LDAP://w.x.y.z";
domainAndUsername = @"LDAP://w.x.y.z/cn=Lawrence E."+
" Smithmier\, Jr.,cn=Users,dc=corp,"+
"dc=productiveedge,dc=com";
userName = "Administrator";
passWord = "xxxpasswordxxx";
at = AuthenticationTypes.Secure;
DirectoryEntry entry = new DirectoryEntry(
domain, userName, passWord, at);
DirectorySearcher mySearcher = new DirectorySearcher(entry);
SearchResultCollection results;
string filter = "maxPwdAge=*";
mySearcher.Filter = filter;
results = mySearcher.FindAll();
long maxDays = 0;
if(results.Count>=1)
{
Int64 maxPwdAge=(Int64)results[0].Properties["maxPwdAge"][0];
maxDays = maxPwdAge/-864000000000;
}
DirectoryEntry entryUser = new DirectoryEntry(
domainAndUsername, userName, passWord, at);
mySearcher = new DirectorySearcher(entryUser);
results = mySearcher.FindAll();
long daysLeft=0;
if (results.Count >= 1)
{
var lastChanged = results[0].Properties["pwdLastSet"][0];
daysLeft = maxDays - DateTime.Today.Subtract(
DateTime.FromFileTime((long)lastChanged)).Days;
}
Console.WriteLine(
String.Format("You must change your password within"+
" {0} days"
, daysLeft));
Console.ReadLine();
}
}
}
答案 1 :(得分:10)
以下代码可以帮助我获取域和本地用户帐户的密码到期日期:
public static DateTime GetPasswordExpirationDate(string userId, string domainOrMachineName)
{
using (var userEntry = new DirectoryEntry("WinNT://" + domainOrMachineName + '/' + userId + ",user"))
{
return (DateTime)userEntry.InvokeGet("PasswordExpirationDate");
}
}
答案 2 :(得分:3)
使用以下方法获取帐户的到期日期 -
public static DateTime GetPasswordExpirationDate(string userId)
{
string forestGc = String.Format("GC://{0}", Forest.GetCurrentForest().Name);
var searcher = new DirectorySearcher();
searcher = new DirectorySearcher(new DirectoryEntry(forestGc));
searcher.Filter = "(sAMAccountName=" + userId + ")";
var results = searcher.FindOne().GetDirectoryEntry();
return (DateTime)results.InvokeGet("PasswordExpirationDate");
}
答案 3 :(得分:1)
以前的一些答案依赖于DirectoryEntry.InvokeGet方法which MS says should not be used。所以这是另一种方法:
public static DateTime GetPasswordExpirationDate(UserPrincipal user)
{
DirectoryEntry deUser = (DirectoryEntry)user.GetUnderlyingObject();
ActiveDs.IADsUser nativeDeUser = (ActiveDs.IADsUser)deUser.NativeObject;
return nativeDeUser.PasswordExpirationDate;
}
您需要添加对通常位于C:\ Windows \ System32 \ activeds.tlb的ActiveDS COM库的引用。