How do I check whether a computer account is disabled in Active Directory using C#/.NET?
Answer 0 (score: 26)
Try this:
using System;
using System.DirectoryServices;

class Program
{
    static void Main(string[] args)
    {
        const string ldap = "LDAP://your-ldap-server-here";
        using (DirectoryEntry conn = new DirectoryEntry(ldap))
        {
            using (DirectorySearcher searcher = new DirectorySearcher(conn))
            {
                searcher.Filter = "(|(samAccountName=userA)(samAccountName=userB))";
                searcher.PropertiesToLoad.Add("samAccountName");
                searcher.PropertiesToLoad.Add("userAccountControl");
                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult result in results)
                    {
                        int userAccountControl = Convert.ToInt32(result.Properties["userAccountControl"][0]);
                        string samAccountName = Convert.ToString(result.Properties["samAccountName"][0]);
                        // Bit 0x2 (ADS_UF_ACCOUNTDISABLE) is set when the account is disabled.
                        bool disabled = ((userAccountControl & 2) > 0);
                        Console.WriteLine("{0} ({1:x}) :: {2}", samAccountName, userAccountControl, disabled);
                    }
                }
            }
        }
        Console.ReadLine();
    }
}
If the account is disabled, the second bit of userAccountControl will be 1.
Answer 1 (score: 7)
Answer 2 (score: 6)
If you are using .NET 3.5, you can use the new System.DirectoryServices.AccountManagement namespace methods to access Active Directory more easily. The UserPrincipal object has an Enabled property that gives you what you need.
The January 2008 issue of MSDN Magazine has a good overview of these routines. You can read the article online here: Managing Directory Security Principals in the .NET Framework 3.5
Answer 3 (score: 4)
Leandro López's answer is cool and it works... another option is that we can do a LINQ query on userAccountControl with the value for disabled. The values for userAccountControl are:
512 - Enabled Account
514 - Disabled Account
544 - Enabled, Password Not Required
546 - Disabled, Password Not Required
66048 - Enabled, Password Doesn't Expire
66050 - Disabled, Password Doesn't Expire
66080 - Enabled, Password Doesn't Expire & Not Required
66082 - Disabled, Password Doesn't Expire & Not Required
262656 - Enabled, Smartcard Required
262658 - Disabled, Smartcard Required
262688 - Enabled, Smartcard Required, Password Not Required
262690 - Disabled, Smartcard Required, Password Not Required
328192 - Enabled, Smartcard Required, Password Doesn't Expire
328194 - Disabled, Smartcard Required, Password Doesn't Expire
328224 - Enabled, Smartcard Required, Password Doesn't Expire & Not Required
328226 - Disabled, Smartcard Required, Password Doesn't Expire & Not Required
Answer 4 (score: 3)
Rather than checking bits, adding:
(userAccountControl:1.2.840.113556.1.4.803:=2)
to your filter should return only disabled users. Of course,
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
will ensure the users are not disabled, if you'd rather go that route.
Answer 5 (score: 2)
// Requires: using System; using System.DirectoryServices;
const int ADS_UF_ACCOUNTDISABLE = 0x00000002;
DirectoryEntry de = new DirectoryEntry();
de.Path = "LDAP://companyname.com";
DirectorySearcher objADSearcher = new DirectorySearcher(de);
de.AuthenticationType = AuthenticationTypes.Secure;
objADSearcher.SearchRoot = de;
objADSearcher.Filter = "(SAMAccountName=" + TextBox1.Text + ")";
SearchResult results = objADSearcher.FindOne();
// FindOne() returns null when no entry matches the filter.
if (results != null)
{
    int flags = Convert.ToInt32(results.Properties["userAccountControl"][0].ToString());
    // For reference: results.Properties["userAccountControl"][0].ToString() equals "514";
    if (Convert.ToBoolean(flags & ADS_UF_ACCOUNTDISABLE))
    {
        Response.Write("Account Disabled");
    }
}
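As an added example, not code from any of the answers above: the same ACCOUNTDISABLE check aimed at the question's actual subject, a computer account, with the caller-supplied name escaped per RFC 4515 before it is placed in the filter. The answer above concatenates the text box value into the filter unescaped, so a name containing `)` or `*` changes what the filter matches; the escape below keeps it a literal value. `ComputerAccountCheck`, `ldapPath` and `computerName` are assumed names.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Hypothetical helper: checks a computer account (the question's subject) rather than a user.
static class ComputerAccountCheck
{
    const int ADS_UF_ACCOUNTDISABLE = 0x00000002;

    // Escape the special characters defined by RFC 4515 so a caller-supplied name is
    // always treated as a literal value and can never change the filter's structure.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Computer accounts carry a trailing '$' in sAMAccountName, which callers often omit.
    public static string BuildFilter(string computerName)
    {
        string sam = EscapeFilterValue(computerName.TrimEnd('$')) + "$";
        return "(&(objectCategory=computer)(sAMAccountName=" + sam + "))";
    }

    // Returns true/false for the ACCOUNTDISABLE bit, or null when no such computer exists.
    public static bool? IsDisabled(string ldapPath, string computerName)
    {
        using (var root = new DirectoryEntry(ldapPath) { AuthenticationType = AuthenticationTypes.Secure })
        using (var searcher = new DirectorySearcher(root, BuildFilter(computerName), new[] { "userAccountControl" }))
        {
            SearchResult result = searcher.FindOne();   // null when nothing matched
            if (result == null || result.Properties["userAccountControl"].Count == 0)
                return null;
            int uac = Convert.ToInt32(result.Properties["userAccountControl"][0]);
            return (uac & ADS_UF_ACCOUNTDISABLE) != 0;
        }
    }
}
```

For the constructed input `"WS01)(objectClass=*"`, `BuildFilter` yields `(&(objectCategory=computer)(sAMAccountName=WS01\29\28objectClass=\2a$))`, so the injected clause is matched literally instead of being parsed as part of the filter.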
Answer 6 (score: 0)
If you are using samAccountName or any other Identity field, it is simpler to use the UserPrincipal.FindByIdentity method, and to use a mix of Leandro López's and Deepti's approaches. Both of their approaches are good.. but very narrow. See MSDN for more details on this flag.
Answer 7 (score: 0)
You can easily decode the userAccountControl attribute by casting the result to an enum.
int userAccountControlValue = 544;
UserAccountControl userAccountControl = (UserAccountControl) userAccountControlValue;
// This gets a comma separated string of the flag names that apply.
string userAccountControlFlagNames = userAccountControl.ToString();
// This is how you test for an individual flag.
bool isNormalAccount = (userAccountControl & UserAccountControl.NORMAL_ACCOUNT) == UserAccountControl.NORMAL_ACCOUNT;
bool isAccountDisabled = (userAccountControl & UserAccountControl.ACCOUNTDISABLE) == UserAccountControl.ACCOUNTDISABLE;
bool isAccountLockedOut = (userAccountControl & UserAccountControl.LOCKOUT) == UserAccountControl.LOCKOUT;
You can also use it to build LDAP filters:
// accountName holds the sAMAccountName being looked up.
// To get a user that is disabled.
string ldapFilter = string.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(userAccountControl:1.2.840.113556.1.4.803:={1:D}))", accountName, UserAccountControl.ACCOUNTDISABLE);
// To get a user that is not disabled.
ldapFilter = string.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(!(userAccountControl:1.2.840.113556.1.4.803:={1:D})))", accountName, UserAccountControl.ACCOUNTDISABLE);
For examples of commonly used Active Directory LDAP filters, see Active Directory: LDAP Syntax Filters.
Here is the enum definition you want:
/// <summary>
/// Flags that control the behavior of the user account.
/// </summary>
[Flags()]
public enum UserAccountControl : int
{
    /// <summary>
    /// The logon script is executed.
    /// </summary>
    SCRIPT = 0x00000001,
    /// <summary>
    /// The user account is disabled.
    /// </summary>
    ACCOUNTDISABLE = 0x00000002,
    /// <summary>
    /// The home directory is required.
    /// </summary>
    HOMEDIR_REQUIRED = 0x00000008,
    /// <summary>
    /// The account is currently locked out.
    /// </summary>
    LOCKOUT = 0x00000010,
    /// <summary>
    /// No password is required.
    /// </summary>
    PASSWD_NOTREQD = 0x00000020,
    /// <summary>
    /// The user cannot change the password.
    /// </summary>
    /// <remarks>
    /// Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute.
    /// For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
    /// </remarks>
    PASSWD_CANT_CHANGE = 0x00000040,
    /// <summary>
    /// The user can send an encrypted password.
    /// </summary>
    ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080,
    /// <summary>
    /// This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not
    /// to any domain that trusts this domain. Also known as a local user account.
    /// </summary>
    TEMP_DUPLICATE_ACCOUNT = 0x00000100,
    /// <summary>
    /// This is a default account type that represents a typical user.
    /// </summary>
    NORMAL_ACCOUNT = 0x00000200,
    /// <summary>
    /// This is a permit to trust account for a system domain that trusts other domains.
    /// </summary>
    INTERDOMAIN_TRUST_ACCOUNT = 0x00000800,
    /// <summary>
    /// This is a computer account for a computer that is a member of this domain.
    /// </summary>
    WORKSTATION_TRUST_ACCOUNT = 0x00001000,
    /// <summary>
    /// This is a computer account for a system backup domain controller that is a member of this domain.
    /// </summary>
    SERVER_TRUST_ACCOUNT = 0x00002000,
    /// <summary>
    /// Not used.
    /// </summary>
    Unused1 = 0x00004000,
    /// <summary>
    /// Not used.
    /// </summary>
    Unused2 = 0x00008000,
    /// <summary>
    /// The password for this account will never expire.
    /// </summary>
    DONT_EXPIRE_PASSWD = 0x00010000,
    /// <summary>
    /// This is an MNS logon account.
    /// </summary>
    MNS_LOGON_ACCOUNT = 0x00020000,
    /// <summary>
    /// The user must log on using a smart card.
    /// </summary>
    SMARTCARD_REQUIRED = 0x00040000,
    /// <summary>
    /// The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service
    /// can impersonate a client requesting the service.
    /// </summary>
    TRUSTED_FOR_DELEGATION = 0x00080000,
    /// <summary>
    /// The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
    /// </summary>
    NOT_DELEGATED = 0x00100000,
    /// <summary>
    /// Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
    /// </summary>
    USE_DES_KEY_ONLY = 0x00200000,
    /// <summary>
    /// This account does not require Kerberos pre-authentication for logon.
    /// </summary>
    DONT_REQUIRE_PREAUTH = 0x00400000,
    /// <summary>
    /// The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
    /// </summary>
    PASSWORD_EXPIRED = 0x00800000,
    /// <summary>
    /// The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly
    /// controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to
    /// other remote servers on the network.
    /// </summary>
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000,
    /// <summary>
    ///
    /// </summary>
    PARTIAL_SECRETS_ACCOUNT = 0x04000000,
    /// <summary>
    ///
    /// </summary>
    USE_AES_KEYS = 0x08000000
}