使用C#,如何检查活动目录中是否禁用了计算机帐户?

时间:2009-02-26 17:55:07

标签: c# active-directory ldap

如何使用C#/。NET

检查Active Directory中是否禁用了计算机帐户

8 个答案:

答案 0 :(得分:26)

试试这个:

class Program
{
    static void Main(string[] args)
    {
        const string ldap = "LDAP://your-ldap-server-here";

        using (DirectoryEntry conn = new DirectoryEntry(ldap))
        {
            using (DirectorySearcher searcher = new DirectorySearcher(conn))
            {
                searcher.Filter = "(|(samAccountName=userA)(samAccountName=userB))";
                searcher.PropertiesToLoad.Add("samAccountName");
                searcher.PropertiesToLoad.Add("userAccountControl");

                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult result in results)
                    {
                        int userAccountControl = Convert.ToInt32(result.Properties["userAccountControl"][0]);
                        string samAccountName = Convert.ToString(result.Properties["samAccountName"][0]);
                        bool disabled = ((userAccountControl & 2) > 0);

                        Console.WriteLine("{0} ({1:x}) :: {2}", samAccountName, userAccountControl, disabled);
                    }
                }
            }
        }

        Console.ReadLine();
    }
}

如果帐户被停用,userAccountControl的第二位将为1。

答案 1 :(得分:7)

尝试此条目:

http://www.codeproject.com/KB/system/everythingInAD.aspx#42

您需要检查用户帐户控制标记。

答案 2 :(得分:6)

如果您使用的是.NET 3.5,则可以使用新的System.DirectoryServices.AccountManagment命名空间方法来更轻松地访问Active Directory。 UserPrincipal对象具有Enabled属性,可以为您提供所需内容。

2008年1月的MSDN杂志对这些例程有了很好的概述。您可以在此在线阅读该文章:Managing Directory Security Principals in the .NET Framework 3.5

答案 3 :(得分:4)

LeandroLópez的答案很酷且有效...另一个选择是我们可以为LINQ做一个 userAccountControl,其值为disable,禁用这些用途

来自userAccountControl的

是:

512启用帐户

514已禁用帐户

544已启用,密码不需要

546已禁用,密码不需要

66048已启用,密码未过期

66050已禁用,密码未过期

66080已启用,密码未过期&不需要

66082已禁用,密码未过期&不需要

262656已启用,需要智能卡

262658已停用,需要智能卡

262688已启用,需要智能卡,不需要密码

262690已禁用,需要智能卡,不需要密码

328192已启用,需要智能卡,密码未过期

328194已禁用,需要智能卡,密码不会过期

328224已启用,需要智能卡,密码未过期&不需要

328226禁用,需要智能卡,密码不会过期&不需要

答案 4 :(得分:3)

不检查位,添加:

(userAccountControl的:1.2.840.113556.1.4.803:= 2)

到您的过滤器应该只返回已禁用的用户。当然,

(userAccountControl的:1.2.840.113556.1.4.803:= 2)

将确保如果您更愿意使用该路线,则不会禁用用户。

答案 5 :(得分:2)

嘿,我终于明白了:) 这是我的代码希望它可以帮助你

const int ADS_UF_ACCOUNTDISABLE = 0x00000002;

        DirectoryEntry de = new DirectoryEntry();
        de.Path = "LDAP://companyname.com";
        DirectorySearcher objADSearcher = new DirectorySearcher(de);
        de.AuthenticationType = AuthenticationTypes.Secure;

        objADSearcher.SearchRoot = de;
        objADSearcher.Filter = "(SAMAccountName=" + TextBox1.Text + ")";
        SearchResult results = objADSearcher.FindOne();
        if (results.ToString() !="")
        {

           int flags= Convert.ToInt32(results.Properties["userAccountControl"][0].ToString());

//供参考                results.Properties [ “userAccountControl的”] [0]的ToString()等于( “514”);

           if (Convert.ToBoolean(flags & ADS_UF_ACCOUNTDISABLE))
           {
               Response.Write("Account Disabled");
           }

答案 6 :(得分:0)

如果您使用的是samAcountName或任何其他Identity字段,则使用UserPrincipal.FindByIdentity方法会更简单。并使用LeandroLópez和Deepti的混合方法。他们的方法都很好..但非常狭隘。 有关此标记的更多详细信息,请参见MSDN

答案 7 :(得分:0)

您可以通过将结果转换为枚举来轻松解码userAccountControl属性。

int userAccountControlValue = 544;
UserAccountControl userAccountControl = (UserAccountControl) userAccountControlValue;

// This gets a comma separated string of the flag names that apply.
string userAccountControlFlagNames = userAccountControl.ToString();

// This is how you test for an individual flag.
bool isNormalAccount = (userAccountControl & UserAccountControl.NORMAL_ACCOUNT) == UserAccountControl.NORMAL_ACCOUNT;
bool isAccountDisabled = (userAccountControl & UserAccountControl.ACCOUNTDISABLE) == UserAccountControl.ACCOUNTDISABLE;
bool isAccountLockedOut = (userAccountControl & UserAccountControl.LOCKOUT) == UserAccountControl.LOCKOUT;

您还可以使用它来构建LDAP过滤器:

// To get a user that is disabled.
string ldapFilter = string.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(userAccountControl:1.2.840.113556.1.4.803:={1:D}))", accountName, UserAccountControl.ACCOUNTDISABLE)

// To get a user that is not disabled.
string ldapFilter = string.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(!(userAccountControl:1.2.840.113556.1.4.803:={1:D})))", accountName, UserAccountControl.ACCOUNTDISABLE)

有关常用的Active Directory LDAP过滤器的示例,请参阅Active Directory: LDAP Syntax Filters

这是您想要的枚举定义:

/// <summary>
/// Flags that control the behavior of the user account.
/// </summary>
[Flags()]
public enum UserAccountControl : int
{
    /// <summary>
    /// The logon script is executed. 
    ///</summary>
    SCRIPT = 0x00000001,

    /// <summary>
    /// The user account is disabled. 
    ///</summary>
    ACCOUNTDISABLE = 0x00000002,

    /// <summary>
    /// The home directory is required. 
    ///</summary>
    HOMEDIR_REQUIRED = 0x00000008,

    /// <summary>
    /// The account is currently locked out. 
    ///</summary>
    LOCKOUT = 0x00000010,

    /// <summary>
    /// No password is required. 
    ///</summary>
    PASSWD_NOTREQD = 0x00000020,

    /// <summary>
    /// The user cannot change the password. 
    ///</summary>
    /// <remarks>
    /// Note:  You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. 
    /// For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
    // </remarks>
    PASSWD_CANT_CHANGE = 0x00000040,

    /// <summary>
    /// The user can send an encrypted password. 
    ///</summary>
    ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080,

    /// <summary>
    /// This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not 
    /// to any domain that trusts this domain. Also known as a local user account. 
    ///</summary>
    TEMP_DUPLICATE_ACCOUNT = 0x00000100,

    /// <summary>
    /// This is a default account type that represents a typical user. 
    ///</summary>
    NORMAL_ACCOUNT = 0x00000200,

    /// <summary>
    /// This is a permit to trust account for a system domain that trusts other domains. 
    ///</summary>
    INTERDOMAIN_TRUST_ACCOUNT = 0x00000800,

    /// <summary>
    /// This is a computer account for a computer that is a member of this domain. 
    ///</summary>
    WORKSTATION_TRUST_ACCOUNT = 0x00001000,

    /// <summary>
    /// This is a computer account for a system backup domain controller that is a member of this domain. 
    ///</summary>
    SERVER_TRUST_ACCOUNT = 0x00002000,

    /// <summary>
    /// Not used. 
    ///</summary>
    Unused1 = 0x00004000,

    /// <summary>
    /// Not used. 
    ///</summary>
    Unused2 = 0x00008000,

    /// <summary>
    /// The password for this account will never expire. 
    ///</summary>
    DONT_EXPIRE_PASSWD = 0x00010000,

    /// <summary>
    /// This is an MNS logon account. 
    ///</summary>
    MNS_LOGON_ACCOUNT = 0x00020000,

    /// <summary>
    /// The user must log on using a smart card. 
    ///</summary>
    SMARTCARD_REQUIRED = 0x00040000,

    /// <summary>
    /// The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service 
    /// can impersonate a client requesting the service. 
    ///</summary>
    TRUSTED_FOR_DELEGATION = 0x00080000,

    /// <summary>
    /// The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation. 
    ///</summary>
    NOT_DELEGATED = 0x00100000,

    /// <summary>
    /// Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. 
    ///</summary>
    USE_DES_KEY_ONLY = 0x00200000,

    /// <summary>
    /// This account does not require Kerberos pre-authentication for logon. 
    ///</summary>
    DONT_REQUIRE_PREAUTH = 0x00400000,

    /// <summary>
    /// The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy. 
    ///</summary>
    PASSWORD_EXPIRED = 0x00800000,

    /// <summary>
    /// The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly 
    /// controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to 
    /// other remote servers on the network.
    ///</summary>
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000,

    /// <summary>
    /// 
    /// </summary>
    PARTIAL_SECRETS_ACCOUNT = 0x04000000,

    /// <summary>
    /// 
    /// </summary>
    USE_AES_KEYS = 0x08000000
}