Using C#, how do I check whether a computer account in Active Directory is disabled?
How can I check with C#/.NET whether a computer account in Active Directory is disabled?
Try this:
```csharp
using System;
using System.DirectoryServices;

class Program
{
    static void Main(string[] args)
    {
        const string ldap = "LDAP://your-ldap-server-here";
        using (DirectoryEntry conn = new DirectoryEntry(ldap))
        {
            using (DirectorySearcher searcher = new DirectorySearcher(conn))
            {
                searcher.Filter = "(|(samAccountName=userA)(samAccountName=userB))";
                searcher.PropertiesToLoad.Add("samAccountName");
                searcher.PropertiesToLoad.Add("userAccountControl");
                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult result in results)
                    {
                        int userAccountControl = Convert.ToInt32(result.Properties["userAccountControl"][0]);
                        string samAccountName = Convert.ToString(result.Properties["samAccountName"][0]);
                        // ADS_UF_ACCOUNTDISABLE is the 0x2 bit of userAccountControl
                        bool disabled = ((userAccountControl & 2) > 0);
                        Console.WriteLine("{0} ({1:x}) :: {2}", samAccountName, userAccountControl, disabled);
                    }
                }
            }
        }
        Console.ReadLine();
    }
}
```
If the account is disabled, the second bit of userAccountControl will be 1.
If you are using .NET 3.5, you can use the new System.DirectoryServices.AccountManagement namespace methods to access Active Directory more easily. The UserPrincipal object has an Enabled property that gives you what you need.
There was a good overview of these routines in the January 2008 issue of MSDN Magazine. You can read the article online here: Managing Directory Security Principals in the .NET Framework 3.5
Leandro López's answer is cool and works… Another option is that we can do a LINQ on userAccountControl for the values that mean disabled, and disable those users.
The values returned for userAccountControl are:
512 Enabled Account
514 Disabled Account
544 Enabled, Password Not Required
546 Disabled, Password Not Required
66048 Enabled, Password Doesn't Expire
66050 Disabled, Password Doesn't Expire
66080 Enabled, Password Doesn't Expire & Not Required
66082 Disabled, Password Doesn't Expire & Not Required
262656 Enabled, Smartcard Required
262658 Disabled, Smartcard Required
262688 Enabled, Smartcard Required, Password Not Required
262690 Disabled, Smartcard Required, Password Not Required
328192 Enabled, Smartcard Required, Password Doesn't Expire
328194 Disabled, Smartcard Required, Password Doesn't Expire
328224 Enabled, Smartcard Required, Password Doesn't Expire & Not Required
328226 Disabled, Smartcard Required, Password Doesn't Expire & Not Required
Instead of checking bits, adding:
(userAccountControl:1.2.840.113556.1.4.803:=2)
to your filter should return only disabled users. Of course,
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
will make sure the user is not disabled, if you would rather go that route.
Hey, I finally got it :) Here is my code, hope it helps you
```csharp
using System;
using System.DirectoryServices;

const int ADS_UF_ACCOUNTDISABLE = 0x00000002;

DirectoryEntry de = new DirectoryEntry();
de.Path = "LDAP://companyname.com";
de.AuthenticationType = AuthenticationTypes.Secure;
DirectorySearcher objADSearcher = new DirectorySearcher(de);
objADSearcher.SearchRoot = de;
// Note: TextBox1.Text goes into the filter unescaped; escape the LDAP filter
// metacharacters (\ * ( ) NUL) in user-supplied input before building the filter.
objADSearcher.Filter = "(SAMAccountName=" + TextBox1.Text + ")";
SearchResult results = objADSearcher.FindOne();
if (results != null)   // FindOne returns null when nothing matches
{
    int flags = Convert.ToInt32(results.Properties["userAccountControl"][0].ToString());
    // for reference: results.Properties["userAccountControl"][0].ToString().Equals("514");
    if (Convert.ToBoolean(flags & ADS_UF_ACCOUNTDISABLE))
    {
        Response.Write("Account Disabled");
    }
}
```
If you are using samAccountName or any other Identity field, it is simpler to use the UserPrincipal.FindByIdentity method. And use a mix of Leandro López's and Deepti's approaches. Both of their approaches are very good… but very narrow. For more details on this flag, visit MSDN
You can easily decode the userAccountControl attribute by casting the result to an enum.
```csharp
int userAccountControlValue = 544;
UserAccountControl userAccountControl = (UserAccountControl)userAccountControlValue;

// This gets a comma separated string of the flag names that apply.
string userAccountControlFlagNames = userAccountControl.ToString();

// This is how you test for an individual flag.
bool isNormalAccount = (userAccountControl & UserAccountControl.NORMAL_ACCOUNT) == UserAccountControl.NORMAL_ACCOUNT;
bool isAccountDisabled = (userAccountControl & UserAccountControl.ACCOUNTDISABLE) == UserAccountControl.ACCOUNTDISABLE;
bool isAccountLockedOut = (userAccountControl & UserAccountControl.LOCKOUT) == UserAccountControl.LOCKOUT;
```
You can also use it to build LDAP filters:
```csharp
// To get a user that is disabled.
string disabledUserFilter = string.Format(
    "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(userAccountControl:1.2.840.113556.1.4.803:={1:D}))",
    accountName, UserAccountControl.ACCOUNTDISABLE);

// To get a user that is not disabled.
string enabledUserFilter = string.Format(
    "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(!(userAccountControl:1.2.840.113556.1.4.803:={1:D})))",
    accountName, UserAccountControl.ACCOUNTDISABLE);
```
For examples of common Active Directory LDAP filters, see also Active Directory: LDAP Syntax Filters.
Here is the enum definition you want:
```csharp
/// <summary>
/// Flags that control the behavior of the user account.
/// </summary>
[Flags()]
public enum UserAccountControl : int
{
    /// <summary>
    /// The logon script is executed.
    /// </summary>
    SCRIPT = 0x00000001,

    /// <summary>
    /// The user account is disabled.
    /// </summary>
    ACCOUNTDISABLE = 0x00000002,

    /// <summary>
    /// The home directory is required.
    /// </summary>
    HOMEDIR_REQUIRED = 0x00000008,

    /// <summary>
    /// The account is currently locked out.
    /// </summary>
    LOCKOUT = 0x00000010,

    /// <summary>
    /// No password is required.
    /// </summary>
    PASSWD_NOTREQD = 0x00000020,

    /// <summary>
    /// The user cannot change the password.
    /// </summary>
    /// <remarks>
    /// Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute.
    /// For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
    /// </remarks>
    PASSWD_CANT_CHANGE = 0x00000040,

    /// <summary>
    /// The user can send an encrypted password.
    /// </summary>
    ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080,

    /// <summary>
    /// This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not
    /// to any domain that trusts this domain. Also known as a local user account.
    /// </summary>
    TEMP_DUPLICATE_ACCOUNT = 0x00000100,

    /// <summary>
    /// This is a default account type that represents a typical user.
    /// </summary>
    NORMAL_ACCOUNT = 0x00000200,

    /// <summary>
    /// This is a permit to trust account for a system domain that trusts other domains.
    /// </summary>
    INTERDOMAIN_TRUST_ACCOUNT = 0x00000800,

    /// <summary>
    /// This is a computer account for a computer that is a member of this domain.
    /// </summary>
    WORKSTATION_TRUST_ACCOUNT = 0x00001000,

    /// <summary>
    /// This is a computer account for a system backup domain controller that is a member of this domain.
    /// </summary>
    SERVER_TRUST_ACCOUNT = 0x00002000,

    /// <summary>
    /// Not used.
    /// </summary>
    Unused1 = 0x00004000,

    /// <summary>
    /// Not used.
    /// </summary>
    Unused2 = 0x00008000,

    /// <summary>
    /// The password for this account will never expire.
    /// </summary>
    DONT_EXPIRE_PASSWD = 0x00010000,

    /// <summary>
    /// This is an MNS logon account.
    /// </summary>
    MNS_LOGON_ACCOUNT = 0x00020000,

    /// <summary>
    /// The user must log on using a smart card.
    /// </summary>
    SMARTCARD_REQUIRED = 0x00040000,

    /// <summary>
    /// The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service
    /// can impersonate a client requesting the service.
    /// </summary>
    TRUSTED_FOR_DELEGATION = 0x00080000,

    /// <summary>
    /// The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
    /// </summary>
    NOT_DELEGATED = 0x00100000,

    /// <summary>
    /// Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
    /// </summary>
    USE_DES_KEY_ONLY = 0x00200000,

    /// <summary>
    /// This account does not require Kerberos pre-authentication for logon.
    /// </summary>
    DONT_REQUIRE_PREAUTH = 0x00400000,

    /// <summary>
    /// The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
    /// </summary>
    PASSWORD_EXPIRED = 0x00800000,

    /// <summary>
    /// The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly
    /// controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to
    /// other remote servers on the network.
    /// </summary>
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000,

    PARTIAL_SECRETS_ACCOUNT = 0x04000000,

    USE_AES_KEYS = 0x08000000
}
```
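The answers above all search for user objects, while the question asks about computer accounts. The following is an added example, not code from any answer in this thread, that applies the same ADS_UF_ACCOUNTDISABLE bit test to a computer object (filtered by objectCategory=computer, whose sAMAccountName ends in "$") and shows the equivalent ComputerPrincipal.Enabled check; the domain "example.local" and computer name "WS01" are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

static class ComputerAccountStatus
{
    const int ADS_UF_ACCOUNTDISABLE = 0x00000002;

    // Escapes the LDAP filter metacharacters (RFC 4515) so a caller-supplied
    // name cannot change the structure of the filter.
    static string EscapeFilterValue(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    // Raw LDAP search: returns true if disabled, false if enabled, null if not found.
    static bool? IsComputerDisabledViaLdap(string ldapPath, string computerName)
    {
        using (var root = new DirectoryEntry(ldapPath) { AuthenticationType = AuthenticationTypes.Secure })
        using (var searcher = new DirectorySearcher(root))
        {
            // Computer objects carry a trailing '$' in sAMAccountName.
            searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=" + EscapeFilterValue(computerName) + "$))";
            searcher.PropertiesToLoad.Add("userAccountControl");
            SearchResult result = searcher.FindOne();
            if (result == null) return null;
            int uac = Convert.ToInt32(result.Properties["userAccountControl"][0]);
            return (uac & ADS_UF_ACCOUNTDISABLE) != 0;
        }
    }

    // AccountManagement path (.NET 3.5+): ComputerPrincipal exposes Enabled directly.
    static bool? IsComputerDisabledViaPrincipal(string domain, string computerName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var computer = ComputerPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, computerName + "$"))
        {
            if (computer == null) return null;
            return computer.Enabled == false;
        }
    }

    static void Main()
    {
        Console.WriteLine(IsComputerDisabledViaLdap("LDAP://example.local", "WS01"));   // placeholder domain
        Console.WriteLine(IsComputerDisabledViaPrincipal("example.local", "WS01"));
    }
}
```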