查找用户帐户是否在 AD 中启用或禁用
find if user account is enabled or disabled in AD
我需要判断某个用户帐户在 AD 中是启用还是禁用。
我在 UserPrincipal 上找不到对应 "userAccountControl" 的标志或属性。
可以用 UserPrincipal 类来实现吗？
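drop_persona1.Items.Clear();
// Container (OU / DN) chosen in the UI; it becomes the search root below.
// NOTE(review): this is a drop-down's SelectedValue — confirm it is validated
// against a server-side allow-list before being used to scope directory access.
string valor = drop_area.SelectedValue;
// PrincipalContext and the search result hold LDAP connections; dispose them.
using (PrincipalContext ctx2 = new PrincipalContext(ContextType.Domain, "xxxxxxxx", valor))
using (UserPrincipal qbeUser2 = new UserPrincipal(ctx2))
{
    // Query-by-example: only principals whose Enabled property is true
    // (ACCOUNTDISABLE bit of userAccountControl clear) are returned.
    qbeUser2.Enabled = true; // enabled for authentication
    using (PrincipalSearcher srch2 = new PrincipalSearcher(qbeUser2))
    using (PrincipalSearchResult<Principal> results = srch2.FindAll())
    {
        foreach (var found2 in results.OrderBy(x => x.DisplayName))
        {
            ListItem lst_user = new ListItem(found2.DisplayName, found2.SamAccountName);
            drop_persona1.Items.Insert(drop_persona1.Items.Count, lst_user);
        }
    }
}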
//}
}
此致
我没有测试过这个答案,但我相信它应该有效。
1) 先获取目录条目（DirectoryEntry）对象：
// NOTE(review): a UserPrincipal created with `new` is a query-by-example template,
// not an object fetched from the directory; the tested version further down looks the
// user up with UserPrincipal.FindByIdentity first. Confirm GetUnderlyingObject() is
// meaningful on an unpersisted principal before relying on this.
UserPrincipal qbeUser2 = new UserPrincipal(ctx2);
var dirEntry = qbeUser2.GetUnderlyingObject() as DirectoryEntry;
2) 然后用下面的方法检查帐户是否被禁用：
var status = IsAccountDisabled(dirEntry); // true when the ACCOUNTDISABLE (0x2) bit is set
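/// <summary>
/// Returns true when the ACCOUNTDISABLE bit (0x2) of the entry's userAccountControl
/// attribute is set, false when it is clear or the attribute cannot be read.
/// </summary>
/// <param name="user">Directory entry of the user; must not be null.</param>
/// <returns>True if the account is disabled; false otherwise (including when the attribute is absent).</returns>
/// <exception cref="System.ArgumentNullException">user is null.</exception>
/// <remarks>
/// NOTE(review): "not disabled" is not the same as "can log on" — lockout, account
/// expiry, password expiry and logon-hour restrictions are not reflected in this bit.
/// </remarks>
public static bool IsAccountDisabled(DirectoryEntry user)
{
    if (user == null)
    {
        throw new System.ArgumentNullException("user");
    }
    const string uac = "userAccountControl";
    // Presumably null only for an entry not bound to a directory object — confirm.
    if (user.NativeGuid == null)
    {
        return false;
    }
    object raw = user.Properties[uac] != null ? user.Properties[uac].Value : null;
    if (raw == null)
    {
        return false;
    }
    // The attribute is a 32-bit integer; test the bit directly so this helper does
    // not depend on an extension method defined elsewhere in the file.
    int flags = System.Convert.ToInt32(raw);
    return (flags & (int)UserFlags.AccountDisabled) != 0;
}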
3) UserFlags 枚举定义如下（对应 userAccountControl 的各个位）：
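/// <summary>
/// Bit values of the Active Directory userAccountControl attribute (UF_* constants).
/// </summary>
/// <remarks>
/// Reference - Chapter 10 (from The .NET Developer's Guide to Directory Services Programming).
/// NOTE(review): AccountLockedOut and PasswordExpired are computed by the DC and are
/// not reliably present in the stored attribute — read msDS-User-Account-Control-Computed
/// (or lockoutTime) for those; verify against your DCs.
/// </remarks>
[Flags]
public enum UserFlags
{
    None = 0,
    Script = 0x1,
    AccountDisabled = 0x2,
    HomeDirectoryRequired = 0x8,
    AccountLockedOut = 0x10,                        // computed on the DC; see remarks
    PasswordNotRequired = 0x20,                     // review: audit — account may have an empty password
    PasswordCannotChange = 0x40,
    EncryptedTextPasswordAllowed = 0x80,            // review: audit — password stored with reversible encryption
    TempDuplicateAccount = 0x100,
    NormalAccount = 0x200,
    InterDomainTrustAccount = 0x800,
    WorkstationTrustAccount = 0x1000,
    ServerTrustAccount = 0x2000,
    PasswordDoesNotExpire = 0x10000,                // 66048 (0x10200) seen in the wild is NormalAccount | PasswordDoesNotExpire
    MnsLogonAccount = 0x20000,
    SmartCardRequired = 0x40000,
    TrustedForDelegation = 0x80000,                 // review: audit — unconstrained Kerberos delegation
    AccountNotDelegated = 0x100000,
    UseDesKeyOnly = 0x200000,                       // review: audit — restricts Kerberos to DES keys
    DontRequirePreauth = 0x400000,                  // review: audit — no Kerberos pre-auth (AS-REP roasting exposure)
    PasswordExpired = 0x800000,                     // (Applicable only in Windows 2000 and Windows Server 2003); computed, see remarks
    TrustedToAuthenticateForDelegation = 0x1000000, // review: audit — constrained delegation with protocol transition
    NoAuthDataRequired = 0x2000000
}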
更新
下面是已在 AD 上测试过的完整代码，在我的测试中运行正常。（注意：示例里的 "AdminUser"/"AdminPass" 只是占位符；读取 userAccountControl 通常不需要管理员权限，实际代码中不要把凭据写死在源码里。）
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
namespace DisableUsers
{
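internal class Program
{
    /// <summary>
    /// Looks up one user by sAMAccountName and prints whether the account is disabled.
    /// </summary>
    /// <remarks>
    /// Reading userAccountControl does not need elevated rights by default, so the
    /// lookup runs as the calling user's identity. Explicit credentials (e.g. when the
    /// machine is not domain-joined) are taken from the AD_USER / AD_PASSWORD
    /// environment variables — never from literals in source.
    /// </remarks>
    private static void Main()
    {
        const string sAMAccountName = "vikas"; // The sAMAccountName of AD user
        const string domainName = "domainNameHere";

        string adUser = Environment.GetEnvironmentVariable("AD_USER");
        string adPassword = Environment.GetEnvironmentVariable("AD_PASSWORD");

        // PrincipalContext holds an LDAP connection; dispose it when done.
        using (var principalContext = string.IsNullOrEmpty(adUser)
            ? new PrincipalContext(ContextType.Domain, domainName)
            : new PrincipalContext(ContextType.Domain, domainName, adUser, adPassword))
        // Pin the identity type so the value can only match a sAMAccountName, not a
        // SID, UPN or DN that happens to look like it. Null when nothing matches.
        using (var userPrincipal = UserPrincipal.FindByIdentity(principalContext, IdentityType.SamAccountName, sAMAccountName))
        {
            if (userPrincipal != null)
            {
                // NOTE(review): not disposed separately — the principal owns it (confirm).
                var dirEntry = userPrincipal.GetUnderlyingObject() as DirectoryEntry;
                var status = IsAccountDisabled(dirEntry);
                Console.WriteLine(status ? "Account {0} is disabled." : "Account {0} is enabled.", sAMAccountName);
            }
            else
            {
                Console.WriteLine("No user found for sAMAccountName '{0}'.", sAMAccountName);
            }
        }
        Console.ReadLine();
    }

    /// <summary>
    /// Returns true when the ACCOUNTDISABLE bit (0x2) of the entry's userAccountControl
    /// attribute is set, false when it is clear or the attribute cannot be read.
    /// </summary>
    /// <param name="user">Directory entry of the user; must not be null.</param>
    /// <returns>True if the account is disabled; false otherwise (including when the attribute is absent).</returns>
    /// <exception cref="ArgumentNullException">user is null.</exception>
    /// <remarks>
    /// NOTE(review): "not disabled" is not the same as "can log on" — lockout, account
    /// expiry, password expiry and logon-hour restrictions are not reflected in this bit.
    /// </remarks>
    public static bool IsAccountDisabled(DirectoryEntry user)
    {
        if (user == null)
        {
            throw new ArgumentNullException("user");
        }
        const string uac = "userAccountControl";
        // Presumably null only for an entry not bound to a directory object — confirm.
        if (user.NativeGuid == null)
        {
            return false;
        }
        object raw = user.Properties[uac] != null ? user.Properties[uac].Value : null;
        if (raw == null)
        {
            return false;
        }
        // The attribute is a 32-bit integer; test the bit directly.
        int flags = Convert.ToInt32(raw);
        return (flags & (int)UserFlags.AccountDisabled) != 0;
    }
}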
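/// <summary>Bit-test helpers for <see cref="UserFlags"/>.</summary>
public static class UserFlagExtensions
{
    /// <summary>
    /// True when every bit of <paramref name="needle"/> is set in <paramref name="haystack"/>.
    /// </summary>
    /// <param name="haystack">The userAccountControl value being inspected.</param>
    /// <param name="needle">The flag (or flag combination) to look for.</param>
    /// <returns>
    /// True if all bits of needle are present. Note that <see cref="UserFlags.None"/>
    /// is contained by every value, including zero.
    /// </returns>
    /// <remarks>
    /// Kept as a plain bitwise test; Enum.HasFlag boxed on older runtimes, which is
    /// presumably why the original avoided it — on current runtimes the difference is negligible.
    /// </remarks>
    public static bool Contains(this UserFlags haystack, UserFlags needle)
    {
        return (haystack & needle) == needle;
    }
}

/// <summary>
/// Bit values of the Active Directory userAccountControl attribute (UF_* constants).
/// </summary>
/// <remarks>
/// Reference - Chapter 10 (from The .NET Developer's Guide to Directory Services Programming).
/// NOTE(review): AccountLockedOut and PasswordExpired are computed by the DC and are
/// not reliably present in the stored attribute — read msDS-User-Account-Control-Computed
/// (or lockoutTime) for those; verify against your DCs.
/// </remarks>
[Flags]
public enum UserFlags
{
    None = 0,
    Script = 0x1,
    AccountDisabled = 0x2,
    HomeDirectoryRequired = 0x8,
    AccountLockedOut = 0x10,                        // computed on the DC; see remarks
    PasswordNotRequired = 0x20,                     // review: audit — account may have an empty password
    PasswordCannotChange = 0x40,
    EncryptedTextPasswordAllowed = 0x80,            // review: audit — password stored with reversible encryption
    TempDuplicateAccount = 0x100,
    NormalAccount = 0x200,
    InterDomainTrustAccount = 0x800,
    WorkstationTrustAccount = 0x1000,
    ServerTrustAccount = 0x2000,
    PasswordDoesNotExpire = 0x10000,                // 66048 (0x10200) seen in the wild is NormalAccount | PasswordDoesNotExpire
    MnsLogonAccount = 0x20000,
    SmartCardRequired = 0x40000,
    TrustedForDelegation = 0x80000,                 // review: audit — unconstrained Kerberos delegation
    AccountNotDelegated = 0x100000,
    UseDesKeyOnly = 0x200000,                       // review: audit — restricts Kerberos to DES keys
    DontRequirePreauth = 0x400000,                  // review: audit — no Kerberos pre-auth (AS-REP roasting exposure)
    PasswordExpired = 0x800000,                     // (Applicable only in Windows 2000 and Windows Server 2003); computed, see remarks
    TrustedToAuthenticateForDelegation = 0x1000000, // review: audit — constrained delegation with protocol transition
    NoAuthDataRequired = 0x2000000
}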
}
如果只需要判断用户是启用还是禁用，可以用下面更简单的方法（注意：FindByIdentity 找不到用户时返回 null，使用前要检查）：
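// Runs under the calling process's Windows identity against the current domain;
// the context holds an LDAP connection, so dispose it.
using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, searchTextBox.Text.Trim()))
{
    if (user == null)
    {
        // FindByIdentity returns null rather than throwing when nothing matches.
        MessageBox.Show("Account not found!");
    }
    else if (user.Enabled == true)
    {
        MessageBox.Show("Account enabled!");
    }
    else if (user.Enabled == false)
    {
        MessageBox.Show("Account disabled!");
    }
    else
    {
        // Enabled is bool?; null means the store did not report the flag.
        MessageBox.Show("Account state unknown!");
    }
}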
我需要判断某个用户帐户在 AD 中是启用还是禁用。
我在 UserPrincipal 上找不到对应 "userAccountControl" 的标志或属性。可以用 UserPrincipal 类来实现吗？
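drop_persona1.Items.Clear();
// Container (OU / DN) chosen in the UI; it becomes the search root below.
// NOTE(review): this is a drop-down's SelectedValue — confirm it is validated
// against a server-side allow-list before being used to scope directory access.
string valor = drop_area.SelectedValue;
// PrincipalContext and the search result hold LDAP connections; dispose them.
using (PrincipalContext ctx2 = new PrincipalContext(ContextType.Domain, "xxxxxxxx", valor))
using (UserPrincipal qbeUser2 = new UserPrincipal(ctx2))
{
    // Query-by-example: only principals whose Enabled property is true
    // (ACCOUNTDISABLE bit of userAccountControl clear) are returned.
    qbeUser2.Enabled = true; // enabled for authentication
    using (PrincipalSearcher srch2 = new PrincipalSearcher(qbeUser2))
    using (PrincipalSearchResult<Principal> results = srch2.FindAll())
    {
        foreach (var found2 in results.OrderBy(x => x.DisplayName))
        {
            ListItem lst_user = new ListItem(found2.DisplayName, found2.SamAccountName);
            drop_persona1.Items.Insert(drop_persona1.Items.Count, lst_user);
        }
    }
}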
//}
}
此致
我没有测试过这个答案,但我相信它应该有效。
1) 先获取目录条目（DirectoryEntry）对象：
UserPrincipal qbeUser2 = new UserPrincipal(ctx2);
// NOTE(review): a UserPrincipal created with `new` is a query-by-example template,
// not an object fetched from the directory; the tested version further down looks the
// user up with UserPrincipal.FindByIdentity first. Confirm GetUnderlyingObject() is
// meaningful on an unpersisted principal before relying on this.
var dirEntry = qbeUser2.GetUnderlyingObject() as DirectoryEntry;
2) 然后用下面的方法检查帐户是否被禁用：
var status = IsAccountDisabled(dirEntry);
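/// <summary>
/// Returns true when the ACCOUNTDISABLE bit (0x2) of the entry's userAccountControl
/// attribute is set, false when it is clear or the attribute cannot be read.
/// </summary>
/// <param name="user">Directory entry of the user; must not be null.</param>
/// <returns>True if the account is disabled; false otherwise (including when the attribute is absent).</returns>
/// <exception cref="System.ArgumentNullException">user is null.</exception>
/// <remarks>
/// NOTE(review): "not disabled" is not the same as "can log on" — lockout, account
/// expiry, password expiry and logon-hour restrictions are not reflected in this bit.
/// </remarks>
public static bool IsAccountDisabled(DirectoryEntry user)
{
    if (user == null)
    {
        throw new System.ArgumentNullException("user");
    }
    const string uac = "userAccountControl";
    // Presumably null only for an entry not bound to a directory object — confirm.
    if (user.NativeGuid == null)
    {
        return false;
    }
    object raw = user.Properties[uac] != null ? user.Properties[uac].Value : null;
    if (raw == null)
    {
        return false;
    }
    // The attribute is a 32-bit integer; test the bit directly so this helper does
    // not depend on an extension method defined elsewhere in the file.
    int flags = System.Convert.ToInt32(raw);
    return (flags & (int)UserFlags.AccountDisabled) != 0;
}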
3) UserFlags 枚举定义如下（对应 userAccountControl 的各个位）：
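/// <summary>
/// Bit values of the Active Directory userAccountControl attribute (UF_* constants).
/// </summary>
/// <remarks>
/// Reference - Chapter 10 (from The .NET Developer's Guide to Directory Services Programming).
/// NOTE(review): AccountLockedOut and PasswordExpired are computed by the DC and are
/// not reliably present in the stored attribute — read msDS-User-Account-Control-Computed
/// (or lockoutTime) for those; verify against your DCs.
/// </remarks>
[Flags]
public enum UserFlags
{
    None = 0,
    Script = 0x1,
    AccountDisabled = 0x2,
    HomeDirectoryRequired = 0x8,
    AccountLockedOut = 0x10,                        // computed on the DC; see remarks
    PasswordNotRequired = 0x20,                     // review: audit — account may have an empty password
    PasswordCannotChange = 0x40,
    EncryptedTextPasswordAllowed = 0x80,            // review: audit — password stored with reversible encryption
    TempDuplicateAccount = 0x100,
    NormalAccount = 0x200,
    InterDomainTrustAccount = 0x800,
    WorkstationTrustAccount = 0x1000,
    ServerTrustAccount = 0x2000,
    PasswordDoesNotExpire = 0x10000,                // 66048 (0x10200) seen in the wild is NormalAccount | PasswordDoesNotExpire
    MnsLogonAccount = 0x20000,
    SmartCardRequired = 0x40000,
    TrustedForDelegation = 0x80000,                 // review: audit — unconstrained Kerberos delegation
    AccountNotDelegated = 0x100000,
    UseDesKeyOnly = 0x200000,                       // review: audit — restricts Kerberos to DES keys
    DontRequirePreauth = 0x400000,                  // review: audit — no Kerberos pre-auth (AS-REP roasting exposure)
    PasswordExpired = 0x800000,                     // (Applicable only in Windows 2000 and Windows Server 2003); computed, see remarks
    TrustedToAuthenticateForDelegation = 0x1000000, // review: audit — constrained delegation with protocol transition
    NoAuthDataRequired = 0x2000000
}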
更新
下面是已在 AD 上测试过的完整代码，在我的测试中运行正常。（注意：示例里的 "AdminUser"/"AdminPass" 只是占位符；读取 userAccountControl 通常不需要管理员权限，实际代码中不要把凭据写死在源码里。）
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
namespace DisableUsers
{
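internal class Program
{
    /// <summary>
    /// Looks up one user by sAMAccountName and prints whether the account is disabled.
    /// </summary>
    /// <remarks>
    /// Reading userAccountControl does not need elevated rights by default, so the
    /// lookup runs as the calling user's identity. Explicit credentials (e.g. when the
    /// machine is not domain-joined) are taken from the AD_USER / AD_PASSWORD
    /// environment variables — never from literals in source.
    /// </remarks>
    private static void Main()
    {
        const string sAMAccountName = "vikas"; // The sAMAccountName of AD user
        const string domainName = "domainNameHere";

        string adUser = Environment.GetEnvironmentVariable("AD_USER");
        string adPassword = Environment.GetEnvironmentVariable("AD_PASSWORD");

        // PrincipalContext holds an LDAP connection; dispose it when done.
        using (var principalContext = string.IsNullOrEmpty(adUser)
            ? new PrincipalContext(ContextType.Domain, domainName)
            : new PrincipalContext(ContextType.Domain, domainName, adUser, adPassword))
        // Pin the identity type so the value can only match a sAMAccountName, not a
        // SID, UPN or DN that happens to look like it. Null when nothing matches.
        using (var userPrincipal = UserPrincipal.FindByIdentity(principalContext, IdentityType.SamAccountName, sAMAccountName))
        {
            if (userPrincipal != null)
            {
                // NOTE(review): not disposed separately — the principal owns it (confirm).
                var dirEntry = userPrincipal.GetUnderlyingObject() as DirectoryEntry;
                var status = IsAccountDisabled(dirEntry);
                Console.WriteLine(status ? "Account {0} is disabled." : "Account {0} is enabled.", sAMAccountName);
            }
            else
            {
                Console.WriteLine("No user found for sAMAccountName '{0}'.", sAMAccountName);
            }
        }
        Console.ReadLine();
    }

    /// <summary>
    /// Returns true when the ACCOUNTDISABLE bit (0x2) of the entry's userAccountControl
    /// attribute is set, false when it is clear or the attribute cannot be read.
    /// </summary>
    /// <param name="user">Directory entry of the user; must not be null.</param>
    /// <returns>True if the account is disabled; false otherwise (including when the attribute is absent).</returns>
    /// <exception cref="ArgumentNullException">user is null.</exception>
    /// <remarks>
    /// NOTE(review): "not disabled" is not the same as "can log on" — lockout, account
    /// expiry, password expiry and logon-hour restrictions are not reflected in this bit.
    /// </remarks>
    public static bool IsAccountDisabled(DirectoryEntry user)
    {
        if (user == null)
        {
            throw new ArgumentNullException("user");
        }
        const string uac = "userAccountControl";
        // Presumably null only for an entry not bound to a directory object — confirm.
        if (user.NativeGuid == null)
        {
            return false;
        }
        object raw = user.Properties[uac] != null ? user.Properties[uac].Value : null;
        if (raw == null)
        {
            return false;
        }
        // The attribute is a 32-bit integer; test the bit directly.
        int flags = Convert.ToInt32(raw);
        return (flags & (int)UserFlags.AccountDisabled) != 0;
    }
}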
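/// <summary>Bit-test helpers for <see cref="UserFlags"/>.</summary>
public static class UserFlagExtensions
{
    /// <summary>
    /// True when every bit of <paramref name="needle"/> is set in <paramref name="haystack"/>.
    /// </summary>
    /// <param name="haystack">The userAccountControl value being inspected.</param>
    /// <param name="needle">The flag (or flag combination) to look for.</param>
    /// <returns>
    /// True if all bits of needle are present. Note that <see cref="UserFlags.None"/>
    /// is contained by every value, including zero.
    /// </returns>
    /// <remarks>
    /// Kept as a plain bitwise test; Enum.HasFlag boxed on older runtimes, which is
    /// presumably why the original avoided it — on current runtimes the difference is negligible.
    /// </remarks>
    public static bool Contains(this UserFlags haystack, UserFlags needle)
    {
        return (haystack & needle) == needle;
    }
}

/// <summary>
/// Bit values of the Active Directory userAccountControl attribute (UF_* constants).
/// </summary>
/// <remarks>
/// Reference - Chapter 10 (from The .NET Developer's Guide to Directory Services Programming).
/// NOTE(review): AccountLockedOut and PasswordExpired are computed by the DC and are
/// not reliably present in the stored attribute — read msDS-User-Account-Control-Computed
/// (or lockoutTime) for those; verify against your DCs.
/// </remarks>
[Flags]
public enum UserFlags
{
    None = 0,
    Script = 0x1,
    AccountDisabled = 0x2,
    HomeDirectoryRequired = 0x8,
    AccountLockedOut = 0x10,                        // computed on the DC; see remarks
    PasswordNotRequired = 0x20,                     // review: audit — account may have an empty password
    PasswordCannotChange = 0x40,
    EncryptedTextPasswordAllowed = 0x80,            // review: audit — password stored with reversible encryption
    TempDuplicateAccount = 0x100,
    NormalAccount = 0x200,
    InterDomainTrustAccount = 0x800,
    WorkstationTrustAccount = 0x1000,
    ServerTrustAccount = 0x2000,
    PasswordDoesNotExpire = 0x10000,                // 66048 (0x10200) seen in the wild is NormalAccount | PasswordDoesNotExpire
    MnsLogonAccount = 0x20000,
    SmartCardRequired = 0x40000,
    TrustedForDelegation = 0x80000,                 // review: audit — unconstrained Kerberos delegation
    AccountNotDelegated = 0x100000,
    UseDesKeyOnly = 0x200000,                       // review: audit — restricts Kerberos to DES keys
    DontRequirePreauth = 0x400000,                  // review: audit — no Kerberos pre-auth (AS-REP roasting exposure)
    PasswordExpired = 0x800000,                     // (Applicable only in Windows 2000 and Windows Server 2003); computed, see remarks
    TrustedToAuthenticateForDelegation = 0x1000000, // review: audit — constrained delegation with protocol transition
    NoAuthDataRequired = 0x2000000
}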
}
如果只需要判断用户是启用还是禁用，可以用下面更简单的方法（注意：FindByIdentity 找不到用户时返回 null，使用前要检查）：
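// Runs under the calling process's Windows identity against the current domain;
// the context holds an LDAP connection, so dispose it.
using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, searchTextBox.Text.Trim()))
{
    if (user == null)
    {
        // FindByIdentity returns null rather than throwing when nothing matches.
        MessageBox.Show("Account not found!");
    }
    else if (user.Enabled == true)
    {
        MessageBox.Show("Account enabled!");
    }
    else if (user.Enabled == false)
    {
        MessageBox.Show("Account disabled!");
    }
    else
    {
        // Enabled is bool?; null means the store did not report the flag.
        MessageBox.Show("Account state unknown!");
    }
}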