使用 C#,如何检查活动目录中是否禁用了计算机帐户?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/591681/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Using C#, how do you check if a computer account is disabled in active directory?
提问by
How do you check if a computer account is disabled in Active Directory using C#/.NET
如何使用 C#/.NET 检查 Active Directory 中的计算机帐户是否被禁用
回答by Gregory A Beamer
Try this entry:
试试这个条目:
http://www.codeproject.com/KB/system/everythingInAD.aspx#42
http://www.codeproject.com/KB/system/everythingInAD.aspx#42
You will want to examine the User Account Control flags.
您需要检查用户帐户控制标志。
回答by Leandro López
Try this:
尝试这个:
class Program
{
static void Main(string[] args)
{
const string ldap = "LDAP://your-ldap-server-here";
using (DirectoryEntry conn = new DirectoryEntry(ldap))
{
using (DirectorySearcher searcher = new DirectorySearcher(conn))
{
searcher.Filter = "(|(samAccountName=userA)(samAccountName=userB))";
searcher.PropertiesToLoad.Add("samAccountName");
searcher.PropertiesToLoad.Add("userAccountControl");
using (SearchResultCollection results = searcher.FindAll())
{
foreach (SearchResult result in results)
{
int userAccountControl = Convert.ToInt32(result.Properties["userAccountControl"][0]);
string samAccountName = Convert.ToString(result.Properties["samAccountName"][0]);
bool disabled = ((userAccountControl & 2) > 0);
Console.WriteLine("{0} ({1:x}) :: {2}", samAccountName, userAccountControl, disabled);
}
}
}
}
Console.ReadLine();
}
}
The second bit of userAccountControlwill be 1 if the account is disabled.
userAccountControl如果帐户被禁用,第二位将为 1。
回答by vinny
Without checking bits, adding:
不检查位,添加:
(userAccountControl:1.2.840.113556.1.4.803:=2)
(userAccountControl:1.2.840.113556.1.4.803:=2)
to your filter should return only disabled users. Of course,
到您的过滤器应仅返回禁用的用户。当然,
(!userAccountControl:1.2.840.113556.1.4.803:=2)
(!userAccountControl:1.2.840.113556.1.4.803:=2)
will ensure that users are not disabled if you'd prefer to go that route.
如果您更愿意走那条路,将确保用户不会被禁用。
回答by DoniG
If you are using .NET 3.5, you can use the new System.DirectoryServices.AccountManagment namespace methods to much more easily access Active Directory. The UserPrincipal object has an Enabled property that gives you what you are looking for.
如果您使用的是 .NET 3.5,则可以使用新的 System.DirectoryServices.AccountManagment 命名空间方法来更轻松地访问 Active Directory。UserPrincipal 对象有一个 Enabled 属性,可以为您提供所需的内容。
There is a good overview of these routines in the January 2008 MSDN Magazine. You can read the article online here: Managing Directory Security Principals in the .NET Framework 3.5
2008 年 1 月的 MSDN 杂志中对这些例程进行了很好的概述。您可以在此处在线阅读文章:Managing Directory Security Principals in the .NET Framework 3.5
回答by Isaiyavan Babu Karan
Leandro López's answer is cool and works... the other option is we can do a LINQ for the userAccountControl with the values of disable and make those uses disabled
Leandro López 的回答很酷并且有效……另一个选择是我们可以为 userAccountControl 使用禁用值执行 LINQ 并禁用这些使用
replie from userAccountControl are :
来自 userAccountControl 的回复是:
512 Enabled Account
512 已启用帐户
514 Disabled Account
514 账号被禁用
544 Enabled, Password Not Required
544 启用,不需要密码
546 Disabled, Password Not Required
546 禁用,不需要密码
66048 Enabled, Password Doesn't Expire
66048 已启用,密码不会过期
66050 Disabled, Password Doesn't Expire
66050 已禁用,密码未过期
66080 Enabled, Password Doesn't Expire & Not Required
66080 已启用,密码不会过期且不需要
66082 Disabled, Password Doesn't Expire & Not Required
66082 已禁用,密码不会过期且不需要
262656 Enabled, Smartcard Required
262656 启用,需要智能卡
262658 Disabled, Smartcard Required
262658 已禁用,需要智能卡
262688 Enabled, Smartcard Required, Password Not Required
262688 启用,需要智能卡,不需要密码
262690 Disabled, Smartcard Required, Password Not Required
262690 禁用,需要智能卡,不需要密码
328192 Enabled, Smartcard Required, Password Doesn't Expire
328192 启用,需要智能卡,密码不会过期
328194 Disabled, Smartcard Required, Password Doesn't Expire
328194 已禁用,需要智能卡,密码不会过期
328224 Enabled, Smartcard Required, Password Doesn't Expire & Not Required
328224 已启用,需要智能卡,密码不会过期且不需要
328226 Disabled, Smartcard Required, Password Doesn't Expire & Not Required
328226 已禁用、需要智能卡、密码不会过期且不需要
回答by deepti
hey i got it finallyy :) here is my code hope it helps you
嘿,我终于明白了:) 这是我的代码,希望对你有帮助
const int ADS_UF_ACCOUNTDISABLE = 0x00000002;
const int ADS_UF_ACCOUNTDISABLE = 0x00000002;
DirectoryEntry de = new DirectoryEntry();
de.Path = "LDAP://companyname.com";
DirectorySearcher objADSearcher = new DirectorySearcher(de);
de.AuthenticationType = AuthenticationTypes.Secure;
objADSearcher.SearchRoot = de;
objADSearcher.Filter = "(SAMAccountName=" + TextBox1.Text + ")";
SearchResult results = objADSearcher.FindOne();
if (results.ToString() !="")
{
int flags= Convert.ToInt32(results.Properties["userAccountControl"][0].ToString());
//for reference results.Properties["userAccountControl"][0].ToString().Equals("514");
//参考结果。Properties["userAccountControl"][0].ToString().Equals("514");
if (Convert.ToBoolean(flags & ADS_UF_ACCOUNTDISABLE))
{
Response.Write("Account Disabled");
}
回答by Bhuvan
If you are using samAcountName or any other Identity field.. it is way simpler to use UserPrincipal.FindByIdentity method. And use the hybrid approach to Leandro López and Deepti. both their approaches are very good.. but very narrowly focused. More details on this flag is available on MSDN
如果您使用 samAcountName 或任何其他身份字段.. 使用 UserPrincipal.FindByIdentity 方法更简单。并对 Leandro López 和 Deepti 使用混合方法。他们的方法都非常好..但非常狭窄。MSDN上提供了有关此标志的更多详细信息
回答by JamieSee
You can easily decode the userAccountControl property by converting your result to an enum.
您可以通过将结果转换为枚举来轻松解码 userAccountControl 属性。
int userAccountControlValue = 544;
UserAccountControl userAccountControl = (UserAccountControl) userAccountControlValue;
// This gets a comma separated string of the flag names that apply.
string userAccountControlFlagNames = userAccountControl.ToString();
// This is how you test for an individual flag.
bool isNormalAccount = (userAccountControl & UserAccountControl.NORMAL_ACCOUNT) == UserAccountControl.NORMAL_ACCOUNT;
bool isAccountDisabled = (userAccountControl & UserAccountControl.ACCOUNTDISABLE) == UserAccountControl.ACCOUNTDISABLE;
bool isAccountLockedOut = (userAccountControl & UserAccountControl.LOCKOUT) == UserAccountControl.LOCKOUT;
You can also use it to build an LDAP filter:
您还可以使用它来构建 LDAP 过滤器:
// To get a user that is disabled.
string ldapFilter = string.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(userAccountControl:1.2.840.113556.1.4.803:={1:D}))", accountName, UserAccountControl.ACCOUNTDISABLE)
// To get a user that is not disabled.
string ldapFilter = string.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(!(userAccountControl:1.2.840.113556.1.4.803:={1:D})))", accountName, UserAccountControl.ACCOUNTDISABLE)
Also see Active Directory: LDAP Syntax Filtersfor examples of commonly useful Active Directory LDAP filters.
另请参阅Active Directory:LDAP 语法过滤器,了解常用 Active Directory LDAP 过滤器的示例。
Here's the enum definition that you want:
这是您想要的枚举定义:
/// <summary>
/// Flags that control the behavior of the user account.
/// </summary>
[Flags()]
public enum UserAccountControl : int
{
/// <summary>
/// The logon script is executed.
///</summary>
SCRIPT = 0x00000001,
/// <summary>
/// The user account is disabled.
///</summary>
ACCOUNTDISABLE = 0x00000002,
/// <summary>
/// The home directory is required.
///</summary>
HOMEDIR_REQUIRED = 0x00000008,
/// <summary>
/// The account is currently locked out.
///</summary>
LOCKOUT = 0x00000010,
/// <summary>
/// No password is required.
///</summary>
PASSWD_NOTREQD = 0x00000020,
/// <summary>
/// The user cannot change the password.
///</summary>
/// <remarks>
/// Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute.
/// For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
// </remarks>
PASSWD_CANT_CHANGE = 0x00000040,
/// <summary>
/// The user can send an encrypted password.
///</summary>
ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080,
/// <summary>
/// This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not
/// to any domain that trusts this domain. Also known as a local user account.
///</summary>
TEMP_DUPLICATE_ACCOUNT = 0x00000100,
/// <summary>
/// This is a default account type that represents a typical user.
///</summary>
NORMAL_ACCOUNT = 0x00000200,
/// <summary>
/// This is a permit to trust account for a system domain that trusts other domains.
///</summary>
INTERDOMAIN_TRUST_ACCOUNT = 0x00000800,
/// <summary>
/// This is a computer account for a computer that is a member of this domain.
///</summary>
WORKSTATION_TRUST_ACCOUNT = 0x00001000,
/// <summary>
/// This is a computer account for a system backup domain controller that is a member of this domain.
///</summary>
SERVER_TRUST_ACCOUNT = 0x00002000,
/// <summary>
/// Not used.
///</summary>
Unused1 = 0x00004000,
/// <summary>
/// Not used.
///</summary>
Unused2 = 0x00008000,
/// <summary>
/// The password for this account will never expire.
///</summary>
DONT_EXPIRE_PASSWD = 0x00010000,
/// <summary>
/// This is an MNS logon account.
///</summary>
MNS_LOGON_ACCOUNT = 0x00020000,
/// <summary>
/// The user must log on using a smart card.
///</summary>
SMARTCARD_REQUIRED = 0x00040000,
/// <summary>
/// The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service
/// can impersonate a client requesting the service.
///</summary>
TRUSTED_FOR_DELEGATION = 0x00080000,
/// <summary>
/// The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
///</summary>
NOT_DELEGATED = 0x00100000,
/// <summary>
/// Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
///</summary>
USE_DES_KEY_ONLY = 0x00200000,
/// <summary>
/// This account does not require Kerberos pre-authentication for logon.
///</summary>
DONT_REQUIRE_PREAUTH = 0x00400000,
/// <summary>
/// The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
///</summary>
PASSWORD_EXPIRED = 0x00800000,
/// <summary>
/// The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly
/// controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to
/// other remote servers on the network.
///</summary>
TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000,
/// <summary>
///
/// </summary>
PARTIAL_SECRETS_ACCOUNT = 0x04000000,
/// <summary>
///
/// </summary>
USE_AES_KEYS = 0x08000000
}
