C# Active Directory 中的 userAccountControl
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10231914/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
userAccountControl in Active Directory
提问by TTCG
I want to know the current value of the userAccountControl and determine which stage it is in
我想知道 userAccountControl 的当前值并确定它处于哪个阶段
Ref: http://support.microsoft.com/kb/305144/en-us
参考:http: //support.microsoft.com/kb/305144/en-us
According to the above documentation, it should return the values which are 2 to the power N.
根据上述文档,它应该返回 2 的 N 次幂的值。
But when I run my c# program it returns the value 544 for the normal account and 546 for the disabled account. I suspect that they are decimal numbers. But how I could link back to the values as shown in the reference?
但是当我运行我的 c# 程序时,它为普通帐户返回值 544,为禁用帐户返回值 546。我怀疑它们是十进制数。但是我如何才能链接回参考中显示的值?
Thanks.
谢谢。
采纳答案by marc_s
- 544 = hex 0x220
- 546 = hex 0x222
- 544 = 十六进制 0x220
- 546 = 十六进制 0x222
According to this list here, this means:
根据这里的列表,这意味着:
0x200 = normal account
0x020 = passwd_notreqd = password not required
0x002 = account disabled
So
所以
- a value of 544 (decimal) is
0x220hex and means: normal account, password not required - a value of 546 (decimal) is
0x222hex and means: normal account, disabled, password not required
- 值 544(十进制)是
0x220十六进制,表示:普通帐户,不需要密码 - 值 546(十进制)是
0x222十六进制,表示:普通帐户、禁用、不需要密码
回答by JamieSee
You can easily decode this by converting your result to an enum.
您可以通过将结果转换为枚举来轻松解码。
int userAccountControlValue = 544;
UserAccountControl userAccountControl = (UserAccountControl) userAccountControlValue;
// This gets a comma separated string of the flag names that apply.
string userAccountControlFlagNames = userAccountControl.ToString();
// This is how you test for an individual flag.
bool isNormalAccount = (userAccountControl & UserAccountControl.NORMAL_ACCOUNT) == UserAccountControl.NORMAL_ACCOUNT;
bool isAccountDisabled = (userAccountControl & UserAccountControl.ACCOUNTDISABLE) == UserAccountControl.ACCOUNTDISABLE;
bool isAccountLockedOut = (userAccountControl & UserAccountControl.LOCKOUT) == UserAccountControl.LOCKOUT;
Here's the enum definition that you want:
这是您想要的枚举定义:
/// <summary>
/// Flags that control the behavior of the user account.
/// </summary>
[Flags()]
public enum UserAccountControl : int
{
/// <summary>
/// The logon script is executed.
///</summary>
SCRIPT = 0x00000001,
/// <summary>
/// The user account is disabled.
///</summary>
ACCOUNTDISABLE = 0x00000002,
/// <summary>
/// The home directory is required.
///</summary>
HOMEDIR_REQUIRED = 0x00000008,
/// <summary>
/// The account is currently locked out.
///</summary>
LOCKOUT = 0x00000010,
/// <summary>
/// No password is required.
///</summary>
PASSWD_NOTREQD = 0x00000020,
/// <summary>
/// The user cannot change the password.
///</summary>
/// <remarks>
/// Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute.
/// For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
// </remarks>
PASSWD_CANT_CHANGE = 0x00000040,
/// <summary>
/// The user can send an encrypted password.
///</summary>
ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080,
/// <summary>
/// This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not
/// to any domain that trusts this domain. Also known as a local user account.
///</summary>
TEMP_DUPLICATE_ACCOUNT = 0x00000100,
/// <summary>
/// This is a default account type that represents a typical user.
///</summary>
NORMAL_ACCOUNT = 0x00000200,
/// <summary>
/// This is a permit to trust account for a system domain that trusts other domains.
///</summary>
INTERDOMAIN_TRUST_ACCOUNT = 0x00000800,
/// <summary>
/// This is a computer account for a computer that is a member of this domain.
///</summary>
WORKSTATION_TRUST_ACCOUNT = 0x00001000,
/// <summary>
/// This is a computer account for a system backup domain controller that is a member of this domain.
///</summary>
SERVER_TRUST_ACCOUNT = 0x00002000,
/// <summary>
/// Not used.
///</summary>
Unused1 = 0x00004000,
/// <summary>
/// Not used.
///</summary>
Unused2 = 0x00008000,
/// <summary>
/// The password for this account will never expire.
///</summary>
DONT_EXPIRE_PASSWD = 0x00010000,
/// <summary>
/// This is an MNS logon account.
///</summary>
MNS_LOGON_ACCOUNT = 0x00020000,
/// <summary>
/// The user must log on using a smart card.
///</summary>
SMARTCARD_REQUIRED = 0x00040000,
/// <summary>
/// The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service
/// can impersonate a client requesting the service.
///</summary>
TRUSTED_FOR_DELEGATION = 0x00080000,
/// <summary>
/// The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
///</summary>
NOT_DELEGATED = 0x00100000,
/// <summary>
/// Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
///</summary>
USE_DES_KEY_ONLY = 0x00200000,
/// <summary>
/// This account does not require Kerberos pre-authentication for logon.
///</summary>
DONT_REQUIRE_PREAUTH = 0x00400000,
/// <summary>
/// The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
///</summary>
PASSWORD_EXPIRED = 0x00800000,
/// <summary>
/// The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly
/// controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to
/// other remote servers on the network.
///</summary>
TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000,
/// <summary>
///
/// </summary>
PARTIAL_SECRETS_ACCOUNT = 0x04000000,
/// <summary>
///
/// </summary>
USE_AES_KEYS = 0x08000000
}
回答by Ken
Its a bitmap. Each bit in a word is either ON or OFF (0 or 1). Its not really a number its more like a row of switches, each one on or off. Operating systems use them internally because they can manipulate them very quickly by logically comparing them to bitmasks.
它的位图。一个字中的每一位要么是 ON 要么是 OFF(0 或 1)。它不是真正的数字,它更像是一排开关,每个开关都打开或关闭。操作系统在内部使用它们,因为它们可以通过将它们与位掩码进行逻辑比较来非常快速地操作它们。
The LDIF representation of the attribute can show the result as a decimal number (equivalent to the binary mumber that would be represented by the mask if it was a number - it isn't really!) And its pretty easy to decode, because basically its made by adding some powers of 2 together.
属性的 LDIF 表示可以将结果显示为十进制数(相当于如果是数字,则掩码将表示的二进制数字 - 它不是真的!)而且它很容易解码,因为基本上它的通过将一些 2 的幂相加而成。
For example:
例如:
512 = normal account
514 = 512 + 2 = normal account, disabled
546 = 512 + 32 + 2 = normal account, disabled, no password required
2080 = 2048 + 32 = Interdomain trust, no password required
66048 = 65536 + 512 = normal account. password never expires
66050 = 65536 + 512 + 2 = normal account. password never expires, disabled
66080 = 65536 + 512 + 32 = normal account. password never expires, no password required
