Make sure the account you're using to disable the account has sufficient privileges to disable accounts. See this examplefrom Microsoft.

确保您用于禁用帐户的帐户具有足够的权限来禁用帐户。请参阅Microsoft 的此示例。

This will work once you have the directory entry object.

一旦您拥有目录条目对象，这将起作用。

DirectoryEntry de = result.GetDirectoryEntry();
int val = (int)de.Properties["userAccountControl"].Value;
de.Properties["userAccountControl"].Value = val | 0x0002;

This code will work to lock a user in AD

此代码将用于锁定 AD 中的用户

/// <summary>
/// Locks a user account
/// </summary>
/// <param name="userName">The name of the user whose account you want to unlock</param>
/// <remarks>
/// This actually trys to log the user in with a wrong password. 
/// This in turn will lock the user out
/// </remarks>
public void LockAccount(string userName)
{
    DirectoryEntry user = GetUser(userName);
    string path = user.Path;
    string badPassword = "SomeBadPassword";
    int maxLoginAttempts = 10;

    for (int i = 0; i &lt maxLoginAttempts; i++)
    {
        try
        {
            new DirectoryEntry(path, userName, badPassword).RefreshCache();
        }
        catch (Exception e)
        {

        }
    }
    user.Close();
}

Depending on your Active Directory policies, interactive login attempts may be required to lock an account. You can simulate those using the LogonUsermethod of advapi32.dll. In my tests, I have seen that running this loop 100 times does not guarantee 100 bad password attempts at the domain controller, so you should check the user is locked outand make more attempts if necessary.

根据您的 Active Directory 策略，可能需要尝试交互式登录才能锁定帐户。您可以使用LogonUseradvapi32.dll的方法模拟那些。在我的测试中，我已经看到运行这个循环 100 次并不能保证在域控制器上尝试 100 次错误的密码，因此您应该检查用户是否被锁定，并在必要时进行更多尝试。

The bottom line for this is that you should be disabling the account instead of trying to lock it. There is no functional difference between locked and disabled accounts. The code below is a hack.

这样做的底线是您应该禁用该帐户而不是尝试锁定它。有锁定并禁用帐户的功能没有差异。下面的代码是一个黑客。

using System;
using System.Runtime.InteropServices;

namespace Test
{
    class Program
    {
        static void Main(string[] args)
        {
            IntPtr token = IntPtr.Zero;
            string userPrincipalName = "[email protected]";
            string authority = null; // Can be null when using UPN (user principal name)
            string badPassword = "bad";

            int maxTries = 100;
            bool res = false;

            for (var i = 0; i < maxTries; i++)
            {
                res = LogonUser(userPrincipalName, authority, badPassword, LogonSessionType.Interactive, LogonProvider.Default, out token);
                CloseHandle(token);
            }
        }

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool LogonUser(
          string principal,
          string authority,
          string password,
          LogonSessionType logonType,
          LogonProvider logonProvider,
          out IntPtr token);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr handle);
        enum LogonSessionType : uint
        {
            Interactive = 2,
            Network,
            Batch,
            Service,
            NetworkCleartext = 8,
            NewCredentials
        }

        enum LogonProvider : uint
        {
            Default = 0, // default for platform (use this!)
            WinNT35,     // sends smoke signals to authority
            WinNT40,     // uses NTLM
            WinNT50      // negotiates Kerb or NTLM
        }
    }
}