find if user account is enabled or disabled in AD


I need to find if user account is enabled or disabled in AD.

I can't find the flag or property "userAccountControl" on the principal object. Can this be done through the UserPrincipal class?


    I have not tested this answer, but I believe it should work.

    1) Get directory entry object using -

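    // Look up the existing user instead of constructing one: new UserPrincipal(ctx2) is an
    // unsaved, empty principal with no directory object behind it, so there is nothing to
    // read userAccountControl from. FindByIdentity returns null when no match exists.
    UserPrincipal user = UserPrincipal.FindByIdentity(ctx2, "vikas");
    var dirEntry = user == null ? null : (DirectoryEntry)user.GetUnderlyingObject();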
    

    2) Then check for account disable status by -

    bool status = IsAccountDisabled(dirEntry); // true when the ACCOUNTDISABLE bit is set
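    /// <summary>
    /// Reports whether the ACCOUNTDISABLE bit (0x2) is set in the user's
    /// <c>userAccountControl</c> attribute.
    /// </summary>
    /// <param name="user">A bound <see cref="DirectoryEntry"/> for the user object.</param>
    /// <returns><c>true</c> if the account is disabled; <c>false</c> if it is enabled.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    /// <exception cref="InvalidOperationException">
    /// The attribute is absent or not readable by the calling identity.
    /// </exception>
    /// <remarks>
    /// Only the disabled bit is checked. Lockout, account expiry and password state are
    /// separate conditions, so "not disabled" does not mean "can log on".
    /// </remarks>
    public static bool IsAccountDisabled(DirectoryEntry user)
    {
        if (user == null)
        {
            throw new ArgumentNullException("user");
        }

        const string uac = "userAccountControl";

        // Properties[name] yields an (possibly empty) collection, never null, so only
        // Value needs to be checked. Touching Properties binds the entry; a bind failure
        // is expected to surface as a DirectoryServices exception rather than a silent default.
        object raw = user.Properties[uac].Value;
        if (raw == null)
        {
            // Fail closed: an attribute the caller cannot read must not be reported
            // as "enabled". The original returned false here, which silently treated
            // unreadable accounts as enabled.
            throw new InvalidOperationException(
                "Cannot read userAccountControl for '" + user.Path + "'.");
        }

        // The attribute is a 32-bit integer; the cast unboxes it straight into the enum.
        var flags = (UserFlags)raw;
        return (flags & UserFlags.AccountDisabled) == UserFlags.AccountDisabled;
    }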
    

    3) Here is the enum UserFlags -

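    /// <summary>
    /// Bit flags of the Active Directory <c>userAccountControl</c> attribute.
    /// </summary>
    /// <remarks>
    /// Values follow chapter 10 of "The .NET Developer's Guide to Directory Services
    /// Programming". Gaps in the bit sequence are bits this table does not assign.
    /// </remarks>
    [Flags]
    public enum UserFlags
    {
        /// <summary>No bits set; lets callers express "no flags" without a cast.</summary>
        None = 0,
        Script = 0x1,
        AccountDisabled = 0x2,
        HomeDirectoryRequired = 0x8,
        // NOTE(review): AD generally does not store lockout state in this attribute (it is
        // exposed through msDS-User-Account-Control-Computed / lockoutTime); do not rely on
        // this bit being set for a locked-out account — confirm against your directory.
        AccountLockedOut = 0x10,
        // Security: an account with this bit may have an empty password.
        PasswordNotRequired = 0x20,
        PasswordCannotChange = 0x40,
        EncryptedTextPasswordAllowed = 0x80,
        TempDuplicateAccount = 0x100,
        NormalAccount = 0x200,
        InterDomainTrustAccount = 0x800,
        WorkstationTrustAccount = 0x1000,
        ServerTrustAccount = 0x2000,
        // The commonly seen 66048 (0x10200) is NormalAccount | PasswordDoesNotExpire, not a distinct value.
        PasswordDoesNotExpire = 0x10000,
        MnsLogonAccount = 0x20000,
        SmartCardRequired = 0x40000,
        // Security: unconstrained Kerberos delegation; accounts carrying this bit deserve review.
        TrustedForDelegation = 0x80000,
        AccountNotDelegated = 0x100000,
        // Security: limits the account to DES Kerberos keys (weak cryptography).
        UseDesKeyOnly = 0x200000,
        // Security: disables Kerberos pre-authentication (exposes the account to AS-REP roasting).
        DontRequirePreauth = 0x400000,
        // NOTE(review): as with lockout, password expiry is reported via
        // msDS-User-Account-Control-Computed on 2003 and later; the stored bit is Windows 2000-era.
        PasswordExpired = 0x800000,
        TrustedToAuthenticateForDelegation = 0x1000000,
        NoAuthDataRequired = 0x2000000
    }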
    

    Update

    Here is the full code, which I tested against AD; it worked fine in my testing.

    using System;
    using System.DirectoryServices;
    using System.DirectoryServices.AccountManagement;
    
    namespace DisableUsers
    {
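    /// <summary>
    /// Sample: looks up one user by sAMAccountName and prints whether the account is disabled.
    /// </summary>
    internal class Program
    {
        private static void Main()
        {
            const string sAMAccountName = "vikas"; // The sAMAccountName of AD user

            // Bind as the identity of the running process instead of embedding an
            // administrator's user name and password in source. This sample only reads
            // one attribute, so it does not need an administrative account.
            using (var principalContext = new PrincipalContext(ContextType.Domain, "domainNameHere"))
            {
                // Name the identity type explicitly: the two-argument overload matches the
                // value against any IdentityType (DN, UPN, SID, GUID, ...), which is
                // ambiguous for a value that is meant to be an sAMAccountName.
                using (var userPrincipal = UserPrincipal.FindByIdentity(principalContext, IdentityType.SamAccountName, sAMAccountName))
                {
                    if (userPrincipal == null)
                    {
                        Console.WriteLine("No user found for sAMAccountName '{0}'.", sAMAccountName);
                    }
                    else
                    {
                        // A direct cast fails loudly if the underlying object is not a
                        // DirectoryEntry, instead of passing null on to IsAccountDisabled.
                        var dirEntry = (DirectoryEntry)userPrincipal.GetUnderlyingObject();
                        var status = IsAccountDisabled(dirEntry);
                        Console.WriteLine(status ? "Account {0} is disabled." : "Account {0} is enabled.", sAMAccountName);
                    }
                }
            }

            Console.ReadLine();
        }

        /// <summary>
        /// Reports whether the ACCOUNTDISABLE bit (0x2) is set in the user's
        /// <c>userAccountControl</c> attribute.
        /// </summary>
        /// <param name="user">A bound <see cref="DirectoryEntry"/> for the user object.</param>
        /// <returns><c>true</c> if the account is disabled; <c>false</c> if it is enabled.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
        /// <exception cref="InvalidOperationException">
        /// The attribute is absent or not readable by the calling identity.
        /// </exception>
        /// <remarks>
        /// Only the disabled bit is checked. Lockout, account expiry and password state are
        /// separate conditions, so "not disabled" does not mean "can log on".
        /// </remarks>
        public static bool IsAccountDisabled(DirectoryEntry user)
        {
            if (user == null)
            {
                throw new ArgumentNullException("user");
            }

            const string uac = "userAccountControl";

            // Properties[name] yields a (possibly empty) collection, never null, so only
            // Value needs to be checked. Touching Properties binds the entry; a bind failure
            // is expected to surface as a DirectoryServices exception rather than a silent default.
            object raw = user.Properties[uac].Value;
            if (raw == null)
            {
                // Fail closed: an attribute the caller cannot read must not be reported
                // as "enabled". Returning false here would silently treat every
                // unreadable account as enabled.
                throw new InvalidOperationException(
                    "Cannot read userAccountControl for '" + user.Path + "'.");
            }

            // The attribute is a 32-bit integer; the cast unboxes it straight into the enum.
            var flags = (UserFlags)raw;
            return flags.Contains(UserFlags.AccountDisabled);
        }
    }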
    
    /// <summary>
    /// Bit-test helpers for <see cref="UserFlags"/>.
    /// </summary>
    public static class UserFlagExtensions
    {
        /// <summary>
        /// Returns whether every bit of <paramref name="needle"/> is set in <paramref name="haystack"/>.
        /// Equivalent to <c>Enum.HasFlag</c>; on older runtimes HasFlag boxes its argument, which this avoids.
        /// </summary>
        /// <param name="haystack">The flag set being inspected.</param>
        /// <param name="needle">The flag, or combination of flags, to look for.</param>
        /// <returns><c>true</c> when all bits of <paramref name="needle"/> are present in <paramref name="haystack"/>.</returns>
        public static bool Contains(this UserFlags haystack, UserFlags needle)
        {
            UserFlags common = haystack & needle;
            return common == needle;
        }
    }
    
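    /// <summary>
    /// Bit flags of the Active Directory <c>userAccountControl</c> attribute.
    /// </summary>
    /// <remarks>
    /// Gaps in the bit sequence are bits this table does not assign.
    /// </remarks>
    [Flags]
    public enum UserFlags
    {
        /// <summary>No bits set; lets callers express "no flags" without a cast.</summary>
        None = 0,
        Script = 0x1,
        AccountDisabled = 0x2,
        HomeDirectoryRequired = 0x8,
        // NOTE(review): AD generally does not store lockout state in this attribute (it is
        // exposed through msDS-User-Account-Control-Computed / lockoutTime); do not rely on
        // this bit being set for a locked-out account — confirm against your directory.
        AccountLockedOut = 0x10,
        // Security: an account with this bit may have an empty password.
        PasswordNotRequired = 0x20,
        PasswordCannotChange = 0x40,
        EncryptedTextPasswordAllowed = 0x80,
        TempDuplicateAccount = 0x100,
        NormalAccount = 0x200,
        InterDomainTrustAccount = 0x800,
        WorkstationTrustAccount = 0x1000,
        ServerTrustAccount = 0x2000,
        // The commonly seen 66048 (0x10200) is NormalAccount | PasswordDoesNotExpire, not a distinct value.
        PasswordDoesNotExpire = 0x10000,
        MnsLogonAccount = 0x20000,
        SmartCardRequired = 0x40000,
        // Security: unconstrained Kerberos delegation; accounts carrying this bit deserve review.
        TrustedForDelegation = 0x80000,
        AccountNotDelegated = 0x100000,
        // Security: limits the account to DES Kerberos keys (weak cryptography).
        UseDesKeyOnly = 0x200000,
        // Security: disables Kerberos pre-authentication (exposes the account to AS-REP roasting).
        DontRequirePreauth = 0x400000,
        // NOTE(review): as with lockout, password expiry is reported via
        // msDS-User-Account-Control-Computed on 2003 and later; the stored bit is Windows 2000-era.
        PasswordExpired = 0x800000,
        TrustedToAuthenticateForDelegation = 0x1000000,
        NoAuthDataRequired = 0x2000000
    }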
    }
    
