Cannot find the Locked property in Active Directory (C#)

Question

First off I know there have been many posts on this topic however all of the information that I have found does not help in my situation. What is happening is that I cannot find where the property is for locking out a user in AD. I have used

link text

for everything else with AD and it has all worked however, the bit map the userAccountControl does not change if an account is locked out. Trying to access the lockoutTime returns an exception saying that it cannot find the property. The only thing that remotely works is the

user.InvokeGet("IsAccountLocked")

call, but it always returns false no matter the if the account is locked or not.

If anybody has any ideas it would be very helpful or a link that might help me out.

Thanks

Answer 1

If you're on .NET 2.0/3.0, you can use the following code, assuming you have an instance of a DirectoryEntry called user:

// get the "userAccountControl" property
int uac = Convert.ToInt32(user.Properties["userAccountControl"][0]);

const int ADS_UF_ACCOUNTDISABLE = 0x00000002;
const int ADS_UF_LOCKOUT = 0x00000010;

bool accountIsDisabled = (uac & ADS_UF_ACCOUNTDISABLE) == ADS_UF_ACCOUNTDISABLE;
bool accountIsLockedOut = (uac & ADS_UF_LOCKOUT) == ADS_UF_LOCKOUT;

Marc

Answer 2

If you are using .NET 3.5 you should use the UserPrincipal class in the System.DirectoryServices.AccountManagement namespace. This class has an IsAccountLockedOut() method as well as a property to get the AccountLockOutTime.

using (var context = new PrincipalContext( ContextType.Domain ))
{
     using (var user = UserPrincipal.FindByIdentity( context,
                                                     IdentityType.SamAccountName,
                                                     name ))
     {
          if (user.IsAccountLockedOut())
          {
              ... your code here...
          }
     }
}