Reputation:
Using C#, how do you check if a computer account is disabled in active directory?
How do you check if a computer account is disabled in Active Directory using C#/.NET
Upvotes: 14
Views: 27730
Answers (8)
Reputation: 13030
You can easily decode the userAccountControl property by converting your result to an enum.
int userAccountControlValue = 544;
UserAccountControl userAccountControl = (UserAccountControl) userAccountControlValue;
// This gets a comma separated string of the flag names that apply.
string userAccountControlFlagNames = userAccountControl.ToString();
// This is how you test for an individual flag.
bool isNormalAccount = (userAccountControl & UserAccountControl.NORMAL_ACCOUNT) == UserAccountControl.NORMAL_ACCOUNT;
bool isAccountDisabled = (userAccountControl & UserAccountControl.ACCOUNTDISABLE) == UserAccountControl.ACCOUNTDISABLE;
bool isAccountLockedOut = (userAccountControl & UserAccountControl.LOCKOUT) == UserAccountControl.LOCKOUT;
You can also use it to build an LDAP filter:
// To get a user that is disabled.
string ldapFilter = string.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(userAccountControl:1.2.840.113556.1.4.803:={1:D}))", accountName, UserAccountControl.ACCOUNTDISABLE)
// To get a user that is not disabled.
string ldapFilter = string.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(!(userAccountControl:1.2.840.113556.1.4.803:={1:D})))", accountName, UserAccountControl.ACCOUNTDISABLE)
Also see Active Directory: LDAP Syntax Filters for examples of commonly useful Active Directory LDAP filters.
Here's the enum definition that you want:
/// <summary>
/// Flags that control the behavior of the user account.
/// </summary>
[Flags()]
public enum UserAccountControl : int
{
/// <summary>
/// The logon script is executed.
///</summary>
SCRIPT = 0x00000001,
/// <summary>
/// The user account is disabled.
///</summary>
ACCOUNTDISABLE = 0x00000002,
/// <summary>
/// The home directory is required.
///</summary>
HOMEDIR_REQUIRED = 0x00000008,
/// <summary>
/// The account is currently locked out.
///</summary>
LOCKOUT = 0x00000010,
/// <summary>
/// No password is required.
///</summary>
PASSWD_NOTREQD = 0x00000020,
/// <summary>
/// The user cannot change the password.
///</summary>
/// <remarks>
/// Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute.
/// For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
// </remarks>
PASSWD_CANT_CHANGE = 0x00000040,
/// <summary>
/// The user can send an encrypted password.
///</summary>
ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080,
/// <summary>
/// This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not
/// to any domain that trusts this domain. Also known as a local user account.
///</summary>
TEMP_DUPLICATE_ACCOUNT = 0x00000100,
/// <summary>
/// This is a default account type that represents a typical user.
///</summary>
NORMAL_ACCOUNT = 0x00000200,
/// <summary>
/// This is a permit to trust account for a system domain that trusts other domains.
///</summary>
INTERDOMAIN_TRUST_ACCOUNT = 0x00000800,
/// <summary>
/// This is a computer account for a computer that is a member of this domain.
///</summary>
WORKSTATION_TRUST_ACCOUNT = 0x00001000,
/// <summary>
/// This is a computer account for a system backup domain controller that is a member of this domain.
///</summary>
SERVER_TRUST_ACCOUNT = 0x00002000,
/// <summary>
/// Not used.
///</summary>
Unused1 = 0x00004000,
/// <summary>
/// Not used.
///</summary>
Unused2 = 0x00008000,
/// <summary>
/// The password for this account will never expire.
///</summary>
DONT_EXPIRE_PASSWD = 0x00010000,
/// <summary>
/// This is an MNS logon account.
///</summary>
MNS_LOGON_ACCOUNT = 0x00020000,
/// <summary>
/// The user must log on using a smart card.
///</summary>
SMARTCARD_REQUIRED = 0x00040000,
/// <summary>
/// The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service
/// can impersonate a client requesting the service.
///</summary>
TRUSTED_FOR_DELEGATION = 0x00080000,
/// <summary>
/// The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
///</summary>
NOT_DELEGATED = 0x00100000,
/// <summary>
/// Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
///</summary>
USE_DES_KEY_ONLY = 0x00200000,
/// <summary>
/// This account does not require Kerberos pre-authentication for logon.
///</summary>
DONT_REQUIRE_PREAUTH = 0x00400000,
/// <summary>
/// The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
///</summary>
PASSWORD_EXPIRED = 0x00800000,
/// <summary>
/// The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly
/// controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to
/// other remote servers on the network.
///</summary>
TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000,
/// <summary>
///
/// </summary>
PARTIAL_SECRETS_ACCOUNT = 0x04000000,
/// <summary>
///
/// </summary>
USE_AES_KEYS = 0x08000000
}
Upvotes: 1
Reputation: 1573
If you are using samAcountName or any other Identity field.. it is way simpler to use UserPrincipal.FindByIdentity method. And use the hybrid approach to Leandro López and Deepti. both their approaches are very good.. but very narrowly focused. More details on this flag is available on MSDN
Upvotes: 0
Reputation: 729
hey i got it finallyy :) here is my code hope it helps you
const int ADS_UF_ACCOUNTDISABLE = 0x00000002;
DirectoryEntry de = new DirectoryEntry();
de.Path = "LDAP://companyname.com";
DirectorySearcher objADSearcher = new DirectorySearcher(de);
de.AuthenticationType = AuthenticationTypes.Secure;
objADSearcher.SearchRoot = de;
objADSearcher.Filter = "(SAMAccountName=" + TextBox1.Text + ")";
SearchResult results = objADSearcher.FindOne();
if (results.ToString() !="")
{
int flags= Convert.ToInt32(results.Properties["userAccountControl"][0].ToString());
//for reference results.Properties["userAccountControl"][0].ToString().Equals("514");
if (Convert.ToBoolean(flags & ADS_UF_ACCOUNTDISABLE))
{
Response.Write("Account Disabled");
}
Upvotes: 2
Reputation: 987
Leandro López's answer is cool and works... the other option is we can do a LINQ for the userAccountControl with the values of disable and make those uses disabled
replie from userAccountControl are :
512 Enabled Account
514 Disabled Account
544 Enabled, Password Not Required
546 Disabled, Password Not Required
66048 Enabled, Password Doesn't Expire
66050 Disabled, Password Doesn't Expire
66080 Enabled, Password Doesn't Expire & Not Required
66082 Disabled, Password Doesn't Expire & Not Required
262656 Enabled, Smartcard Required
262658 Disabled, Smartcard Required
262688 Enabled, Smartcard Required, Password Not Required
262690 Disabled, Smartcard Required, Password Not Required
328192 Enabled, Smartcard Required, Password Doesn't Expire
328194 Disabled, Smartcard Required, Password Doesn't Expire
328224 Enabled, Smartcard Required, Password Doesn't Expire & Not Required
328226 Disabled, Smartcard Required, Password Doesn't Expire & Not Required
Upvotes: 4
Reputation: 332
If you are using .NET 3.5, you can use the new System.DirectoryServices.AccountManagment namespace methods to much more easily access Active Directory. The UserPrincipal object has an Enabled property that gives you what you are looking for.
There is a good overview of these routines in the January 2008 MSDN Magazine. You can read the article online here: Managing Directory Security Principals in the .NET Framework 3.5
Upvotes: 6
Reputation: 1810
Without checking bits, adding:
(userAccountControl:1.2.840.113556.1.4.803:=2)
to your filter should return only disabled users. Of course,
(!userAccountControl:1.2.840.113556.1.4.803:=2)
will ensure that users are not disabled if you'd prefer to go that route.
Upvotes: 3
Reputation: 2185
Try this:
class Program
{
static void Main(string[] args)
{
const string ldap = "LDAP://your-ldap-server-here";
using (DirectoryEntry conn = new DirectoryEntry(ldap))
{
using (DirectorySearcher searcher = new DirectorySearcher(conn))
{
searcher.Filter = "(|(samAccountName=userA)(samAccountName=userB))";
searcher.PropertiesToLoad.Add("samAccountName");
searcher.PropertiesToLoad.Add("userAccountControl");
using (SearchResultCollection results = searcher.FindAll())
{
foreach (SearchResult result in results)
{
int userAccountControl = Convert.ToInt32(result.Properties["userAccountControl"][0]);
string samAccountName = Convert.ToString(result.Properties["samAccountName"][0]);
bool disabled = ((userAccountControl & 2) > 0);
Console.WriteLine("{0} ({1:x}) :: {2}", samAccountName, userAccountControl, disabled);
}
}
}
}
Console.ReadLine();
}
}
The second bit of userAccountControl will be 1 if the account is disabled.
Upvotes: 26
Reputation: 17010
Try this entry:
http://www.codeproject.com/KB/system/everythingInAD.aspx#42
You will want to examine the User Account Control flags.
Upvotes: 7
Related Questions
- Disable User Account in Active Directory using C# Code
- querying LDAP - get account status (like disabled , active, etc.)
- How to get property (Account is disabled) in LDAP C#
- c# check if a windows account is locked out in a specific domain
- find if user account is enabled or disabled in AD
- How to check that windows account is disabled in C#?
- Active Directory (LDAP) - Check account locked out / Password expired
- Check if Active Directory Account is Locked out (WPF C#)
- Use C# to disable a computer in Active Directory
- How to check in C# if user account is active