Active Directory LDAP - Locking a user account
Problem description:
What is the best way to lock an Active Directory user object using System.DirectoryServices.AccountManagement? I can determine whether an account is locked out using...
    UserPrincipal principal = new UserPrincipal(context);
    bool locked = principal.IsAccountLockedOut();
How do I lock an account? Is there an alternative to doing something like this...
    UserPrincipal principal = new UserPrincipal(context);
    DirectoryEntry entry = (DirectoryEntry)principal.GetUnderlyingObject();
    int val = (int)entry.Properties["userAccountControl"].Value;
    // 0x0010 is the LOCKOUT bit of userAccountControl
    entry.Properties["userAccountControl"].Value = val | 0x0010;
    entry.CommitChanges();
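Answer
The lockout property is read-only by definition, and here is why:
The property is defined along these lines: "automatically lock the user account when an invalid password is supplied several times" (how many times? I guess this is set in a GPO).
Giving developers a way to change this property would conflict with the definition above... so you should not set this value, and I think the AD security mechanism will prevent you from doing so.
However, you can enable\disable the user, which I think is closer to what you want.
Hope this helps.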
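The enable/disable route this answer points to, as an added example that is not part of the original answer. It assumes a domain-joined machine and a caller with rights to modify the user; the class name `AccountAccess` and its method names are hypothetical.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class AccountAccess
{
    // Looks up a user by sAMAccountName in the current domain; throws if not found.
    private static UserPrincipal Find(PrincipalContext context, string samAccountName)
    {
        UserPrincipal user = UserPrincipal.FindByIdentity(
            context, IdentityType.SamAccountName, samAccountName);
        if (user == null)
            throw new ArgumentException("No such user: " + samAccountName);
        return user;
    }

    // Administrative block: sets or clears the "account disabled" state.
    // Unlike lockout, this state is writable and does not expire on its own.
    public static void SetEnabled(string samAccountName, bool enabled)
    {
        using (var context = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user = Find(context, samAccountName))
        {
            user.Enabled = enabled;
            user.Save(); // persist the change to the directory
        }
    }

    // Reports the two states separately: lockout is set by the domain after
    // bad passwords, disabled is set by an administrator.
    public static string Describe(string samAccountName)
    {
        using (var context = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user = Find(context, samAccountName))
        {
            return string.Format("{0}: enabled={1}, lockedOut={2}, lockoutTime={3}",
                user.SamAccountName, user.Enabled,
                user.IsAccountLockedOut(), user.AccountLockoutTime);
        }
    }

    // Clears an existing lockout; there is no matching call that sets one.
    public static void Unlock(string samAccountName)
    {
        using (var context = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user = Find(context, samAccountName))
        {
            if (user.IsAccountLockedOut())
                user.UnlockAccount();
        }
    }
}
```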
Answer
CodeProject's Everything AD article has some sample code on unlocking an account. I'm not sure whether this gives you the property you are looking for.
    public void Unlock(string userDn)
    {
        try
        {
            DirectoryEntry uEntry = new DirectoryEntry(userDn);
            uEntry.Properties["LockOutTime"].Value = 0; //unlock account
            uEntry.CommitChanges(); //may not be needed but adding it anyways
            uEntry.Close();
        }
        catch (System.DirectoryServices.DirectoryServicesCOMException E)
        {
            //DoSomethingWith --> E.Message.ToString();
        }
    }
Answer
This code will work to lock a user in AD
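    /// <summary>
    /// Locks a user account
    /// </summary>
    /// <param name="userName">The name of the user whose account you want to lock</param>
    /// <remarks>
    /// This actually tries to log the user in with a wrong password.
    /// This in turn will lock the user out
    /// </remarks>
    public void LockAccount(string userName)
    {
        // GetUser is the poster's helper (not shown) that returns the user's DirectoryEntry
        DirectoryEntry user = GetUser(userName);
        string path = user.Path;
        string badPassword = "SomeBadPassword";
        int maxLoginAttempts = 10;
        for (int i = 0; i < maxLoginAttempts; i++)
        {
            try
            {
                // Each bind with the wrong password counts as a failed logon
                new DirectoryEntry(path, userName, badPassword).RefreshCache();
            }
            catch (Exception)
            {
                // Expected: the bind fails because the password is wrong
            }
        }
        user.Close();
    }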
Answer
Here is my answer, a good example of how we can get a user's lock status.
entryPC is a DirectoryEntry object, to which we pass the Active Directory entry path
    public bool IsLocked(DirectoryEntry entryPC)
    {
        if (entryPC.NativeGuid == null)
        {
            return false;
        }
        // Bit 0x0010 of UserFlags is the lockout flag
        int flags = (int)entryPC.Properties["UserFlags"].Value;
        return (flags & 0x0010) != 0;
    }