ADSI Account Lockout

Thread starter: Arran Pearce
Start date: Thu, 23 Oct 2003

Arran Pearce

Hi,

I am looking for a way to use System.DirectoryServices to find all users on
a domain whose accounts are either locked out or disabled. I have used
ADSIEdit and the MMC schema add-in to try and find properties for these
things but have not had any luck so far. I also did a search of the
Platform SDK docs. It has examples in VB and C++, but these are not using
.NET and don't give any hint of a property that may be used. They seem to
call a method directly on an object, and I am sure that method is not
available as part of the DirectoryEntry class.

I have a feeling I may need to do an Invoke (as you do when you reset a user's
password from .NET). If I do have to do this, then how can I do a search of
all users in a domain?

I would also like to be able to enable or disable an account from my
application (this is Account Lockout and Account Disabled).

Thanks for any help anyone can offer.

Arran
 
When you have your DirectoryEntry for a user (i.e. deUser), check the
userAccountControl flag property:

deUser.Properties["userAccountControl"].Value

If the account is locked due to expiration you may want to check

deUser.Properties["accountExpires"].Value
 
Hi Arran,

Just as Peter said, you should use the userAccountControl property.
For locked-out and disabled accounts, you should refer to the ADS_UF_LOCKOUT and
ADS_UF_ACCOUNTDISABLE flags, which are defined in the ADS_USER_FLAG_ENUM enum.
Please refer to ADS_USER_FLAG_ENUM at the link below:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/ads_user_flag_enum.asp

You can also find a small sample of how to enable and disable a user account:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/netds/enabling_and_disabling_the_user_account.asp

If you still have any questions, please feel free to let me know.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

--------------------
| From: "Arran Pearce" <[email protected]>
| Subject: ADSI Account Lockout
| Date: Thu, 23 Oct 2003 19:58:59 +0100
| Lines: 23
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <#[email protected]>
| Newsgroups: microsoft.public.dotnet.languages.csharp
| NNTP-Posting-Host: host213-122-124-127.in-addr.btopenworld.com
213.122.124.127
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.languages.csharp:193614
| X-Tomcat-NG: microsoft.public.dotnet.languages.csharp
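A way to do the search Arran asks about, as an added example that is not part of the thread and not the MSDN sample Jeffrey links. It is Python rather than C# so that it runs offline on constructed records shaped like LDAP search results; the two filter strings are what you would assign to DirectorySearcher.Filter or hand to any LDAP client. The flag values come from ADS_USER_FLAG_ENUM and the extensible-match OID is LDAP_MATCHING_RULE_BIT_AND. One caveat a practitioner needs before filtering on ADS_UF_LOCKOUT: Active Directory does not keep that bit in the stored userAccountControl attribute (it is only surfaced through the constructed attribute msDS-User-Account-Control-Computed), so the lockout side of the search uses lockoutTime and ages it against the domain's lockout duration, which the example takes as a parameter. The sample records, the clock value and the 30-minute duration are all constructed.

```python
"""Find disabled and locked-out accounts from userAccountControl and
lockoutTime. Added example (not from the thread); standard library only,
runs offline on constructed records shaped like LDAP search results."""
from datetime import datetime, timedelta, timezone

# Bits from ADS_USER_FLAG_ENUM.
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_LOCKOUT = 0x0010

# LDAP_MATCHING_RULE_BIT_AND: "(attr:<OID>:=<mask>)" matches when attr & mask == mask.
BIT_AND = "1.2.840.113556.1.4.803"
USER_CLASS = "(objectCategory=person)(objectClass=user)"

# FILETIME: 100-ns intervals since 1601-01-01 UTC (lockoutTime, accountExpires, ...).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def disabled_users_filter() -> str:
    """Server-side filter for user objects with ADS_UF_ACCOUNTDISABLE set."""
    return f"(&{USER_CLASS}(userAccountControl:{BIT_AND}:={ADS_UF_ACCOUNTDISABLE}))"


def lockout_candidates_filter() -> str:
    """Server-side filter for accounts with a recorded lockout.

    Filtering on userAccountControl & ADS_UF_LOCKOUT does not work against
    Active Directory: the stored attribute does not carry that bit. The
    directory records lockoutTime instead (0 = not locked, or unlocked), and
    a lockout older than the domain lockout duration is no longer in effect
    even though lockoutTime is still set, so age the results client-side.
    """
    return f"(&{USER_CLASS}(lockoutTime>=1))"


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def is_disabled(record: dict) -> bool:
    return bool(int(record["userAccountControl"]) & ADS_UF_ACCOUNTDISABLE)


def is_locked_out(record: dict, lockout_duration: timedelta, now: datetime) -> bool:
    """A lockout is in effect only if recorded and younger than lockout_duration."""
    lockout_time = int(record.get("lockoutTime", 0))
    if lockout_time == 0:
        return False
    return now - filetime_to_datetime(lockout_time) < lockout_duration


def classify(records, lockout_duration: timedelta, now: datetime):
    """Return (disabled, locked_out) lists of sAMAccountName, in input order."""
    disabled = [r["sAMAccountName"] for r in records if is_disabled(r)]
    locked = [r["sAMAccountName"] for r in records
              if is_locked_out(r, lockout_duration, now)]
    return disabled, locked


# --- constructed sample data (not real directory output) -------------------
NOW = datetime(2003, 10, 25, 12, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = timedelta(minutes=30)   # assumed domain lockoutDuration

SAMPLE_RECORDS = [
    # 0x200 = ADS_UF_NORMAL_ACCOUNT
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "lockoutTime": 0},
    {"sAMAccountName": "bob",   "userAccountControl": 0x202, "lockoutTime": 0},
    {"sAMAccountName": "carol", "userAccountControl": 0x200,
     "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=10))},
    {"sAMAccountName": "dave",  "userAccountControl": 0x200,
     "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))},  # aged out
    # 0x10202 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | ACCOUNTDISABLE
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x10202, "lockoutTime": 0},
]


def demo():
    return classify(SAMPLE_RECORDS, LOCKOUT_DURATION, NOW)


if __name__ == "__main__":
    disabled, locked = demo()
    print("filter (disabled):", disabled_users_filter())
    print("filter (lockout) :", lockout_candidates_filter())
    print("disabled:", disabled)
    print("locked out:", locked)
```

Against a live directory you would run the two filters through DirectorySearcher (or ldapsearch) with lockoutTime and userAccountControl in PropertiesToLoad, then pass the results to classify with the domain's real lockoutDuration.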
 
Thanks for all your help.


 
Hi Arran,

If you still have anything unclear, please feel free to tell me.
Have a nice weekend.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 
In the example for enable or disable the account it has this:

int val = (int) usr.Properties["userAccountControl"].Value;
usr.Properties["userAccountControl"].Value = val | ADS_UF_ACCOUNTDISABLE;

and

int val = (int) usr.Properties["userAccountControl"].Value;
usr.Properties["userAccountControl"].Value = val & ~ADS_UF_ACCOUNTDISABLE;

What is happening with the "val | ADS_UF_ACCOUNTDISABLE" and "val &
~ADS_UF_ACCOUNTDISABLE"?



 
"Jeffrey Tan[MSFT]" wrote:

Hi Jeffrey,
> If you still have anything unclear, please feel free to tell me.
> Have a nice weekend.

Although I've already worked a lot with DirectoryServices, I have a question
about account expiration.

In the Platform SDK I've learned that AccountExpires is disabled if it has
the value -1, or a DateTime value if enabled. That's fine with C++. But
with DirectoryServices I get a DateTime property and I can't set the value
to -1.

How can I disable AccountExpires without falling back to unmanaged code,
COM Interop or P/Invoke calls?
 
Hi Peter,

In .NET, when you use DirectoryEntry to disable AccountExpires, I think you
can just set its value to -1; there is no need to convert -1 to a DateTime object,
because the Value of a PropertyValueCollection is just an object.

Something like this:
DirectoryEntry usr = new DirectoryEntry("LDAP://CN=Jeff smith, OU=Sales, DC=Fabrikam, DC=Com");
DateTime dt = (DateTime) usr.Properties["AccountExpires"].Value;
usr.Properties["AccountExpires"].Value = -1;
usr.CommitChanges();

Anything wrong with doing this?

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 
Hi Arran,

~, |, & are the bitwise operators of the C# language.
You can find ADS_UF_ACCOUNTDISABLE in ADS_USER_FLAG_ENUM:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/ads_user_flag_enum.asp
where ADS_UF_ACCOUNTDISABLE = 0x0002.

0x0002's binary expression is 0000,0000,0000,0010, so ~0x0002 is
1111,1111,1111,1101.
val & ~ADS_UF_ACCOUNTDISABLE equals val & 1111,1111,1111,1101, which keeps all
the other bits at the same value as before; only the second bit becomes 0.
Then, when you invoke CommitChanges(), the .NET Framework will check the second bit of
the userAccountControl property, and 0 means enabled.

Likewise, val | ADS_UF_ACCOUNTDISABLE equals val | 0000,0000,0000,0010, which
keeps all bits the same; the second bit becomes 1.
This disables the user account.

Hope I explained it clearly.
If anything is still unclear, please feel free to tell me.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

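The read-modify-write that Jeffrey explains above, as an added example that is not from the thread or the MSDN sample it discusses. It is Python so it runs offline, with the directory write stood in by an in-memory dict in place of DirectoryEntry and CommitChanges(). It shows why the sample ORs and AND-NOTs against the current value instead of assigning a literal: writing 0x202 to disable a service account that carries DONT_EXPIRE_PASSWD or SMARTCARD_REQUIRED would silently clear those bits, and clearing security-relevant bits is exactly what an audit log should catch, so the helper also reports which flags changed. The flag values are a subset of ADS_USER_FLAG_ENUM; the sample account is constructed.

```python
"""userAccountControl as a bit field: decode, toggle one flag, and report
what changed. Added example (not from the thread); standard library only."""

# Subset of ADS_USER_FLAG_ENUM (values from the ADSI documentation).
UAC_FLAGS = {
    "ADS_UF_SCRIPT": 0x0001,
    "ADS_UF_ACCOUNTDISABLE": 0x0002,
    "ADS_UF_LOCKOUT": 0x0010,
    "ADS_UF_PASSWD_NOTREQD": 0x0020,
    "ADS_UF_NORMAL_ACCOUNT": 0x0200,
    "ADS_UF_DONT_EXPIRE_PASSWD": 0x10000,
    "ADS_UF_SMARTCARD_REQUIRED": 0x40000,
    "ADS_UF_TRUSTED_FOR_DELEGATION": 0x80000,
    "ADS_UF_NOT_DELEGATED": 0x100000,
    "ADS_UF_DONT_REQUIRE_PREAUTH": 0x400000,
}
ADS_UF_ACCOUNTDISABLE = UAC_FLAGS["ADS_UF_ACCOUNTDISABLE"]
UAC_MASK = 0xFFFFFFFF  # the attribute is a 32-bit integer


def decode(uac: int) -> list:
    """Names of the known flags set in uac, lowest bit first."""
    return [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
            if uac & bit]


def disable(uac: int) -> int:
    """val | ADS_UF_ACCOUNTDISABLE: sets bit 1, leaves every other bit alone."""
    return uac | ADS_UF_ACCOUNTDISABLE


def enable(uac: int) -> int:
    """val & ~ADS_UF_ACCOUNTDISABLE: clears bit 1, leaves every other bit alone.
    The mask keeps the complement at 32 bits, since Python ints are unbounded
    (C#'s int is already 32-bit, so the sample needs no mask)."""
    return uac & (~ADS_UF_ACCOUNTDISABLE & UAC_MASK)


def changed_flags(before: int, after: int) -> dict:
    """Flags whose state differs, as {name: 'set' | 'cleared'} (known bits only)."""
    delta = before ^ after
    return {name: ("set" if after & bit else "cleared")
            for name, bit in UAC_FLAGS.items() if delta & bit}


def set_account_disabled(entry: dict, disabled: bool) -> dict:
    """Read-modify-write against an in-memory stand-in for the DirectoryEntry.
    Returns the flag changes so the caller can log them."""
    before = int(entry["userAccountControl"])
    after = disable(before) if disabled else enable(before)
    entry["userAccountControl"] = after      # stands in for CommitChanges()
    return changed_flags(before, after)


def naive_disable(entry: dict) -> dict:
    """What the sample avoids: writing a literal instead of modifying the current value."""
    before = int(entry["userAccountControl"])
    entry["userAccountControl"] = 0x0202     # NORMAL_ACCOUNT | ACCOUNTDISABLE only
    return changed_flags(before, entry["userAccountControl"])


# Constructed sample: a service account that must keep its existing hardening.
SERVICE_ACCOUNT = {
    "sAMAccountName": "svc-backup",
    "userAccountControl": 0x10200 | 0x40000,  # NORMAL | DONT_EXPIRE_PASSWD | SMARTCARD_REQUIRED
}


if __name__ == "__main__":
    acct = dict(SERVICE_ACCOUNT)
    print("before :", decode(acct["userAccountControl"]))
    print("disable:", set_account_disabled(acct, True))
    print("enable :", set_account_disabled(acct, False))
    print("naive  :", naive_disable(dict(SERVICE_ACCOUNT)))
```

The dict returned by changed_flags is the line you would want in an audit log for every write to userAccountControl, whether the write came from your own tool or from a reviewing a directory change feed: a disable that also reports "ADS_UF_SMARTCARD_REQUIRED: cleared" is a regression, not an enable/disable.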
 
"Jeffrey Tan[MSFT]" wrote:
> In .NET, when you use DirectoryEntry to disable AccountExpires, I
> think you can just set its value to -1, no need to convert -1 to
> DateTime object. Because, the Value of PropertyValueCollection is just
> a object.
>
> Something like this:
> DirectoryEntry usr = new DirectoryEntry("LDAP://CN=Jeff smith,
> OU=Sales, DC=Fabrikam, DC=Com")
> DateTime dt = (DateTime) usr.Properties["AccountExpires"].Value;
> usr.Properties["AccountExpires"].Value = -1;
> usr.CommitChanges();
>
> Anything wrong with doing this?

Yes, there is a lot wrong with this:

1) .NET can't convert -1 to DateTime. There is no suitable conversion.
2) DirectoryServices is implemented as an RCW on top of ADSI. In the
wrapper it tests for types. I can't assign a value of -1 to a DateTime
property.

The only way I could achieve this behaviour was by calling the ADSI interfaces
directly.

I think there are a few serious design flaws in the DirectoryServices
object model. And it is very inconvenient that there is absolutely no
working .NET equivalent for ADSI stuff like IUser, IComputer.

Now with Win2k3 it would be time to bring a truly managed AD
interface, don't you think so?


--
------ooo---OOO---ooo------

Peter Koen - www.kema.at
MCAD CAI/RS CASE/RS IAT

------ooo---OOO---ooo------
 
Yeah, I think I get it.

Will give it a try ASAP.

Again, many thanks for your help.

 
Jeffrey,
Anything wrong with doing this?
Yes,
- usr.Properties["AccountExpires"].Value doesn't contain a DateTime reference but a COM interface pointer to a LargeInteger object
(two 32-bit entities).
- the LargeInteger value returned contains a date in FILETIME format, not DateTime format, so you need to convert it.
- (-1) is indeed an invalid DateTime value but it's not invalid as a FILETIME value, so you need to take care when reading the
property and only convert to DateTime when it contains a valid DateTime date.
Herewith is a sample of how to set the "account never expires" property; it also shows you how to display a date from this property.
Willy.




using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using activedsnet;   // interop assembly generated from activeds.tlb, see the tlbimp note at the end

class Tester
{
    // accountExpires is a 64-bit FILETIME-style interval. AD documents 0 and 0x7FFFFFFFFFFFFFFF as
    // "never expires"; the ADSI samples write -1 (HighPart = LowPart = -1) for the same purpose.
    const long NeverExpiresZero = 0L;
    const long NeverExpiresMax = 0x7FFFFFFFFFFFFFFFL;

    public static void Main()
    {
        LargeInteger li = null;
        using (DirectoryEntry root = new DirectoryEntry("LDAP://Somehost/CN=Users,DC=xxx,DC=yyy,DC=zzz"))
        using (DirectorySearcher mySearcher = new DirectorySearcher(root))
        {
            mySearcher.Filter = "(samAccountName=denoyette)";
            mySearcher.PropertiesToLoad.Add("samAccountName");
            mySearcher.PropertiesToLoad.Add("accountExpires");
            SearchResult myResult = mySearcher.FindOne();
            if (myResult == null)
            {
                Console.WriteLine("user not found");
                return;
            }
            // Bind to the user object the search returned
            using (DirectoryEntry userAccount = myResult.GetDirectoryEntry())
            {
                PropertyCollection pcoll = userAccount.Properties;
                // The PropertyValueCollection contains a COM interface pointer (IADsLargeInteger), not a DateTime
                object raw = pcoll["accountExpires"].Value;
                if (!Marshal.IsComObject(raw))
                    throw new InvalidOperationException("accountExpires did not come back as a COM LargeInteger");
                // Cast it to the right type
                li = (LargeInteger)raw;
                // Assemble the 64-bit value; mask LowPart so a negative int is not sign-extended into the high half
                long date = ((long)li.HighPart << 32) | ((long)li.LowPart & 0xFFFFFFFFL);
                if (date == -1L || date == NeverExpiresZero || date == NeverExpiresMax)
                {
                    Console.WriteLine("Account never expires");
                }
                else
                {
                    // Valid date: convert to DateTime format
                    // Note that this date is one day later than the date displayed in the Directory Users and Computers MMC
                    Console.WriteLine("DATE = {0}", DateTime.FromFileTime(date));
                }

                // Now set "account never expires"
                li.HighPart = -1;
                li.LowPart = -1;
                pcoll["accountExpires"].Value = li;
                userAccount.CommitChanges();
            }
        }
        if (li != null)
            Marshal.ReleaseComObject(li);
    }
}
// Use tlbimp to create the interop assembly activedsnet.dll (or whatever name you choose) from activeds.tlb;
// the /namespace switch puts the generated types in the namespace referenced by the "using" above:
//   tlbimp activeds.tlb /out:activedsnet.dll /namespace:activedsnet
// Compile with : csc /r:activedsnet.dll ad3c.cs

Willy.

"Jeffrey Tan[MSFT]" said:
Hi Peter,

In .Net, when you use DirectoryEntry to disable AccountExpires, I think you
can just set its value to -1, no need to convert -1 to a DateTime object,
because the Value of PropertyValueCollection is just an object.

Something like this:
DirectoryEntry usr = new DirectoryEntry("LDAP://CN=Jeff smith,OU=Sales,DC=Fabrikam,DC=Com");
DateTime dt = (DateTime) usr.Properties["AccountExpires"].Value;
usr.Properties["AccountExpires"].Value = -1;
usr.CommitChanges();

Anything wrong with doing this?

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

| "Jeffrey Tan[MSFT]" wrote:
|
| Hi Jeffrey,
|
| > If you still have anything unclear, please feel free to tell me.
| > Have a nice weekend.
|
| Although I've already worked a lot with DirectoryServices I'd have a question
| about AccountExpiration.
|
| In the Platform SDK I've learned that AccountExpires is disabled if it has
| the value of -1 or a DateTime value if enabled. That's fine with C++. But
| with DirectoryServices I get a DateTime property and I can't set the value
| to -1.
|
| How can I disable AccountExpires without falling back to unmanaged code or
| COM Interop, P/Invoke calls?
|
| --
| best regards
|
| Peter Koen
| -----------------------------------
| MCAD, CAI/R, CAI/S, CASE/RS, CAT/RS
| http://www.kema.at
|
 
Thanks Willy!
That perfectly sorts out my problem with the accountExpires property!


--
------ooo---OOO---ooo------

Peter Koen - www.kema.at
MCAD CAI/RS CASE/RS IAT

------ooo---OOO---ooo------
 
The enabling and disabling are working fine. However i am still having a
problem doing a search for all accounts that are disabled.

If i do a DirectoryEntry search with the following filter should it work?

"(&((objectClass=user)(userAccountControl="+AccountLockType.ACCOUNTDISABLE+")))"

AccountLockType.ACCOUNTDISABLE is an enum in my program which has a value of
0x0002
 
Hi Arran,

I think you can refer to the DirectorySearcher class, and use it like this:
DirectorySearcher Searcher = new DirectorySearcher();
// 1.2.840.113556.1.4.803 is the bitwise-AND matching rule: matches any userAccountControl with the 0x2 (ACCOUNTDISABLE) bit set
Searcher.Filter = "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))";
There is a sample in:
http://groups.yahoo.com/group/ADSIANDDirectoryServices/message/531

Besides, you can find more information about Searching Active Directory in:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/specifying_other_search_options.asp
(Especially "Creating a Query Filter" section)

Hope this helps,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

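As an added example, not code from the thread or from any of its posters, here is the bitwise-AND search for disabled accounts that the reply above describes, together with the locked-out search and the enable/disable toggle the original question asked for, in C# with System.DirectoryServices. The domain DN (DC=xxx,DC=yyy,DC=zzz), the placeholder account "someuser", and an identity with rights to read and write userAccountControl are assumptions. The locked-out part goes beyond the reply: it filters on lockoutTime and then confirms each hit against the constructed attribute msDS-User-Account-Control-Computed, because lockoutTime is not cleared when the lockout window expires.

```csharp
// Added example, not from the original thread. Assumes a domain at DC=xxx,DC=yyy,DC=zzz
// (placeholder) and an identity allowed to read and write userAccountControl.
using System;
using System.Collections.Generic;
using System.DirectoryServices;

static class AccountState
{
    const int AccountDisable = 0x0002;              // ADS_UF_ACCOUNTDISABLE bit in userAccountControl
    const int Lockout = 0x0010;                     // UF_LOCKOUT bit in msDS-User-Account-Control-Computed
    const string BitAnd = "1.2.840.113556.1.4.803"; // LDAP_MATCHING_RULE_BIT_AND
    const string DomainPath = "LDAP://DC=xxx,DC=yyy,DC=zzz"; // assumed placeholder

    // "userAccountControl=2" only matches an object whose whole value is 2; a normal user
    // carries NORMAL_ACCOUNT (512) plus other bits, so the bitwise-AND rule is required.
    public static string DisabledFilter()
    {
        return "(&(objectCategory=person)(objectClass=user)(userAccountControl:" + BitAnd + ":=" + AccountDisable + "))";
    }

    // lockoutTime >= 1 marks accounts that were locked at some point. The attribute is not
    // reset when the lockout duration elapses, so every hit is confirmed per object below.
    public static string LockedCandidateFilter()
    {
        return "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))";
    }

    // RFC 4515 escaping: a caller-supplied name must not be able to alter the filter.
    public static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    public static List<string> DisabledUsers() { return Search(DisabledFilter(), false); }
    public static List<string> LockedOutUsers() { return Search(LockedCandidateFilter(), true); }

    static List<string> Search(string filter, bool confirmLockout)
    {
        List<string> names = new List<string>();
        using (DirectoryEntry root = new DirectoryEntry(DomainPath))
        using (DirectorySearcher searcher = new DirectorySearcher(root, filter, new string[] { "sAMAccountName" }))
        {
            searcher.PageSize = 1000; // paged results; otherwise the DC stops at its MaxPageSize limit
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    if (confirmLockout)
                    {
                        using (DirectoryEntry e = r.GetDirectoryEntry())
                        {
                            if (!IsCurrentlyLockedOut(e)) continue;
                        }
                    }
                    names.Add((string)r.Properties["sAMAccountName"][0]);
                }
            }
        }
        return names;
    }

    // msDS-User-Account-Control-Computed is built by the DC on request: it cannot be used in a
    // search filter and is not in the property cache until it is explicitly refreshed.
    static bool IsCurrentlyLockedOut(DirectoryEntry user)
    {
        user.RefreshCache(new string[] { "msDS-User-Account-Control-Computed" });
        int computed = (int)user.Properties["msDS-User-Account-Control-Computed"].Value;
        return (computed & Lockout) != 0;
    }

    // Disable or enable by flipping only the ACCOUNTDISABLE bit; all other flags are preserved.
    public static void SetDisabled(string samAccountName, bool disabled)
    {
        string filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))";
        using (DirectoryEntry root = new DirectoryEntry(DomainPath))
        using (DirectorySearcher searcher = new DirectorySearcher(root, filter))
        {
            SearchResult r = searcher.FindOne();
            if (r == null) throw new ArgumentException("no such user: " + samAccountName);
            using (DirectoryEntry user = r.GetDirectoryEntry())
            {
                int uac = (int)user.Properties["userAccountControl"].Value;
                uac = disabled ? (uac | AccountDisable) : (uac & ~AccountDisable);
                user.Properties["userAccountControl"].Value = uac;
                user.CommitChanges();
            }
        }
    }

    static void Main()
    {
        foreach (string n in DisabledUsers()) Console.WriteLine("disabled:   " + n);
        foreach (string n in LockedOutUsers()) Console.WriteLine("locked out: " + n);
        SetDisabled("someuser", true);   // "someuser" is a placeholder account
        SetDisabled("someuser", false);
    }
}
```

The msDS-User-Account-Control-Computed attribute needs Windows Server 2003 or later domain controllers; on older DCs the lockoutTime filter alone will also return accounts whose lockout window has already elapsed. The EscapeFilterValue step matters whenever the account name comes from user input, since an unescaped ")" or "*" changes what the filter matches.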
 