What is the preferred way to lock an Active Directory account?

int val = (int)directoryentry.Properties["userAccountControl"].Value;
directoryentry.Properties["userAccountControl"].Value = val | 0x0010;

vs.

directoryentry.InvokeSet("IsAccountLocked", true); 

Is there a better way?

+1  A: 

In fact, you have to perform a bitwise operation to set the correct bit to the appropriate value. In the link below, you will encounter the User Account Control Flags. So, you only have to perform the appropriate logical operation against the property to either lock or unlock the account.

The following link will interest you, I guess.

How to (almost) everything in AD

I shall add a sample C# code later on.

Here's the code suggested:

public class AdUser {
    private int _userAccountControl;
    public bool IsLocked {
        get {
            // Test the bit: a non-zero result means the LOCKOUT flag is set.
            return (_userAccountControl & (int)UserAccountControls.Lock) != 0;
        }
        set {
            if (value)
                _userAccountControl |= (int)UserAccountControls.Lock;
            else
                // Clear the bit with the complement; "& Lock" would leave it set.
                _userAccountControl &= ~(int)UserAccountControls.Lock;
        }
    }
    public enum UserAccountControls {
        Lock = 0x10
    }
}

Please consider that you may have some changes to make to this code, as I haven't tested it. But your code should look alike or something close to it for locking and unlocking the user account. Sooner or later, you will have to go with the DirectoryEntry.Properties[] to set it to the value in your object class.

EDIT

What is the preferred way to lock an Active Directory account?

   int val = (int)directoryentry.Properties["userAccountControl"].Value;  
   directoryentry.Properties["userAccountControl"].Value = val | 0x0010;

vs.

   directoryentry.InvokeSet("IsAccountLocked", true); 

In response to your question that I put in my edit, I would say that these are the simplest ways, at least that I know of. I prefer, as far as I'm concerned, to wrap those features like I approximately did in my code sample, so the other programmers don't have to care about the bitwise operations and so forth. For them, they're manipulating objects.

As for the best way between these two, I guess it's mostly a matter of preference. If you're at ease with logical operations, these are normally the preferred. By comparison though, the second choice is simpler to play with.

Will Marcouiller
+3  A: 

Are you on .NET 3.5 (or can you upgrade to it)?

If so, check out the new System.DirectoryServices.AccountManagement namespace and all it has to offer! Excellent intro is the MSDN article Managing Directory Security Principals in the .NET Framework 3.5.

For your case, you'd have to get hold of a UserPrincipal some way, e.g.

PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "YOURDOMAIN");
UserPrincipal me = UserPrincipal.Current;

and then you have access to a plethora of really easy to use properties - e.g.:

bool isLockedOut = me.IsAccountLockedOut;

and you can set that flag, too:

me.IsAccountLockedOut = false;

MUCH easier than the plain old System.DirectoryServices stuff!

marc_s
This is great, thanks.
Germ
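An added example (not code from the question or either answer) covering both answers: the bit helpers behind Will's wrapper, with clearing done via the complement, and the AccountManagement route marc_s points to, using the IsAccountLockedOut() and UnlockAccount() methods as they exist on UserPrincipal. The domain name, the sAMAccountName and the ACCOUNTDISABLE value are assumptions for illustration, and the methods that touch the directory need a reachable domain.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// Bits of the userAccountControl field. LOCKOUT (0x10) is the value on this page;
// ACCOUNTDISABLE (0x2) is the flag an admin sets to block sign-in (assumed here).
[Flags]
public enum UacFlag
{
    AccountDisable = 0x0002,
    Lockout        = 0x0010
}

public static class Uac
{
    // Pure bit helpers: no domain needed, so they can be unit-tested on their own.
    public static bool Has(int uac, UacFlag flag) => (uac & (int)flag) != 0;
    public static int Set(int uac, UacFlag flag) => uac | (int)flag;
    // Clearing needs AND with the complement; "uac & flag" would leave the bit set.
    public static int Clear(int uac, UacFlag flag) => uac & ~(int)flag;
}

public static class AccountLock
{
    // Read-modify-write on userAccountControl, as in the question's first snippet.
    // LOCKOUT is maintained by the directory service (it mirrors lockoutTime), so
    // reserve this for writable flags such as ACCOUNTDISABLE.
    public static void SetFlag(DirectoryEntry entry, UacFlag flag, bool on)
    {
        int uac = (int)entry.Properties["userAccountControl"].Value;
        int updated = on ? Uac.Set(uac, flag) : Uac.Clear(uac, flag);
        if (updated == uac) return;            // nothing to change
        entry.Properties["userAccountControl"].Value = updated;
        entry.CommitChanges();                 // not written until committed
    }

    // System.DirectoryServices.AccountManagement (.NET 3.5+): lockout is exposed
    // as the IsAccountLockedOut() and UnlockAccount() methods on the principal.
    public static bool UnlockIfLockedOut(string domain, string samAccountName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) throw new ArgumentException("No such user: " + samAccountName);
            if (!user.IsAccountLockedOut()) return false;
            user.UnlockAccount();
            return true;
        }
    }
}
```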