Can someone post the way to know if a particular user is a deactivated user in the Windows AD?

+2  A: 

You need to query the userAccountControl property.

Values for userAccountControl flags are:

    CONST   HEX
    -------------------------------
    SCRIPT 0x0001
    ACCOUNTDISABLE 0x0002
    HOMEDIR_REQUIRED 0x0008
    LOCKOUT 0x0010
    PASSWD_NOTREQD 0x0020
    PASSWD_CANT_CHANGE 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED 0x0080
    TEMP_DUPLICATE_ACCOUNT 0x0100
    NORMAL_ACCOUNT 0x0200
    INTERDOMAIN_TRUST_ACCOUNT 0x0800
    WORKSTATION_TRUST_ACCOUNT 0x1000
    SERVER_TRUST_ACCOUNT 0x2000
    DONT_EXPIRE_PASSWORD 0x10000
    MNS_LOGON_ACCOUNT 0x20000
    SMARTCARD_REQUIRED 0x40000
    TRUSTED_FOR_DELEGATION 0x80000
    NOT_DELEGATED 0x100000
    USE_DES_KEY_ONLY 0x200000
    DONT_REQ_PREAUTH 0x400000
    PASSWORD_EXPIRED 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION 0x1000000

You would need to work with the System.DirectoryServices namespace and use the DirectorySearcher class in order to query the Active Directory, then check the userAccountControl flags property.

A good page I guess you should consult is the following:

How to (almost) everything in Active Directory in C#.

You'll have to go bitwise when comparing against the userAccountControl flags property such as follows:

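    using System;
    using System.DirectoryServices;

    const int ACCOUNTDISABLE = 0x0002; // value from the flag table above

    using (DirectorySearcher searcher = new DirectorySearcher()) {
        searcher.SearchRoot = new DirectoryEntry(rootDSE); // Where rootDSE is a string which contains your LDAP path to your domain.
        searcher.SearchScope = SearchScope.Subtree;
        // userName is placed in the filter verbatim; escape LDAP filter special characters if it comes from untrusted input.
        searcher.Filter = string.Format("(&(objectClass=user)(sAMAccountName={0}))", userName);

        SearchResult result = null;

        try {
            result = searcher.FindOne();
        } catch (Exception) {
            // You know what to do here... =P
        }

        if (result == null)
            return;

        DirectoryEntry user = result.GetDirectoryEntry();

        // Properties is an indexer and Value is an object: index with [] and cast before the bitwise test.
        int flags = (int)user.Properties["userAccountControl"].Value;
        bool isAccountDisabled = ((flags & ACCOUNTDISABLE) == ACCOUNTDISABLE);
    }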

Did this help anyhow?

Will Marcouiller
@David Neale: How is it stolen? I referenced where I got the information. Plus, there's always MSDN over there. I have worked and still do with Active Directory lately. I don't get what you're saying here.
Will Marcouiller
It was initially because your answer had been edited and then directly resembled mine. You've now taken the time to compile a good comprehensive answer so I retract it. :)
David Neale
@David Neale: Thanks for this kind explanation. I do so because when typing the entire answer, it is too long for the OP to get his answer. I then come in with a short but direct answer, then I edit it afterward to bring more comprehensive details, etc. Many people do so, so that they keep the "first to answer" rank, if you see what I mean. Anyway, you got a very good answer that I shall upvote. =)
Will Marcouiller
+2  A: 

Here's a good link for AD operations Howto: (Almost) Everything In Active Directory via C#

You need to query the userAccountControl property, it's a bitwise flag and I believe it's 514 for a disabled account but the values are cumulative so you'd need to work it out. (NORMAL ACCOUNT + ACCOUNT DISABLED = 512 + 2 = 514).

Here's the reference for all of the User Account Control flags.

David Neale
+1 Thanks for your kind explanation given in comment to my answer. We both have a good answer. =)
Will Marcouiller
+3  A: 

If you're on .NET 3.5 or can upgrade to .NET 3.5 - have a look at the new System.DirectoryServices.AccountManagement namespace which makes lots of these operations a breeze. See Managing Directory Security Principals in the .NET Framework 3.5 for an intro.

In your case, you could write your code something like this:

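    // Requires: using System.DirectoryServices.AccountManagement;
    PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "YOURDOMAIN");

    // FindByIdentity takes the context as its first argument and returns null when no match is found.
    UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "somename");

    bool locked = user.IsAccountLockedOut();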

That's all there is! Most of those everyday operations on users and groups have been vastly improved with .NET 3.5 - use those new capabilities!

marc_s
That was what I was looking for! Thanks!
abmv
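
The bitwise test from the first two answers (514 = 512 + 2), as an added C# example that is not from any answer on this page: it decodes constructed userAccountControl values and builds a filter that has the directory do the bit test through Active Directory's bitwise-AND matching rule, 1.2.840.113556.1.4.803. The names `Uac` and `UacDemo` and the sample account name are assumptions made for illustration.

```csharp
using System;
using System.Text;

[Flags]
enum Uac // hypothetical name; subset of the flag table in the first answer
{
    AccountDisable = 0x0002,
    NormalAccount = 0x0200,
    DontExpirePassword = 0x10000,
}

static class UacDemo // hypothetical helper class
{
    // True when ACCOUNTDISABLE is set, whatever other flags are present.
    public static bool IsDisabled(int uac) => (uac & (int)Uac.AccountDisable) != 0;

    // Escape the characters that are special inside an LDAP filter value (RFC 4515).
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*': sb.Append(@"\2a"); break;
                case '(': sb.Append(@"\28"); break;
                case ')': sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // ":1.2.840.113556.1.4.803:=2" matches entries whose userAccountControl has bit 0x0002 set.
    public static string DisabledUserFilter(string samAccountName) =>
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
        + EscapeFilterValue(samAccountName)
        + ")(userAccountControl:1.2.840.113556.1.4.803:=2))";

    static void Main()
    {
        foreach (int uac in new[] { 512, 514, 66050 }) // constructed sample values
            Console.WriteLine($"{uac} -> {(Uac)uac}, disabled={IsDisabled(uac)}");
        Console.WriteLine(DisabledUserFilter("j.doe*")); // constructed account name
    }
}
```

With the System.DirectoryServices.AccountManagement API from the last answer, the disabled state is exposed as `UserPrincipal.Enabled`; `IsAccountLockedOut()` reports lockout, which is a separate state.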