How do you check if a computer account is disabled in Active Directory using C#/.NET
views: 3877
answers: 4
Try this entry:
http://www.codeproject.com/KB/system/everythingInAD.aspx#42
You will want to examine the User Account Control flags.
Try this:
    using System;
    using System.DirectoryServices;

    class Program
    {
        static void Main(string[] args)
        {
            const string ldap = "LDAP://your-ldap-server-here";
            using (DirectoryEntry conn = new DirectoryEntry(ldap))
            {
                using (DirectorySearcher searcher = new DirectorySearcher(conn))
                {
                    // Look up two accounts by name and fetch only the attributes we need.
                    searcher.Filter = "(|(samAccountName=userA)(samAccountName=userB))";
                    searcher.PropertiesToLoad.Add("samAccountName");
                    searcher.PropertiesToLoad.Add("userAccountControl");
                    using (SearchResultCollection results = searcher.FindAll())
                    {
                        foreach (SearchResult result in results)
                        {
                            int userAccountControl = Convert.ToInt32(result.Properties["userAccountControl"][0]);
                            string samAccountName = Convert.ToString(result.Properties["samAccountName"][0]);
                            // 0x2 is the ACCOUNTDISABLE flag.
                            bool disabled = ((userAccountControl & 2) > 0);
                            Console.WriteLine("{0} ({1:x}) :: {2}", samAccountName, userAccountControl, disabled);
                        }
                    }
                }
            }
            Console.ReadLine();
        }
    }
The second bit of userAccountControl will be 1 if the account is disabled.
Without checking bits, adding:
    (userAccountControl:1.2.840.113556.1.4.803:=2)
to your filter should return only disabled users. Of course,
    (!(userAccountControl:1.2.840.113556.1.4.803:=2))
will ensure that users are not disabled if you'd prefer to go that route.
If you are using .NET 3.5, you can use the new System.DirectoryServices.AccountManagement namespace methods to much more easily access Active Directory. The UserPrincipal object has an Enabled property that gives you what you are looking for.
There is a good overview of these routines in the January 2008 MSDN Magazine. You can read the article online here: Managing Directory Security Principals in the .NET Framework 3.5
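The answers above test the flag on user accounts; the following added example (not part of any answer on this page) applies the same userAccountControl bit check to a computer account, which is what the question asks about. The class and method names, the server placeholder and the host name WORKSTATION01 are assumptions made for illustration.

```csharp
using System;
using System.DirectoryServices;

static class ComputerAccountCheck
{
    const int AccountDisable = 0x0002; // ACCOUNTDISABLE bit of userAccountControl

    // Escape LDAP filter metacharacters (RFC 4515) so a caller-supplied
    // host name cannot change the meaning of the search filter.
    static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29")
                    .Replace("\0", "\\00");
    }

    // true = disabled, false = enabled, null = no such computer object
    // (or its userAccountControl attribute was not returned).
    static bool? IsComputerDisabled(DirectoryEntry root, string computerName)
    {
        using (var searcher = new DirectorySearcher(root))
        {
            // Computer accounts carry a trailing '$' in sAMAccountName.
            searcher.Filter = "(&(objectCategory=computer)(sAMAccountName="
                              + EscapeFilterValue(computerName) + "$))";
            searcher.PropertiesToLoad.Add("userAccountControl");

            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties["userAccountControl"].Count == 0)
                return null;

            int uac = Convert.ToInt32(result.Properties["userAccountControl"][0]);
            return (uac & AccountDisable) != 0;
        }
    }

    static void Main()
    {
        // Placeholder server and host name (assumptions, not from the page).
        using (var root = new DirectoryEntry("LDAP://your-ldap-server-here"))
        {
            bool? disabled = IsComputerDisabled(root, "WORKSTATION01");
            Console.WriteLine(disabled.HasValue
                ? "disabled = " + disabled.Value
                : "computer account not found");
        }
    }
}
```

Returning a nullable value keeps "not found" distinct from "enabled", so a mistyped host name is not reported as an active account.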