tags:

views:

258

answers:

2
Q: 

Need to determine if a user in ActiveDirectory is still valid/active.

I have a .NET MVC (1.0) application that is using the ActiveDirectoryMembershipProvider to authenticate users, and this is working fine as is. After a successful authentication, I am creating a custom profile in SQL for that user (AD username, email, etc).

In one part of the application I am sending email alerts to users, and I am looping though users from the local SQL table that holds the AD UserName, mentioned above. Prior to sending the alert, I would like to verify that the user we are sending to is still a valid (i.e. active) user in AD. How can I check this without the password of the current user in my loop?

I was hoping to do soemthing like this...

MembershipUser adUser= Membership.GetUser(userName); //I have the username from the loop
bool isValid = adUser.isValid; //I know this is not a real property

I know that there is no such property called "isValid" -- but does anyone know what property I should use? If MembershipUser is of no use, then I assume that I need to write some code invoking the System.DirectoryServices.ActiveDirectory namespace? If so, what property should I be checking in AD to see if the user is valid? And by "valid," I mean that the user still works for the company in question, and is able to sign-in via AD. I am not concerned with the user's group membership in AD.

Thanks,

Mike

+2  A: 

You basically need to check the user's userAccountControl flag for the disabled flag.

Once you have your DirectoryEntry for the user in question (userAccount), you can check for account disabled and account locked out like this:

// get the "userAccountControl" property
int uac = Convert.ToInt32(userAccount.Properties["userAccountControl"][0]);

const int ADS_UF_ACCOUNTDISABLE = 0x00000002;
const int ADS_UF_LOCKOUT = 0x00000010;

bool accountIsDisabled = (uac & ADS_UF_ACCOUNTDISABLE) == ADS_UF_ACCOUNTDISABLE;
bool accountIsLockedOut = (uac & ADS_UF_LOCKOUT) == ADS_UF_LOCKOUT;

Marc

marc_s  2009-06-01 20:21:20
A: 

If you query the user attributes/properties in AD, the userAccountControl property will be 514 if the account is locked out or 512 if it is ready for login.

Took to long to post my response. The post by Marc is actually more detailed, and I will upvote it.

Jonathan Kehayias  2009-06-01 20:29:22

related questions

Querying Active Directory with "SQL"?
Can I get more than 1000 records from a DirectorySearcher in Asp.Net?
How to get AD User Groups for user in Asp.Net?
Attempting to update a user's "connect to:" home directory path in AD using C#
Monitoring group membership in Active Directory more efficiently (C# .NET)
How do I speed up data retrieval from .NET AD within ColdFusion
How do you authenticate against an Active Directory server using Spring Security?
Managing large user databases for single-signon.
Move Active Directory Group to Another OU using Powershell
How to move SharePoint sites from one active directory domain to another?
When did I last talk to my Domain Server?
Using ActiveDirectoryMembershipProvider with two domain controllers
I am having trouble getting phpBB to authenticate with our Active Directory
How do I use ADAM to run unit tests?
COMException "Library not registered." while using System.DirectoryServices
Caching Active Directory Data
Windows / Active Directory - User / Groups
Get a list of available domains (NT4 and Active Directory)
How do I use NTLM authentication with Active Directory
I/O permission settings using .net installer
quoting System.DirectoryServices.ResultPropertyCollection
How do you impersonate an Active Directory user in Powershell?
Setting Group Type for new Active Directory Entry in VB.NET
Is there a way for MS Access to grab the current Active Directory user?
Checklist for IIS 6/ASP.NET Windows Authentication?