Find all locked users in AD using C#
The code listed below works fine for me, however I would like a list of all users that are locked as opposed to specifying a particular user. Can someone help me broaden the scope of this code please?
```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Checks one account, identified by its sAMAccountName in "name".
// FindByIdentity returns null when no such account exists, so guard for that
// before calling IsAccountLockedOut().
using (var context = new PrincipalContext(ContextType.Domain))
{
    using (var user = UserPrincipal.FindByIdentity(context,
                                                   IdentityType.SamAccountName,
                                                   name))
    {
        if (user != null && user.IsAccountLockedOut())
        {
            // ... your code here ...
        }
    }
}
```
Here is what ended up working - thanks to all contributors.
When a user is locked they don't go to "not locked" until they log in (when referencing the lockedout clause in an LDAP search); so... using the locked out query gives you a broad list of locked out users which you can then narrow down with the IsAccountLockedOut() method. Regards!
```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.DirectoryServices.AccountManagement;

namespace ConsoleApplication5
{
    class Lockout : IDisposable
    {
        DirectoryContext context;
        DirectoryEntry root;

        public Lockout()
        {
            string domainName = "domain.com";
            this.context = new DirectoryContext(
                DirectoryContextType.Domain,
                domainName
            );

            // get our current domain policy
            Domain domain = Domain.GetDomain(this.context);
            this.root = domain.GetDirectoryEntry();
        }

        public void FindLockedAccounts()
        {
            // Accounts with a non-zero lockoutTime (bitwise OR against the low 32 bits),
            // excluding disabled accounts (userAccountControl bit 2) and accounts whose
            // password never expires (bit 65536). The parentheses are balanced here.
            string qry = "(&(objectCategory=person)(objectClass=user)" +
                         "(lockoutTime:1.2.840.113556.1.4.804:=4294967295)" +
                         "(!userAccountControl:1.2.840.113556.1.4.803:=2)" +
                         "(!userAccountControl:1.2.840.113556.1.4.803:=65536))";

            // One PrincipalContext for the whole loop; DirectorySearcher and the
            // result collection both need disposing.
            using (DirectorySearcher ds = new DirectorySearcher(this.root, qry))
            using (var context = new PrincipalContext(ContextType.Domain))
            using (SearchResultCollection src = ds.FindAll())
            {
                foreach (SearchResult sr in src)
                {
                    string name = sr.Properties["sAMAccountName"][0].ToString();
                    using (var user = UserPrincipal.FindByIdentity(context,
                                                                   IdentityType.SamAccountName,
                                                                   name))
                    {
                        // lockoutTime stays set after the lockout expires, so confirm with
                        // IsAccountLockedOut(); the account may also be gone since the search.
                        if (user != null && user.IsAccountLockedOut())
                        {
                            Console.WriteLine("{0} is locked out", sr.Properties["name"][0]);
                        }
                    }
                }
            }
        }

        public void Dispose()
        {
            if (this.root != null)
            {
                this.root.Dispose();
            }
        }
    }

    class Program
    {
        static void Main()
        {
            using (var lockout = new Lockout())
            {
                lockout.FindLockedAccounts();
            }
        }
    }
}
```
Edit: Misread question. Updated answer.
Try it now.
Why not just:
```csharp
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

var lockedUsers = new List<UserPrincipal>();
using (var context = new PrincipalContext(ContextType.Domain))
using (GroupPrincipal grp = GroupPrincipal.FindByIdentity(context, IdentityType.SamAccountName, "Domain Users"))
{
    foreach (var member in grp.GetMembers(false))
    {
        // GetMembers yields Principal objects; only user accounts can be locked out,
        // so cast instead of re-querying by identity (the original looked up a UPN
        // as a sAMAccountName, which never matches).
        var user = member as UserPrincipal;
        if (user != null && user.IsAccountLockedOut())
        {
            lockedUsers.Add(user);
        }
    }

    // Deal with list here, while the context that backs the principals is still open
}
```
You can use the lockoutTime attribute, but it's not necessarily trivial. The attribute has the time the user was locked out at. So, if your domain has a single lockout policy, you can do a search for everyone whose lockoutTime value is greater than or equal to (UTC Now - Lockout Duration).
If you have multiple lockout policies via fine grained password policies, then this is not so easy since you need to calculate it on a per user basis.
If your domain has a permanent lockout (e.g. you must request an account unlock), you can search on greater than zero.
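The threshold search this answer describes, as an added example that is not code from the question or from any answer on the page. lockoutTime is stored as a Windows FILETIME (100-nanosecond intervals since 1601 UTC), which is the scale DateTime.ToFileTimeUtc() produces, so the threshold can be computed directly. The class and method names (LockoutTimeSearch, BuildFilter, IsStillLocked, Search) are assumptions for this example; it also assumes the caller already knows the single domain-wide lockout duration (for instance from the domain's lockoutDuration attribute), with TimeSpan.Zero standing for the permanent-lockout case. The fine-grained-policy case from the answer is not handled. The values in Main are constructed so the pure functions run without a domain; Search needs a domain-joined machine.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Globalization;

// Example only (not from the page): LDAP filter and client-side check based on
// lockoutTime >= (UTC now - lockout duration), as the answer above describes.
static class LockoutTimeSearch
{
    // Converts the "UTC now - lockout duration" instant into the FILETIME scale
    // that AD uses for lockoutTime.
    public static long ThresholdFileTime(DateTime utcNow, TimeSpan lockoutDuration)
    {
        if (utcNow.Kind != DateTimeKind.Utc)
            throw new ArgumentException("utcNow must be a UTC DateTime", nameof(utcNow));
        return (utcNow - lockoutDuration).ToFileTimeUtc();
    }

    // Filter for user accounts whose lockout has not yet expired.
    // A zero duration means "locked until unlocked by an administrator",
    // so any non-zero lockoutTime counts (the "greater than zero" search).
    public static string BuildFilter(DateTime utcNow, TimeSpan lockoutDuration)
    {
        string timeClause = lockoutDuration == TimeSpan.Zero
            ? "(lockoutTime>=1)"
            : "(lockoutTime>=" + ThresholdFileTime(utcNow, lockoutDuration)
                                     .ToString(CultureInfo.InvariantCulture) + ")";
        return "(&(objectCategory=person)(objectClass=user)" + timeClause + ")";
    }

    // The same decision applied client-side to a raw lockoutTime value, e.g. to
    // re-check a result from a broader search such as "any lockoutTime set".
    public static bool IsStillLocked(long lockoutTime, DateTime utcNow, TimeSpan lockoutDuration)
    {
        if (lockoutTime <= 0) return false;             // 0 = never locked, or unlocked by an admin
        if (lockoutDuration == TimeSpan.Zero) return true;  // permanent lockout policy
        return lockoutTime >= ThresholdFileTime(utcNow, lockoutDuration);
    }

    // Runs the filter against the domain and returns the matching sAMAccountNames.
    // DirectorySearcher returns large-integer attributes such as lockoutTime as Int64.
    public static List<string> Search(DirectoryEntry root, DateTime utcNow, TimeSpan lockoutDuration)
    {
        var hits = new List<string>();
        using (var searcher = new DirectorySearcher(root, BuildFilter(utcNow, lockoutDuration)))
        {
            searcher.PropertiesToLoad.Add("sAMAccountName");
            searcher.PropertiesToLoad.Add("lockoutTime");
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    long lockoutTime = (long)r.Properties["lockoutTime"][0];
                    if (IsStillLocked(lockoutTime, utcNow, lockoutDuration))
                        hits.Add((string)r.Properties["sAMAccountName"][0]);
                }
            }
        }
        return hits;
    }

    static void Main()
    {
        // Constructed sample: a 30-minute lockout policy evaluated at a fixed instant.
        DateTime now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        TimeSpan duration = TimeSpan.FromMinutes(30);
        long lockedTenMinutesAgo = now.AddMinutes(-10).ToFileTimeUtc();
        long lockedTwoHoursAgo = now.AddHours(-2).ToFileTimeUtc();

        Console.WriteLine(BuildFilter(now, duration));
        Console.WriteLine(BuildFilter(now, TimeSpan.Zero));
        Console.WriteLine(IsStillLocked(lockedTenMinutesAgo, now, duration));
        Console.WriteLine(IsStillLocked(lockedTwoHoursAgo, now, duration));
        Console.WriteLine(IsStillLocked(lockedTwoHoursAgo, now, TimeSpan.Zero));
    }
}
```

The two-hours-ago sample is the case the accepted answer warns about: the attribute is still set, but under a 30-minute policy the account is no longer locked, so the threshold filter (or IsStillLocked) excludes it, while under a permanent-lockout policy the same value still counts as locked.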