
Query if user has “Cannot change password” checked in Active Directory

I'm trying to check this information for an app I'm developing...

I'm trying to query userAccountControl, but I've figured out AD doesn't update this correctly if it's set.

This is how I currently search UserAccountControl:

    If (res.Properties.Contains("userAccountControl")) Then
        userAccountControl = doespasswordexpire(res.Properties("userAccountControl").Item(0))
        userAccountControlPNR = PasswordNotRequired(res.Properties("userAccountControl").Item(0))
        userAccountControlSCR = SmartCardRequired(res.Properties("userAccountControl").Item(0))
    Else
        userAccountControl = ""
        userAccountControlPNR = ""
        userAccountControlSCR = ""
    End If

How would I do this in ADSI or LDAP? I do not want to use PrincipalContext.

You cannot use the userAccountControl attribute to modify, or even query, the "cannot change password" setting. It's listed in Microsoft's documentation as a possible flag, but it doesn't work (not sure if it was ever intended to?).

To check if that is set you have to parse out the user's ACEs in their DACL. You can get that from the ntSecurityDescriptor attribute of the user and programmatically parse it. There's a good starting example of that in this thread.

Some additional MSDN info here: https://msdn.microsoft.com/en-us/library/aa746398.aspx
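
As an added example (not part of the original answer, and not Microsoft's sample code), this is one way to do the DACL parsing described above in VB.NET without PrincipalContext: it reports the setting as on when the DACL holds deny object ACEs for the Change Password extended right for both Everyone and SELF. The module and function names and the SDDL strings in `Main` are constructed for illustration.

```vbnet
Imports System
Imports System.Security.AccessControl
Imports System.Security.Principal

Module CannotChangePasswordCheck
    ' GUID of the Change Password (User-Change-Password) extended right.
    Private ReadOnly ChangePasswordRight As New Guid("ab721a53-1e2f-11d0-9819-00aa0040529b")
    Private Const ControlAccess As Integer = &H100 ' ADS_RIGHT_DS_CONTROL_ACCESS

    ' True when the DACL denies Change Password to both Everyone and SELF.
    Function CannotChangePassword(sd As RawSecurityDescriptor) As Boolean
        If sd.DiscretionaryAcl Is Nothing Then Return False
        Dim everyone As New SecurityIdentifier(WellKnownSidType.WorldSid, Nothing)
        Dim selfSid As New SecurityIdentifier(WellKnownSidType.SelfSid, Nothing)
        Dim denyEveryone As Boolean = False
        Dim denySelf As Boolean = False
        For Each ace As GenericAce In sd.DiscretionaryAcl
            Dim objAce As ObjectAce = TryCast(ace, ObjectAce)
            If objAce Is Nothing Then Continue For ' only object ACEs carry a right GUID
            If objAce.AceQualifier <> AceQualifier.AccessDenied Then Continue For
            If (objAce.AccessMask And ControlAccess) = 0 Then Continue For
            If (objAce.ObjectAceFlags And ObjectAceFlags.ObjectAceTypePresent) = 0 Then Continue For
            If objAce.ObjectAceType <> ChangePasswordRight Then Continue For
            If objAce.SecurityIdentifier = everyone Then denyEveryone = True
            If objAce.SecurityIdentifier = selfSid Then denySelf = True
        Next
        Return denyEveryone AndAlso denySelf
    End Function

    ' With a DirectorySearcher, set searcher.SecurityMasks = SecurityMasks.Dacl and load
    ' "ntSecurityDescriptor"; res.Properties("ntSecurityDescriptor")(0) is then a Byte()
    ' that can be passed to New RawSecurityDescriptor(bytes, 0).
    Sub Main()
        ' Constructed SDDL samples (not taken from a real directory).
        Dim denied As New RawSecurityDescriptor(
            "D:(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)" &
            "(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)")
        Dim allowed As New RawSecurityDescriptor(
            "D:(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)" &
            "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)")
        Console.WriteLine("Deny ACEs:  " & CannotChangePassword(denied))
        Console.WriteLine("Allow ACEs: " & CannotChangePassword(allowed))
    End Sub
End Module
```

Without `SecurityMasks` set on the searcher, the `ntSecurityDescriptor` attribute may not be returned for accounts that lack rights to read the full descriptor.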
