
Active Directory LDAP - Lock User Account

What is the preferred way to lock an Active Directory account?

int val = (int)directoryentry.Properties["userAccountControl"].Value;
directoryentry.Properties["userAccountControl"].Value = val | 0x0010;

vs.

directoryentry.InvokeSet("IsAccountLocked", true); 

Is there a better way?

In fact, you have to perform a bitwise operation to set the correct bit to the appropriate value. In the link below, you will encounter the User Account Control Flags. So, you only have to perform the appropriate logical operation against the property to either lock or unlock the account.

The following link will interest you, I guess.

How to (almost) everything in AD

I shall add sample C# code later on.

Here's the code suggested:

using System;

public class AdUser {
    // Raw userAccountControl value read from the directory entry
    private int _userAccountControl;

    public bool IsLocked {
        get {
            // True when the lock bit (0x10) is set
            return (_userAccountControl & (int)UserAccountControls.Lock) != 0;
        }
        set {
            if (value)
                _userAccountControl = _userAccountControl | (int)UserAccountControls.Lock;
            else
                // Must reverse all the bits in the filter when performing an And operation
                _userAccountControl = _userAccountControl & ~(int)UserAccountControls.Lock;
        }
    }

    [Flags]
    public enum UserAccountControls {
        Lock = 0x10
    }
}

Please expect to have to make some changes to this code, as I haven't tested it. But your code should look like it, or something close to it, for locking and unlocking the user account. Sooner or later, you will have to go with the DirectoryEntry.Properties[] to set it to the value in your object class.

EDIT

What is the preferred way to lock an Active Directory account?

  int val = (int)directoryentry.Properties["userAccountControl"].Value;
  directoryentry.Properties["userAccountControl"].Value = val | 0x0010;

vs.

  directoryentry.InvokeSet("IsAccountLocked", true); 

In response to your question I put in my edit, I would say that these are the simplest ways, at least that I know of. I prefer, as far as I'm concerned, to wrap those features like I approximately did in my code sample, so the other programmers do not have to care about the bitwise operations and so forth. For them, they're manipulating objects.

As for the best way between these two, I guess it is mostly a matter of preference. If you're at ease with logical operations, these are normally the preferred. By comparison though, the second choice is simpler to play with.
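The bitwise set, clear and test operations described in the answer above, as an added example that is not part of the original posts; it works on a plain integer, so it runs without a domain. The `Uac` and `UacFlags` names and the sample value 0x10200 are assumptions made for illustration, and the enum covers only a subset of the documented userAccountControl bits.

```csharp
using System;

// Added example: a subset of the documented userAccountControl bits.
[Flags]
public enum UacFlags
{
    AccountDisable      = 0x0002,
    Lockout             = 0x0010,
    PasswordNotRequired = 0x0020,
    NormalAccount       = 0x0200,
    DontExpirePassword  = 0x10000,
    SmartcardRequired   = 0x40000,
    DontRequirePreauth  = 0x400000,
    PasswordExpired     = 0x800000
}

public static class Uac
{
    // Set or clear one flag without disturbing any other bit.
    public static int With(int uac, UacFlags flag, bool on) =>
        on ? uac | (int)flag : uac & ~(int)flag;

    public static bool Has(int uac, UacFlags flag) => (uac & (int)flag) == (int)flag;

    // Names of the known flags in a raw value; bits outside the enum are reported in hex.
    public static string Describe(int uac)
    {
        int known = 0;
        foreach (UacFlags f in Enum.GetValues(typeof(UacFlags))) known |= (int)f;
        string names = ((UacFlags)(uac & known)).ToString();
        int rest = uac & ~known;
        return rest == 0 ? names : $"{names}, unknown bits 0x{rest:X}";
    }
}

public static class Demo
{
    public static void Main()
    {
        int uac = 0x10200; // constructed sample: NormalAccount | DontExpirePassword
        int locked = Uac.With(uac, UacFlags.Lockout, true);
        Console.WriteLine($"0x{locked:X}: {Uac.Describe(locked)}");
        int unlocked = Uac.With(locked, UacFlags.Lockout, false);
        Console.WriteLine($"round trip preserved other flags: {unlocked == uac}");
        // Assigning the constant instead of OR-ing it in would drop every other flag.
        Console.WriteLine($"0x0010 alone: {Uac.Describe(0x0010)}");
    }
}
```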

Are you on .NET 3.5 (or can you upgrade to it)??

If so, check out the new System.DirectoryServices.AccountManagement namespace and all it has to offer! An excellent intro is the MSDN article Managing Directory Security Principals in the .NET Framework 3.5.

For your case, you'd have to get hold of a UserPrincipal some way, e.g.

PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "YOURDOMAIN");
UserPrincipal me = UserPrincipal.Current;

and then you have access to a plethora of really easy to use properties and methods - e.g.:

bool isLockedOut = me.IsAccountLockedOut();

and you can unlock a locked account using:

me.UnlockAccount();

MUCH easier than the plain old System.DirectoryServices stuff!
