
Find all locked users in AD using c#

The code listed below works fine for me; however, I would like a list of all users that are locked, as opposed to specifying a particular user. Can someone help me broaden the scope of this code, please?

using System.DirectoryServices.AccountManagement;

// name is the sAMAccountName of the single user being checked
using (var context = new PrincipalContext(ContextType.Domain))
{
    using (var user = UserPrincipal.FindByIdentity(context,
                                                   IdentityType.SamAccountName,
                                                   name))
    {
        // FindByIdentity returns null when no such account exists
        if (user != null && user.IsAccountLockedOut())
        {
            // ... your code here ...
        }
    }
}


Here is what ended up working. Thanks to all contributors.
When a user is locked, they don't go to "not locked" until they log in (when referencing the lockoutTime clause in an LDAP search); so... using the locked-out query gives you a broad list of locked-out users, which you can then narrow down with the IsAccountLockedOut() method. Regards!

using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.DirectoryServices.AccountManagement;

namespace ConsoleApplication5
{
    class Lockout : IDisposable
    {
        DirectoryContext context;
        DirectoryEntry root;

        public Lockout()
        {
            string domainName = "domain.com";
            this.context = new DirectoryContext(
              DirectoryContextType.Domain,
              domainName
              );

            // get our current domain and its root directory entry
            Domain domain = Domain.GetDomain(this.context);
            this.root = domain.GetDirectoryEntry();
        }

        public void FindLockedAccounts()
        {
            // Broad LDAP pre-filter: user objects whose lockoutTime is non-zero
            // (bit-OR match against all low 32 bits), that are not disabled
            // (userAccountControl bit 2) and not "password never expires" (bit 65536).
            string qry = "(&(objectCategory=person)(objectClass=user)" +
                         "(lockoutTime:1.2.840.113556.1.4.804:=4294967295)" +
                         "(!userAccountControl:1.2.840.113556.1.4.803:=2)" +
                         "(!userAccountControl:1.2.840.113556.1.4.803:=65536))";

            using (DirectorySearcher ds = new DirectorySearcher(this.root, qry))
            using (SearchResultCollection src = ds.FindAll())
            using (var pc = new PrincipalContext(ContextType.Domain))
            {
                foreach (SearchResult sr in src)
                {
                    string name = sr.Properties["SamAccountName"][0].ToString();

                    // lockoutTime stays set after the lockout has expired, so
                    // confirm each candidate with IsAccountLockedOut()
                    using (var user = UserPrincipal.FindByIdentity(pc,
                                                                   IdentityType.SamAccountName,
                                                                   name))
                    {
                        if (user != null && user.IsAccountLockedOut())
                        {
                            Console.WriteLine("{0} is locked out", sr.Properties["name"][0]);
                        }
                    }
                }
            }
        }

        public void Dispose()
        {
            if (this.root != null)
            {
                this.root.Dispose();
            }
        }
    }

    class Program
    {
        static void Main()
        {
            using (var lockout = new Lockout())
            {
                lockout.FindLockedAccounts();
            }
        }
    }
}

Edit: Misread question. Updated answer

Try it now

Why not just:

var lockedUsers = new List<UserPrincipal>();
using (var context = new PrincipalContext(ContextType.Domain))
using (GroupPrincipal grp = GroupPrincipal.FindByIdentity(context, IdentityType.SamAccountName, "Domain Users"))
{
    if (grp != null)
    {
        using (var members = grp.GetMembers(false))
        {
            foreach (Principal member in members)
            {
                // GetMembers yields Principal objects; only user principals can be locked out,
                // so cast instead of looking the account up again by name
                var user = member as UserPrincipal;
                if (user != null && user.IsAccountLockedOut())
                {
                    lockedUsers.Add(user);
                }
                else
                {
                    member.Dispose();
                }
            }
        }
    }
}
// Deal with list here

Check here if you'd like to see more

You can use the lockoutTime attribute, but it's not necessarily trivial. The attribute holds the time the user was locked out at. So, if your domain has a single lockout policy, you can do a search for everyone whose lockoutTime value is greater than or equal to (UTC now - lockout duration).

If you have multiple lockout policies via fine-grained password policies, then this is not so easy, since you need to calculate it on a per-user basis.

If your domain has a permanent lockout (e.g. you must request an account unlock), you can search on greater than zero.
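The lockoutTime arithmetic this answer describes, worked through in C# as an added example (not code from any answer above): it reads the domain-wide lockoutDuration from the domain root, converts the threshold to the FILETIME scale lockoutTime uses, and builds the LDAP filter. It assumes the caller passes a bound DirectoryEntry for the domain head, handles the "permanent lockout" case, and ignores fine-grained password policies.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Reflection;

static class LockoutSearch
{
    // AD stores a lockoutDuration of "(never)" (GPO value 0) as Int64.MinValue.
    const long NeverUnlock = long.MinValue;

    // lockoutDuration comes back as a COM IADsLargeInteger; combine its halves.
    static long LargeIntegerToInt64(object li)
    {
        Type t = li.GetType();
        int hi = (int)t.InvokeMember("HighPart", BindingFlags.GetProperty, null, li, null);
        int lo = (int)t.InvokeMember("LowPart", BindingFlags.GetProperty, null, li, null);
        return ((long)hi << 32) | (uint)lo;
    }

    // Domain-wide lockout duration, stored as a negative 100-ns interval.
    // Returns TimeSpan.Zero for permanent lockout. Fine-grained policies are not consulted.
    public static TimeSpan ReadLockoutDuration(DirectoryEntry domainRoot)
    {
        long raw = LargeIntegerToInt64(domainRoot.Properties["lockoutDuration"].Value);
        return raw == NeverUnlock ? TimeSpan.Zero : TimeSpan.FromTicks(-raw);
    }

    // lockoutTime is a FILETIME (100-ns ticks since 1601-01-01 UTC), the same scale
    // DateTime.ToFileTimeUtc() produces, so the threshold compares directly in LDAP.
    public static string BuildFilter(DateTime utcNow, TimeSpan lockoutDuration)
    {
        long threshold = lockoutDuration == TimeSpan.Zero
            ? 1                                             // permanent: any non-zero lockoutTime
            : (utcNow - lockoutDuration).ToFileTimeUtc();  // still within the lockout window
        return "(&(objectCategory=person)(objectClass=user)(lockoutTime>=" + threshold + "))";
    }

    // Returns the sAMAccountNames of accounts that are still locked out right now.
    public static List<string> FindLockedOut(DirectoryEntry domainRoot)
    {
        var locked = new List<string>();
        string filter = BuildFilter(DateTime.UtcNow, ReadLockoutDuration(domainRoot));
        using (var searcher = new DirectorySearcher(domainRoot, filter, new[] { "sAMAccountName" }))
        using (SearchResultCollection results = searcher.FindAll())
        {
            foreach (SearchResult r in results)
                locked.Add((string)r.Properties["sAMAccountName"][0]);
        }
        return locked;
    }
}
```

Because the threshold is computed once from the default domain policy, users covered by a fine-grained password policy with a different lockout duration may be misclassified; confirm those with IsAccountLockedOut() as the accepted answer does.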
