
Get members of Active Directory Group and check if they are active or inactive

I'm trying to search for users in AD and display them in a list box only when they are inactive. This is the code I have written:

    // Needs a reference to System.DirectoryServices.AccountManagement
    using System;
    using System.Windows.Forms;
    using System.DirectoryServices.AccountManagement;

    private void button1_Click(object sender, EventArgs e)
    {
        // Bind to the domain "DX", searching below the container "DC=RX,DC=PX,DC=com"
        PrincipalContext insPrincipalContext =
            new PrincipalContext(ContextType.Domain, "DX", "DC=RX,DC=PX,DC=com");

        ListUser(insPrincipalContext);
    }

    private void ListUser(PrincipalContext insPrincipalContext)
    {
        // Query-by-example object: Name = "*" matches every user
        UserPrincipal insUserPrincipal = new UserPrincipal(insPrincipalContext);
        insUserPrincipal.Name = "*";
        SearchUsers(insUserPrincipal);
    }

    private void SearchUsers(UserPrincipal parUserPrincipal)
    {
        listBox1.Items.Clear();
        PrincipalSearcher insPrincipalSearcher = new PrincipalSearcher();
        insPrincipalSearcher.QueryFilter = parUserPrincipal;
        PrincipalSearchResult<Principal> results = insPrincipalSearcher.FindAll();
        foreach (Principal p in results)
        {
            UserPrincipal theUser = p as UserPrincipal;
            if (theUser != null)
            {
                if (theUser.IsAccountLockedOut()) // Is this the same as Active or Inactive?
                {
                    listBox1.Items.Add(p);
                }
            }
        }
    }

So my question is whether theUser.IsAccountLockedOut() is the same as asking if the user is inactive? I know one might suggest that this question is a copy of Get members of Active Directory Group and check if they are enabled or disabled, but the problem here is I don't have test users to test on and I'm just starting with C#.

Thank You

IsAccountLockedOut corresponds to "Account is locked out" in the Active Directory account properties. This means that the account was locked due to too many bad password attempts.

There is another setting in the properties, "Account is disabled". This is often used by administrators (of Identity Management Systems in large enterprise environments) to disable an account if the corresponding person left the company. So the account cannot be used anymore, but it is still there and works for SID lookup (it will be displayed as a name in groups or ACLs).

Ask yourself what your intention is. What do you mean by "inactive"?

You can probably use this as a starting point:

if (theUser != null)
{
    if (theUser.IsAccountLockedOut())
    {
        // account locked out (too many bad password attempts)
    }

    // Enabled is a nullable bool; null means the value could not be read,
    // so only "== true" counts as enabled
    if (!(theUser.Enabled == true))
    {
        // account disabled
    }

    // LastLogon is a nullable DateTime; the lifted "<" is false when it is null,
    // hence the explicit null check first
    if (theUser.LastLogon == null ||
        theUser.LastLogon < DateTime.Now - TimeSpan.FromDays(150))
    {
        // never logged on or last logged on a long time ago
        // see below in the text for important notes !
    }
}

Checking for LastLogon can be useful to find orphaned accounts. But be aware that a woman may be on maternity leave :-)

Important

In Active Directory, there are two similar attributes:

  • LastLogon
  • LastLogonTimeStamp

See

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

for the difference. In short: only the LastLogonTimeStamp attribute is replicated between domain controllers and can be safely used for checking orphaned accounts. Even LastLogonTimeStamp is not really accurate, but it is sufficient for detecting "old" / unused accounts.

I have not yet checked to which of them UserPrincipal.LastLogon corresponds. Be careful.

I am in the process of writing my own library for searching in the AD, which is based on the System.DirectoryServices classes. This has some benefits: better control and better performance. If it is ready, I will probably make it public.
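The following is an added example, not code from the question or the answer above. It puts the three checks the answer distinguishes (locked out, disabled, stale) into one routine that walks the members of a group, which is what the question title asks for, and it reads the replicated lastLogonTimestamp attribute directly instead of relying on UserPrincipal.LastLogon, whose backing attribute the answer leaves open. Assumptions: the domain name "DX" and container "DC=RX,DC=PX,DC=com" are copied from the question, the group name is a placeholder, the 150-day threshold follows the answer, and DirectorySearcher is assumed to return lastLogonTimestamp as an Int64 FILETIME value.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

public class AccountReport
{
    public string SamAccountName;
    public bool LockedOut;              // "Account is locked out": too many bad passwords
    public bool Disabled;               // "Account is disabled": set by an administrator
    public DateTime? LastLogonTimestampUtc;
    public bool Stale;                  // never logged on, or not within StaleAfter
}

public static class GroupAudit
{
    public static readonly TimeSpan StaleAfter = TimeSpan.FromDays(150);

    // Pure classification rule, separated from the directory calls so it can be
    // reasoned about (or unit-tested) without a domain. "nowUtc" is passed in
    // rather than read from the clock for the same reason.
    public static AccountReport Classify(string sam, bool lockedOut, bool? enabled,
                                         DateTime? lastLogonTimestampUtc, DateTime nowUtc)
    {
        return new AccountReport
        {
            SamAccountName = sam,
            LockedOut = lockedOut,
            // Enabled is a nullable bool: treat "unknown" as not enabled.
            Disabled = enabled != true,
            LastLogonTimestampUtc = lastLogonTimestampUtc,
            Stale = lastLogonTimestampUtc == null
                    || lastLogonTimestampUtc < nowUtc - StaleAfter
        };
    }

    // Reads lastLogonTimestamp (the replicated attribute) from the user's own
    // directory object with a base-scope search. Assumption: the value comes
    // back as a long holding a Windows FILETIME.
    static DateTime? ReadLastLogonTimestamp(UserPrincipal user)
    {
        var entry = (DirectoryEntry)user.GetUnderlyingObject();
        using (var searcher = new DirectorySearcher(entry, "(objectClass=user)",
                                                    new[] { "lastLogonTimestamp" }, SearchScope.Base))
        {
            SearchResult r = searcher.FindOne();
            if (r == null || r.Properties["lastLogonTimestamp"].Count == 0)
                return null;                         // attribute never set: never logged on
            long fileTime = (long)r.Properties["lastLogonTimestamp"][0];
            return DateTime.FromFileTimeUtc(fileTime);
        }
    }

    // Walks the group (recursively, so nested group members are included) and
    // classifies every user found; non-user members (nested groups, computers)
    // are skipped.
    public static List<AccountReport> AuditGroup(PrincipalContext ctx, string groupName)
    {
        var reports = new List<AccountReport>();
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, groupName))
        {
            if (group == null)
                throw new ArgumentException("Group not found: " + groupName);

            foreach (Principal p in group.GetMembers(true))
            {
                var user = p as UserPrincipal;
                if (user == null) continue;
                reports.Add(Classify(user.SamAccountName,
                                     user.IsAccountLockedOut(),
                                     user.Enabled,
                                     ReadLastLogonTimestamp(user),
                                     DateTime.UtcNow));
            }
        }
        return reports;
    }

    public static void Main()
    {
        string groupName = "GROUP-NAME-PLACEHOLDER";   // placeholder, not a real group
        using (var ctx = new PrincipalContext(ContextType.Domain, "DX", "DC=RX,DC=PX,DC=com"))
        {
            foreach (AccountReport r in AuditGroup(ctx, groupName))
            {
                // Only accounts that are "inactive" in at least one of the three senses
                if (r.LockedOut || r.Disabled || r.Stale)
                    Console.WriteLine("{0}: lockedOut={1} disabled={2} stale={3} lastLogonTimestamp={4}",
                        r.SamAccountName, r.LockedOut, r.Disabled, r.Stale,
                        r.LastLogonTimestampUtc.HasValue ? r.LastLogonTimestampUtc.Value.ToString("u") : "never");
            }
        }
    }
}
```

The three flags are reported separately rather than collapsed into one "inactive" bit, because the answer's point is that they mean different things: a locked-out account belongs to someone who is still expected to log on, a disabled one is usually a leaver kept for SID resolution, and a stale one may simply be on leave. Which combination counts as "inactive" is a decision for the caller, and keeping Classify free of directory calls makes that decision easy to check against constructed inputs.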
