I'm trying to check this information for an app I'm developing...
I'm trying to query userAccountControl, but I've figured out AD doesn't update this correctly if it's set.
This is how I currently search userAccountControl:
    If (res.Properties.Contains("userAccountControl")) Then
        userAccountControl = doespasswordexpire(res.Properties("userAccountControl").Item(0))
        userAccountControlPNR = PasswordNotRequired(res.Properties("userAccountControl").Item(0))
        userAccountControlSCR = SmartCardRequired(res.Properties("userAccountControl").Item(0))
    Else
        userAccountControl = ""
        userAccountControlPNR = ""
        userAccountControlSCR = ""
    End If
How would I do this in ADSI or LDAP? I do not want to use PrincipalContext.
You cannot use the userAccountControl attribute to modify, or even query, the "cannot change password" setting. It's listed in Microsoft's documentation as a possible flag, but it doesn't work (not sure if it was ever intended to?).
To check if that is set you have to parse out the user's ACEs in their DACL. You can get that from the ntSecurityDescriptor attribute of the user and programmatically parse it. There's a good starting example of that in this thread.
Some additional MSDN info here: https://msdn.microsoft.com/en-us/library/aa746398.aspx
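
An added example, not part of the original answer: one way to do the DACL check described above in VB.NET with System.DirectoryServices. The module and function names are hypothetical, and treating a deny ACE for either SELF or Everyone as "cannot change password" is an assumption of this sketch.

```vb
Imports System.DirectoryServices
Imports System.Security.AccessControl
Imports System.Security.Principal

Module CannotChangePassword ' hypothetical name, not from the original post
    ' rightsGuid of the "Change Password" control access right.
    Private ReadOnly ChangePasswordRight As New Guid("ab721a53-1e2f-11d0-9819-00aa0040529b")

    ' rawSd: binary ntSecurityDescriptor value of the user object.
    ' With a DirectorySearcher, set searcher.SecurityMasks = SecurityMasks.Dacl and
    ' add "ntSecurityDescriptor" to PropertiesToLoad, then pass
    ' DirectCast(res.Properties("ntSecurityDescriptor")(0), Byte()).
    Function UserCannotChangePassword(rawSd As Byte()) As Boolean
        Dim sd As New ActiveDirectorySecurity()
        sd.SetSecurityDescriptorBinaryForm(rawSd)

        Dim selfSid As New SecurityIdentifier(WellKnownSidType.SelfSid, Nothing)
        Dim everyoneSid As New SecurityIdentifier(WellKnownSidType.WorldSid, Nothing)

        ' Walk explicit and inherited ACEs, with trustees returned as SIDs.
        For Each rule As ActiveDirectoryAccessRule In
                sd.GetAccessRules(True, True, GetType(SecurityIdentifier))
            ' Only deny ACEs on the Change Password extended right matter here.
            Dim isDenyChangePassword =
                rule.AccessControlType = AccessControlType.Deny AndAlso
                rule.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.ExtendedRight) AndAlso
                rule.ObjectType = ChangePasswordRight
            ' Assumption: a deny for SELF or Everyone counts as the setting being on.
            If isDenyChangePassword AndAlso
               (rule.IdentityReference.Equals(selfSid) OrElse
                rule.IdentityReference.Equals(everyoneSid)) Then
                Return True
            End If
        Next
        Return False
    End Function
End Module
```

Requesting only the DACL through SecurityMasks matters for accounts without audit privileges, since the default request also asks for the SACL and the attribute can then come back empty.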