
Unlock an Active Directory account via C#

I have a web/IIS server (Win2012R2) in which users authenticate against Active Directory (DC = Win2016). I cannot unlock an AD account via C# from this web server. How can I do it?

Things I have tried or proven:

  1. Creating a domain admin account and explicitly using those credentials when instantiating the PrincipalContext. Also logging into the domain controller with this admin account and unlocking the account successfully (manually). Whether I pass in a PrincipalContext with hard-coded credentials or not, I can confirm that the credentials are valid in either case (e.g. ctx.ValidateCredentials("my_user", "my_pwd")). I can confirm that my UserPrincipal is not null and that I am able to read the correct value of the user's locked status via IsAccountLockedOut().

  2. I can successfully unlock the account using PowerShell from the web server using any domain admin account.

Code:

using System.DirectoryServices.AccountManagement;
using System.Web;

string usr = HttpContext.Current.Session["CurrentUsername"].ToString();
// No credentials supplied: the bind runs as the IIS application pool identity
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, usr);

if (user != null && user.IsAccountLockedOut()) {
    user.UnlockAccount(); // the write that fails with "Access is denied" below
}

Error:

System.UnauthorizedAccessException: Access is denied.
at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
at System.DirectoryServices.DirectoryEntry.CommitChanges()
at System.DirectoryServices.AccountManagement.SDSUtils.WriteAttribute(String dePath, String attribute, Int32 value, NetCred credentials, AuthenticationTypes authTypes)
at System.DirectoryServices.AccountManagement.ADStoreCtx.WriteAttribute(Principal p, String attribute, Int32 value)
at System.DirectoryServices.AccountManagement.ADStoreCtx.UnlockAccount(AuthenticablePrincipal p)
at System.DirectoryServices.AccountManagement.AccountInfo.UnlockAccount()
at ASP.en_us_forgot_aspx.btnPassword_OnClick(Object sender, EventArgs e)

The context is not relevant here. The account running the web site process in IIS needs to have permission to do the unlock.

I have a site that does this, and I had to set the site in IIS to run using a special domain account created for that purpose that only has the exact specific permissions it needs. You don't need or want a full domain admin account exposed via a web site this way.

The issue in my code was related to not defining the PrincipalContext correctly. Once I followed the documentation example precisely for UserPrincipal Constructors, and discovered the OU path of the admin account I was using for the unlock, I solved the problem.

// PrincipalContext(ContextType, name, container, userName, password)
PrincipalContext ctx = new PrincipalContext(ContextType.Domain,
                                            "ad.domainname.com",
                                            "OU=SomeOU,DC=ad,DC=domainname,DC=com",
                                            "myadminuser",
                                            "MyPa$sW0rd");
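Putting the two answers together, as an added example that is not code from the original post: the unlock performed through a PrincipalContext bound with explicit credentials for a dedicated, least-privileged service account (not a domain admin), with the not-found, not-locked and access-denied cases returned as results instead of surfacing the stack trace above. AccountUnlocker, Outcome and the host, container and credential parameters are placeholders of mine; the caller is assumed to read the service credentials from protected configuration rather than hard-coding them.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class AccountUnlocker
{
    public enum Outcome { Unlocked, NotLocked, NotFound, AccessDenied }

    // host: domain or DC name; container: DN the lookup is rooted at;
    // serviceUser/servicePassword: a dedicated account that holds only the
    // write permission needed to clear the lockout on the target OU (assumed).
    public static Outcome Unlock(string samAccountName, string host, string container,
                                 string serviceUser, string servicePassword)
    {
        // Explicit credentials override the IIS app-pool identity. When they are
        // omitted, the process identity is what must hold the unlock right, which
        // is why the bare PrincipalContext(ContextType.Domain) above was denied.
        var options = ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;
        using (var ctx = new PrincipalContext(ContextType.Domain, host, container,
                                              options, serviceUser, servicePassword))
        {
            try
            {
                using (var user = UserPrincipal.FindByIdentity(
                           ctx, IdentityType.SamAccountName, samAccountName))
                {
                    if (user == null) return Outcome.NotFound;
                    if (!user.IsAccountLockedOut()) return Outcome.NotLocked;

                    // This is the directory write that requires permission on the object.
                    user.UnlockAccount();
                    return Outcome.Unlocked;
                }
            }
            catch (UnauthorizedAccessException)
            {
                // "Access is denied" from IAds.SetInfo: the bound identity (not the
                // signed-in web user) lacks write permission on the target account.
                return Outcome.AccessDenied;
            }
        }
    }
}
```

Log every call together with the signed-in web user and the target account, so that a self-service unlock page leaves an audit trail independent of the directory's own event log.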

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM