
Can't get AD Attribute using DirectoryEntry (LAPS Attribute)

I'm having this issue where I can't retrieve an AD attribute via DirectoryEntry. I can get it via DirectorySearcher, but I'm unable to get or set it via DirectoryEntry.

The attribute needed is ms-Mcs-AdmPwdExpirationTime, which contains an NT timestamp. I have read and write access to this attribute.

DirectoryEntry C# error in console

Error HRESULT E_FAIL has been returned from a call to a COM component

I've tried using the following, yet I'm still unable to retrieve the attribute.

RefreshCache (string[] propertyNames);

EDIT:

ComputerPrincipal comp = ComputerPrincipal.FindByIdentity(ctx, MachineName);
DirectoryEntry de = (DirectoryEntry)comp.GetUnderlyingObject();
if (de.Properties.Contains("ms-Mcs-AdmPwd") == true)
{
    string Password = (String)de.Properties["ms-Mcs-AdmPwd"][0];
    Password_Input.Text = Password;
    DateTime NTTime = DateTime.FromFileTime(ConvertLargeIntegerToLong(de.Properties["ms-Mcs-AdmPwdExpirationTime"].Value));
    PasswordExpiry_Value.Text = NTTime.ToString("dd/MM/yyyy hh:mm:ss");
    Console.WriteLine();
}
else
{
    Password_Input.Text = "Password not set by LAPS";
}
// down the bottom of the .cs
private static long ConvertLargeIntegerToLong(object largeInteger)
{
    var type = largeInteger.GetType();
    var highPart = Convert.ToInt32(type.InvokeMember("HighPart", BindingFlags.GetProperty, null, largeInteger, null));
    var lowPart = Convert.ToInt32(type.InvokeMember("LowPart", BindingFlags.GetProperty, null, largeInteger, null));
    return (long)highPart << 32 | (uint)lowPart;
}

For setting properties in the past, I've used this for directory entries.

Path is the full LDAP path to the object, but you can substitute de in your example above. Hopefully that's enough to resolve your issue or at least point you in a direction.

There are also some other answers here on why you might be getting that error.

And here

    // Writes a single-valued attribute on the object at this.path_ and commits it.
    public Boolean set_AD_property(string attribute_, string new_value)
    {
        this.AD_object = new DirectoryEntry(this.path_);
        this.AD_object.Properties[attribute_].Value = new_value;
        try
        {
            // CommitChanges sends the cached change to the directory.
            this.AD_object.CommitChanges();
            this.AD_object.Close();
            return true;
        }
        catch (System.Exception)
        {
            return false;
        }
    }

And for reading:

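    // Reads a single-valued attribute from the object at this.path_.
    public object get_AD_property(string attribute_)
    {
        try
        {
            using (this.AD_object = new DirectoryEntry(this.path_))
            {
                return this.AD_object.Properties[attribute_].Value;
            }
        }
        catch (ArgumentNullException x)
        {
            // The exception is returned to the caller as the result, not thrown.
            return new ArgumentNullException(x.Message, x);
        }
    }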

Although this won't work for more complex properties like "members" or "memberOf".
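An added example, not part of the question or the answer above: it reads the expiry attribute through DirectorySearcher, the route the question reports as working, and converts the value whether it arrives as the Int64 a searcher returns or as the IADsLargeInteger COM object that DirectoryEntry returns. The class name LapsExpiry, its method names and the computerDn parameter are assumptions made for illustration.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;

// Hypothetical helper class; the names here are not from the original post.
static class LapsExpiry
{
    const string Attr = "ms-Mcs-AdmPwdExpirationTime";

    // Large-integer attributes come back as Int64 from DirectorySearcher and as
    // an ADSI IADsLargeInteger COM object from DirectoryEntry; accept both.
    public static long ToFileTime(object value)
    {
        if (value is long l) return l;
        Type t = value.GetType();
        int high = Convert.ToInt32(t.InvokeMember("HighPart", BindingFlags.GetProperty, null, value, null));
        int low = Convert.ToInt32(t.InvokeMember("LowPart", BindingFlags.GetProperty, null, value, null));
        // Widen the low part as unsigned so its top bit does not sign-extend.
        return ((long)high << 32) | (uint)low;
    }

    // computerDn is the computer object's distinguished name (assumed input).
    // Returns null when the attribute is absent or not readable by the caller.
    public static DateTime? Read(string computerDn)
    {
        using (var entry = new DirectoryEntry("LDAP://" + computerDn))
        using (var searcher = new DirectorySearcher(entry))
        {
            searcher.SearchScope = SearchScope.Base;      // only the object itself
            searcher.Filter = "(objectClass=computer)";
            searcher.PropertiesToLoad.Add(Attr);          // request just this attribute

            SearchResult result = searcher.FindOne();
            if (result == null || !result.Properties.Contains(Attr))
                return null;

            // The stored value is a Windows FILETIME (100 ns ticks since 1601, UTC).
            return DateTime.FromFileTimeUtc(ToFileTime(result.Properties[Attr][0]));
        }
    }
}
```

Because the confidential ms-Mcs-AdmPwd attribute is never requested here, an expiry check written this way does not pull the local administrator password into the application's memory or UI.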
