ADSI Account Lockout

Arran Pearce
Guest
 
Posts: n/a
#1: Nov 15 '05
Hi,

I am looking for a way to use System.DirectoryServices to find all users on
a domain whose accounts are either locked out or disabled. I have used
ADSIEdit and the mmc schema add-in to try and find properties for these
things but have not had any luck so far. Also, I did a search on the
Platform SDK docs. It has examples in VB and C++ but these are not using
DotNet and don't give any hint to a property that may be used. They seem to
call a method directly on an object, and I am sure that method is not
available as part of a DirectoryEntry class.

I have a feeling I may need to do an Invoke (as you do when you reset a user's
password from DotNet). If I do have to do this, then how can I do a search of
all users in a domain?

I would also like to be able to Enable or Disable an account from my
application (This is Account Lockout and Account Disabled).

Thanks for any help anyone can offer.

Arran



Peter Koen
Guest
 
Posts: n/a
#2: Nov 15 '05

re: ADSI Account Lockout

When you have your DirectoryEntry with a User (i.e. deUser), check the
userAccountControl flag property:

deUser.Properties["userAccountControl"].Value

If the account is locked due to expiration, you may want to check

deUser.Properties["accountExpires"].Value


--
best regards

Peter Koen
-----------------------------------
MCAD, CAI/R, CAI/S, CASE/RS, CAT/RS
http://www.kema.at
Jeffrey Tan[MSFT]
Guest
 
Posts: n/a
#3: Nov 15 '05

re: ADSI Account Lockout



Hi Arran,

Just as Peter said, you should use the userAccountControl property.
For locked-out and disabled accounts, you should refer to the ADS_UF_LOCKOUT and
ADS_UF_ACCOUNTDISABLE flags, which are defined in the ADS_USER_FLAG_ENUM enum.
Please refer to the ADS_USER_FLAG_ENUM enum at the link below:
http://msdn.microsoft.com/library/de...us/netdir/adsi/ads_user_flag_enum.asp

You can also find a small sample of how to enable and disable a user account:
http://msdn.microsoft.com/library/de...us/netdir/netds/enabling_and_disabling_the_user_account.asp

If you still have any questions, please feel free to let me know.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

--------------------
| From: "Arran Pearce" <arran.pearce@bacoll.ac.uk>
| Subject: ADSI Account Lockout
| Date: Thu, 23 Oct 2003 19:58:59 +0100
| Lines: 23
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <#m2xLdZmDHA.2676@TK2MSFTNGP11.phx.gbl>
| Newsgroups: microsoft.public.dotnet.languages.csharp
| NNTP-Posting-Host: host213-122-124-127.in-addr.btopenworld.com
213.122.124.127
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP11.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.languages.csharp:193614
| X-Tomcat-NG: microsoft.public.dotnet.languages.csharp
|
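
Added example, not code from any post in this thread: one way to answer the original question with System.DirectoryServices, letting the server test the ADS_UF_ACCOUNTDISABLE bit of userAccountControl through an LDAP bitwise filter. It assumes a domain-joined Windows host; class and method names are illustrative, and lockout is read from lockoutTime because Active Directory reports lockout state there (and in msDS-User-Account-Control-Computed) rather than in the ADS_UF_LOCKOUT bit of userAccountControl.

```csharp
using System;
using System.DirectoryServices;   // reference System.DirectoryServices.dll

// Added example: audit query for disabled and locked-out users.
// Class and method names are illustrative, not from the thread.
static class AccountAudit
{
    const int ADS_UF_ACCOUNTDISABLE = 0x0002;          // value quoted in the thread
    const string BitAnd = "1.2.840.113556.1.4.803";    // LDAP_MATCHING_RULE_BIT_AND
    const string Users = "(objectCategory=person)(objectClass=user)";

    // Matches users whose userAccountControl has the ACCOUNTDISABLE bit set.
    // The server performs the bit test, so only matching entries are returned.
    public static string DisabledFilter()
    {
        return "(&" + Users + "(userAccountControl:" + BitAnd + ":=" + ADS_UF_ACCOUNTDISABLE + "))";
    }

    // Matches users with a non-zero lockoutTime. AD leaves the timestamp in place
    // after the lockout window has elapsed, so compare it with the domain's
    // lockoutDuration if only currently locked accounts are wanted.
    public static string LockedOutFilter()
    {
        return "(&" + Users + "(lockoutTime>=1))";
    }

    static object First(SearchResult r, string attr, object fallback)
    {
        ResultPropertyValueCollection v = r.Properties[attr];
        return (v != null && v.Count > 0) ? v[0] : fallback;
    }

    static void Report(string title, string filter)
    {
        Console.WriteLine("== {0}: {1}", title, filter);
        // With no SearchRoot the searcher binds to the current user's domain.
        using (DirectorySearcher searcher = new DirectorySearcher(filter))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 500;   // paged search, so results are not cut off at the server limit
            searcher.PropertiesToLoad.Add("sAMAccountName");
            searcher.PropertiesToLoad.Add("userAccountControl");
            searcher.PropertiesToLoad.Add("lockoutTime");

            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    string name = First(r, "sAMAccountName", "(no name)").ToString();
                    int uac = Convert.ToInt32(First(r, "userAccountControl", 0));
                    // SearchResult returns large integers such as lockoutTime as Int64.
                    long locked = Convert.ToInt64(First(r, "lockoutTime", 0L));
                    Console.WriteLine("{0,-20} uac=0x{1:X} disabled={2} lockoutTime={3}",
                        name, uac, (uac & ADS_UF_ACCOUNTDISABLE) != 0,
                        locked == 0 ? "-" : DateTime.FromFileTimeUtc(locked).ToString("u"));
                }
            }
        }
    }

    static void Main()
    {
        Report("Disabled accounts", DisabledFilter());
        Report("Locked-out accounts", LockedOutFilter());
    }
}
```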

Arran Pearce
Guest
 
Posts: n/a
#4: Nov 15 '05

re: ADSI Account Lockout


Thanks for all your help.


Jeffrey Tan[MSFT]
Guest
 
Posts: n/a
#5: Nov 15 '05

re: ADSI Account Lockout



Hi Arran,

If you still have anything unclear, please feel free to tell me.
Have a nice weekend.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

--------------------
| From: "Arran Pearce" <arran.pearce@bacoll.ac.uk>
| References: <#m2xLdZmDHA.2676@TK2MSFTNGP11.phx.gbl>
<#HAV#kfmDHA.1772@cpmsftngxa06.phx.gbl>
| Subject: Re: ADSI Account Lockout
| Date: Fri, 24 Oct 2003 19:12:12 +0100
| Lines: 81
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <#ipErnlmDHA.988@TK2MSFTNGP10.phx.gbl>
| Newsgroups: microsoft.public.dotnet.languages.csharp
| NNTP-Posting-Host: host213-122-88-5.in-addr.btopenworld.com 213.122.88.5
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.languages.csharp:193875
| X-Tomcat-NG: microsoft.public.dotnet.languages.csharp
|

Arran Pearce
Guest
 
Posts: n/a
#6: Nov 15 '05

re: ADSI Account Lockout


In the example for enabling or disabling the account, it has this:

int val = (int) usr.Properties["userAccountControl"].Value;
usr.Properties["userAccountControl"].Value = val | ADS_UF_ACCOUNTDISABLE;

and

int val = (int) usr.Properties["userAccountControl"].Value;
usr.Properties["userAccountControl"].Value = val & ~ADS_UF_ACCOUNTDISABLE;

What is happening with the "val | ADS_UF_ACCOUNTDISABLE" and "val &
~ADS_UF_ACCOUNTDISABLE"?


Peter Koen
Guest
 
Posts: n/a
#7: Nov 15 '05

re: ADSI Account Lockout


v-jetan@online.microsoft.com ("Jeffrey Tan[MSFT]") wrote in
news:7Nh#KWsmDHA.1544@cpmsftngxa06.phx.gbl:

Hi Jeffrey,
> If you still have anything unclear, please feel free to tell me.
> Have a nice weekend.

Although I've already worked a lot with DirectoryServices, I'd have a question
about AccountExpiration.

In the Platform SDK I've learned that AccountExpires is disabled if it has
the value of -1 or a DateTime value if enabled. That's fine with C++. But
with DirectoryServices I get a DateTime property and I can't set the value
to -1.

How can I disable AccountExpires without falling back to unmanaged code or
COMInterop, P/Invoke calls?

--
best regards

Peter Koen
-----------------------------------
MCAD, CAI/R, CAI/S, CASE/RS, CAT/RS
http://www.kema.at
Jeffrey Tan[MSFT]
Guest
 
Posts: n/a
#8: Nov 15 '05

re: ADSI Account Lockout



Hi Peter,

In .NET, when you use DirectoryEntry to disable AccountExpires, I think you
can just set its value to -1; there is no need to convert -1 to a DateTime object,
because the Value of PropertyValueCollection is just an object.

Something like this:
DirectoryEntry usr = new DirectoryEntry("LDAP://CN=Jeff smith, OU=Sales, DC=Fabrikam, DC=Com");
DateTime dt = (DateTime) usr.Properties["AccountExpires"].Value;
usr.Properties["AccountExpires"].Value = -1;
usr.CommitChanges();

Anything wrong with doing this?

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

--------------------
| Subject: Re: ADSI Account Lockout
| From: Peter Koen <koen-newsreply&snusnu.at>
| References: <#m2xLdZmDHA.2676@TK2MSFTNGP11.phx.gbl>
<#HAV#kfmDHA.1772@cpmsftngxa06.phx.gbl>
<#ipErnlmDHA.988@TK2MSFTNGP10.phx.gbl>
<7Nh#KWsmDHA.1544@cpmsftngxa06.phx.gbl>
| Organization: Koen Electronic Media Agency
| User-Agent: Xnews/5.04.25
| Message-ID: <esolb2xmDHA.1740@TK2MSFTNGP12.phx.gbl>
| Newsgroups: microsoft.public.dotnet.languages.csharp
| Date: Sat, 25 Oct 2003 10:29:54 -0700
| NNTP-Posting-Host: ist.doch.alles.nur.belangloses.blablabla.at
212.24.113.98
| Lines: 1
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP12.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.languages.csharp:194035
| X-Tomcat-NG: microsoft.public.dotnet.languages.csharp
|

Jeffrey Tan[MSFT]
Guest
 
Posts: n/a
#9: Nov 15 '05

re: ADSI Account Lockout



Hi Arran,

~, |, & are the bitwise operators of the C# language.
You can find ADS_UF_ACCOUNTDISABLE in ADS_USER_FLAG_ENUM:
http://msdn.microsoft.com/library/de...us/netdir/adsi/ads_user_flag_enum.asp
that ADS_UF_ACCOUNTDISABLE = 0x0002;

0x0002's binary expression is 0000,0000,0000,0010, so ~0x0002 is
1111,1111,1111,1101.
val & ~ADS_UF_ACCOUNTDISABLE equals val & 1111,1111,1111,1101, which makes all
the other bits stay the same value as before; only the second bit becomes 0.
Then, when you invoke CommitChanges(), the .NET Framework will check the second bit of
the userAccountControl property, and 0 means enabled.

Likewise, val | ADS_UF_ACCOUNTDISABLE equals val | 0000,0000,0000,0010, which
makes all bits stay the same; the second bit becomes 1.
This disables the user account.

I hope I explained it clearly.
If anything is still unclear, please feel free to tell me.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

--------------------
| From: "Arran Pearce" <arran.pearce@bacoll.ac.uk>
| References: <#m2xLdZmDHA.2676@TK2MSFTNGP11.phx.gbl>
<#HAV#kfmDHA.1772@cpmsftngxa06.phx.gbl>
<#ipErnlmDHA.988@TK2MSFTNGP10.phx.gbl>
<7Nh#KWsmDHA.1544@cpmsftngxa06.phx.gbl>
| Subject: Re: ADSI Account Lockout
| Date: Sat, 25 Oct 2003 18:14:07 +0100
| Lines: 145
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <#Qe43rxmDHA.2772@TK2MSFTNGP10.phx.gbl>
| Newsgroups: microsoft.public.dotnet.languages.csharp
| NNTP-Posting-Host: host213-122-67-95.in-addr.btopenworld.com 213.122.67.95
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.languages.csharp:194030
| X-Tomcat-NG: microsoft.public.dotnet.languages.csharp
|
|
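
Added example, not part of any post in this thread: the two expressions from the sample, worked through on a constructed userAccountControl value, including what goes wrong if the flag is assigned instead of OR-ed in. ADS_UF_ACCOUNTDISABLE = 0x0002 is the value given above; the other two flag values are the standard ADS_USER_FLAG_ENUM constants, and the helper names are illustrative.

```csharp
using System;

// Subset of ADS_USER_FLAG_ENUM, declared locally so the sample runs without a directory.
[Flags]
enum UserFlags
{
    AccountDisable   = 0x0002,    // ADS_UF_ACCOUNTDISABLE (value from the thread)
    NormalAccount    = 0x0200,    // ADS_UF_NORMAL_ACCOUNT
    DontExpirePasswd = 0x10000    // ADS_UF_DONT_EXPIRE_PASSWD
}

static class UacBits
{
    const int ADS_UF_ACCOUNTDISABLE = 0x0002;

    // Set, clear and test the single bit; every other bit passes through unchanged.
    public static int Disable(int val)     { return val | ADS_UF_ACCOUNTDISABLE; }
    public static int Enable(int val)      { return val & ~ADS_UF_ACCOUNTDISABLE; }
    public static bool IsDisabled(int val) { return (val & ADS_UF_ACCOUNTDISABLE) != 0; }

    // 32-bit binary text in groups of four, the notation used in the explanation above
    // (the attribute is a 32-bit int, so the mask has 32 bits rather than 16).
    static string Bits(int val)
    {
        string raw = Convert.ToString(val, 2).PadLeft(32, '0');
        string[] groups = new string[8];
        for (int i = 0; i < 8; i++) groups[i] = raw.Substring(i * 4, 4);
        return string.Join(",", groups);
    }

    static void Show(string label, int val)
    {
        Console.WriteLine("{0,-28} {1}  0x{2:X8}  disabled={3}  [{4}]",
            label, Bits(val), val, IsDisabled(val), (UserFlags)val);
    }

    static void Main()
    {
        // Constructed sample: an enabled normal account whose password never expires.
        int val = (int)(UserFlags.NormalAccount | UserFlags.DontExpirePasswd);
        Show("start", val);
        Show("mask ~ADS_UF_ACCOUNTDISABLE", ~ADS_UF_ACCOUNTDISABLE);

        int disabled = Disable(val);
        Show("val | flag", disabled);
        Show("(val | flag) | flag", Disable(disabled));   // OR-ing twice changes nothing more

        int enabled = Enable(disabled);
        Show("val & ~flag", enabled);
        Show("(val & ~flag) & ~flag", Enable(enabled));   // AND-ing the mask twice changes nothing more

        // Pitfall: assigning the flag replaces the whole bit field, dropping
        // NormalAccount and DontExpirePasswd along with everything else.
        Show("val = flag", ADS_UF_ACCOUNTDISABLE);

        // Disable followed by Enable returns the original value bit for bit.
        Console.WriteLine("round trip unchanged: {0}", enabled == val);
    }
}
```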

Peter Koen
Guest
 
Posts: n/a
#10: Nov 15 '05

re: ADSI Account Lockout


v-jetan@online.microsoft.com ("Jeffrey Tan[MSFT]") wrote in
news:DFn7L5EnDHA.2808@cpmsftngxa06.phx.gbl:
> In .Net, when you use DirectoryEntry to disable AccountExpires, I
> think you can just set its value to -1, no need to convert -1 to
> DateTime object. Because, the Value of PropertyValueCollection is just
> a object.
>
> Something like this:
> DirectoryEntry usr = new DirectoryEntry("LDAP://CN=Jeff smith,
> OU=Sales, DC=Fabrikam, DC=Com")
> DateTime dt = (DateTime) usr.Properties["AccountExpires"].Value;
> usr.Properties["AccountExpires"].Value = -1;
> usr.CommitChanges();
>
> Anything wrong with doing this?

Yes, there is a lot wrong with this:

1) .NET can't convert -1 to DateTime. There is no suitable conversion.
2) DirectoryServices is implemented as an RCW on top of ADSI. In the
wrapper it tests for types. I can't assign a value of -1 to a DateTime
property.

The only way I could achieve this behaviour was calling the ADSI interfaces
directly.

I think there are a few serious design flaws in the DirectoryServices
object model. And it is very inconvenient that there is absolutely no
working .NET equivalent for ADSI stuff like IUser, IComputer.

Now with win2k3 it would be the time to bring a truly managed AD
interface, don't you think so?


--
------ooo---OOO---ooo------

Peter Koen - www.kema.at
MCAD CAI/RS CASE/RS IAT

------ooo---OOO---ooo------
Arran Pearce
Guest
 
Posts: n/a
#11: Nov 15 '05

re: ADSI Account Lockout


Yeah, I think I get it.

Will give it a try ASAP.

again many thanks for your help.

""Jeffrey Tan[MSFT]"" <v-jetan@online.microsoft.com> wrote in message
news:GW8xAGFnDHA.2624@cpmsftngxa06.phx.gbl...[color=blue]
>
> Hi Arran,
>
> ~, |, & are the bitwise operators of C# language.
> You can find ADS_UF_ACCOUNTDISABLEa in ADS_USER_FLAG_ENUM:
>[/color]
http://msdn.microsoft.com/library/de...us/netdir/adsi[color=blue]
> /ads_user_flag_enum.asp
> that ADS_UF_ACCOUNTDISABLE= 0x0002;
>
> 0x0002's binary expression is 0000,0000,0000,0010, so ~0x0002 is
> 1111,1111,1111,1101.
> val & ~ADS_UF_ACCOUNTDISABLE equals val&1111,1111,1111,1101 which makes[/color]
all[color=blue]
> the other bits stay the same value as before, only the second bit becomes[/color]
0.[color=blue]
> Then, when invoke CommitChanges(), .Net Framework will check second bit of
> userAccountControl property, and 0 means enable.
>
> Alike, val | ADS_UF_ACCOUNTDISABLE equals valu| 0000,0000,0000,0010 which
> makes all bits stay the same, second bit becomes 1.
> This makes diable the user account.
>
> Hope I explain clear.
> If you still have any unclear, please feel free to tell me.
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.
>
> --------------------
> | From: "Arran Pearce" <arran.pearce@bacoll.ac.uk>
> | References: <#m2xLdZmDHA.2676@TK2MSFTNGP11.phx.gbl>
> <#HAV#kfmDHA.1772@cpmsftngxa06.phx.gbl>
> <#ipErnlmDHA.988@TK2MSFTNGP10.phx.gbl>
> <7Nh#KWsmDHA.1544@cpmsftngxa06.phx.gbl>
> | Subject: Re: ADSI Account Lockout
> | Date: Sat, 25 Oct 2003 18:14:07 +0100
> | Lines: 145
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> | Message-ID: <#Qe43rxmDHA.2772@TK2MSFTNGP10.phx.gbl>
> | Newsgroups: microsoft.public.dotnet.languages.csharp
> | NNTP-Posting-Host: host213-122-67-95.in-addr.btopenworld.com[/color]
213.122.67.95[color=blue]
> | Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
> | Xref: cpmsftngxa06.phx.gbl[/color]
microsoft.public.dotnet.languages.csharp:194030[color=blue]
> | X-Tomcat-NG: microsoft.public.dotnet.languages.csharp
> |
> | In the example for enable or disable the account it has this:
> |
> | int val = (int) usr.Properties["userAccountControl"].Value;
> | usr.Properties["userAccountControl"].Value = val |[/color]
ADS_UF_ACCOUNTDISABLE;[color=blue]
> |
> | and
> |
> | int val = (int) usr.Properties["userAccountControl"].Value;
> | usr.Properties["userAccountControl"].Value = val &[/color]
~ADS_UF_ACCOUNTDISABLE;[color=blue]
> |
> | What is happening with the "val | ADS_UF_ACCOUNTDISABLE" and "val &
> | ~ADS_UF_ACCOUNTDISABLE"?
> |
> |
> |
> | ""Jeffrey Tan[MSFT]"" <v-jetan@online.microsoft.com> wrote in message
> | news:7Nh%23KWsmDHA.1544@cpmsftngxa06.phx.gbl...
> | >
> | > Hi Arran,
> | >
> | > If you still have anything unclear, please feel free to tell me.
> | > Have a nice weekend.
> | >
> | > Best regards,
> | > Jeffrey Tan
> | > Microsoft Online Partner Support
> | > Get Secure! - www.microsoft.com/security
> | > This posting is provided "as is" with no warranties and confers no rights.
> | >
> | > --------------------
> | > | From: "Arran Pearce" <arran.pearce@bacoll.ac.uk>
> | > | Subject: Re: ADSI Account Lockout
> | > | Date: Fri, 24 Oct 2003 19:12:12 +0100
> | > |
> | > | Thanks for all your help.
> | > |
> | > |
> | > | ""Jeffrey Tan[MSFT]"" <v-jetan@online.microsoft.com> wrote in message
> | > | news:%23HAV%23kfmDHA.1772@cpmsftngxa06.phx.gbl...
> | > | >
> | > | > Hi Arran,
> | > | >
> | > | > Just as Peter said, you should use the userAccountControl property.
> | > | > For Lockout and Disabled account, you should refer to ADS_UF_LOCKOUT and
> | > | > ADS_UF_ACCOUNTDISABLE flag which are defined in ADS_USER_FLAG_ENUM enum.
> | > | > Please refer to ADS_USER_FLAG_ENUM enum at the link below:
> | > | >
> | > | > http://msdn.microsoft.com/library/de...us/netdir/adsi/ads_user_flag_enum.asp
> | > | >
> | > | > You also can find a small sample of how to enable and disable a user
> | > | > account:
> | > | >
> | > | > http://msdn.microsoft.com/library/de...us/netdir/netds/enabling_and_disabling_the_user_account.asp
> | > | >
> | > | > If you still have any questions, please feel free to let me know.
> | > | >
> | > | > Best regards,
> | > | > Jeffrey Tan
> | > | > Microsoft Online Partner Support
> | > | > Get Secure! - www.microsoft.com/security
> | > | > This posting is provided "as is" with no warranties and confers no rights.
> | > | >
>[/color]


Willy Denoyette [MVP]
Guest
 
Posts: n/a
#12: Nov 15 '05

re: ADSI Account Lockout


Jeffrey,
> Anything wrong with doing this?
Yes,
- usr.Properties["AccountExpires"].Value doesn't contain a DateTime reference but a COM interface pointer to a LargeInteger object
(two 32 bit entities).
- the LargeInteger value returned contains a date in FileTime format not DateTime format, so you need to convert it.
- (-1) is indeed an invalid DateTime value but it's not invalid as FileTime value, so you need to take care when reading the
property and only convert to DateTime when it contains a valid DateTime date.
Herewith is a sample of how to set the "account never expires" property; it also shows you how to display a date from this property.
Willy.




using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using activedsnet;

class Tester
{
    public static void Main()
    {
        LargeInteger li = null;
        try
        {
            using (DirectoryEntry container = new DirectoryEntry("LDAP://Somehost/CN=Users,DC=xxx,DC=yyy,DC=zzz"))
            using (DirectorySearcher mySearcher = new DirectorySearcher(container))
            {
                mySearcher.Filter = "(samAccountName=denoyette)";
                mySearcher.PropertiesToLoad.Add("samAccountName");
                mySearcher.PropertiesToLoad.Add("accountExpires");
                SearchResult myResult = mySearcher.FindOne();
                if (myResult == null)
                {
                    Console.WriteLine("User not found");
                    return;
                }
                // Dispose the user's entry as well as the container
                using (DirectoryEntry userAccount = new DirectoryEntry(myResult.Path))
                {
                    PropertyCollection pcoll = userAccount.Properties;
                    // The PropertyValueCollection contains a COM interface pointer (ILargeInteger)
                    if (Marshal.IsComObject(pcoll["accountExpires"].Value))
                        Console.WriteLine("\t " + pcoll["accountExpires"].Value);
                    // Cast it to the right type
                    li = pcoll["accountExpires"].Value as LargeInteger;
                    // LowPart is a signed int: go through uint so it is not sign-extended into the high half
                    long date = ((long)li.HighPart << 32) | (uint)li.LowPart;
                    if ((li.HighPart == -1) && (li.LowPart == -1))
                    {
                        Console.WriteLine("Account never expires");
                    }
                    else
                    {
                        // Valid date, convert to DateTime format
                        // Note that this date is one day later than the date displayed in the Directory Users and Computers MMC
                        DateTime dt = DateTime.FromFileTime(date);
                        Console.WriteLine("DATE = {0:D}", dt);
                    }

                    // Now set "account never expires"
                    li.HighPart = -1;
                    li.LowPart = -1;
                    pcoll["accountExpires"].Value = li;
                    userAccount.CommitChanges();
                }
            }
        }
        finally
        {
            if (li != null)
                Marshal.ReleaseComObject(li);
        }
    }
}
// Use tlbimp to create the interop assembly activedsnet.dll (or whatever name you choose) from activeds.tlb
// Compile with : csc /r:activedsnet.dll ad3c.cs

Willy.

""Jeffrey Tan[MSFT]"" <v-jetan@online.microsoft.com> wrote in message news:DFn7L5EnDHA.2808@cpmsftngxa06.phx.gbl...
>
> Hi Peter,
>
> In .Net, when you use DirectoryEntry to disable AccountExpires, I think you
> can just set its value to -1, no need to convert -1 to DateTime object.
> Because, the Value of PropertyValueCollection is just an object.
>
> Something like this:
> DirectoryEntry usr = new DirectoryEntry("LDAP://CN=Jeff smith, OU=Sales, DC=Fabrikam, DC=Com");
> DateTime dt = (DateTime) usr.Properties["AccountExpires"].Value;
> usr.Properties["AccountExpires"].Value = -1;
> usr.CommitChanges();
>
> Anything wrong with doing this?
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.
>
> --------------------
> | Subject: Re: ADSI Account Lockout
> | From: Peter Koen <koen-newsreply&snusnu.at>
> | Date: Sat, 25 Oct 2003 10:29:54 -0700
> |
> | v-jetan@online.microsoft.com ("Jeffrey Tan[MSFT]") wrote in
> | news:7Nh#KWsmDHA.1544@cpmsftngxa06.phx.gbl:
> |
> | Hi Jeffrey,
> |
> | > If you still have anything unclear, please feel free to tell me.
> | > Have a nice weekend.
> |
> | Although I've already worked a lot with DirectoryServices I'd have a question
> | about AccountExpiration.
> |
> | In the Platform SDK I've learned that AccountExpires is disabled if it has
> | the value of -1 or a DateTime value if enabled. That's fine with C++. But
> | with directoryServices I get a DateTime property and I can't set the value
> | to -1.
> |
> | How can I disable AccountExpires without falling back to unmanaged code or
> | COMInterop, P/Invoke calls?
> |
> | --
> | best regards
> |
> | Peter Koen
> | -----------------------------------
> | MCAD, CAI/R, CAI/S, CASE/RS, CAT/RS
> | http://www.kema.at
> |
>


Peter Koen
Guest
 
Posts: n/a
#13: Nov 15 '05

re: ADSI Account Lockout


Thanks Willy!
That perfectly sorts out my problem with the accountExpires property!


--
------ooo---OOO---ooo------

Peter Koen - www.kema.at
MCAD CAI/RS CASE/RS IAT

------ooo---OOO---ooo------
Arran Pearce
Guest
 
Posts: n/a
#14: Nov 15 '05

re: ADSI Account Lockout


The enabling and disabling are working fine. However I am still having a
problem doing a search for all accounts that are disabled.

If I do a DirectoryEntry search with the following filter should it work?

"(&((objectClass=user)(userAccountControl="+AccountLockType.ACCOUNTDISABLE+")))"

AccountLockType.ACCOUNTDISABLE is an enum in my program which has a value of
0X0002


Jeffrey Tan[MSFT]
Guest
 
Posts: n/a
#15: Nov 15 '05

re: ADSI Account Lockout



Hi Arran,

I think you can refer to the DirectorySearcher class, and use it like this:
DirectorySearcher Searcher = new DirectorySearcher();
Searcher.Filter = "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))";
There is a sample in:
http://groups.yahoo.com/group/ADSIAN...es/message/531

Besides, you can find more information about Searching Active Directory in:
http://msdn.microsoft.com/library/de...us/netdir/ad/specifying_other_search_options.asp
(Especially "Creating a Query Filter" section)

Hope this helps,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

--------------------
| From: "Arran Pearce" <arran.pearce@bacoll.ac.uk>
| Subject: Re: ADSI Account Lockout
| Date: Tue, 28 Oct 2003 10:51:11 -0000
|
| The enabling and disabling are working fine. However I am still having a
| problem doing a search for all accounts that are disabled.
|
| If I do a DirectoryEntry search with the following filter should it work?
|
| "(&((objectClass=user)(userAccountControl="+AccountLockType.ACCOUNTDISABLE+")))"
|
| AccountLockType.ACCOUNTDISABLE is an enum in my program which has a value of
| 0X0002
|
|
|
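
Why a plain equality test on userAccountControl does not find disabled accounts while the bitwise-AND matching rule in the reply above does, as an added example (not code from the thread or from Microsoft). The class and method names and the sample userAccountControl values are constructed for illustration; the enum mirrors the one described in the question, and the sketch also shows that concatenating a C# enum into a filter string inserts its name unless it is cast to int.

```csharp
using System;

// Hypothetical names throughout; the enum mirrors the one described in the question.
enum AccountLockType { ACCOUNTDISABLE = 0x0002 }

static class DisabledFilterDemo
{
    const int NORMAL_ACCOUNT = 0x0200;       // ADS_UF_NORMAL_ACCOUNT
    const int DONT_EXPIRE_PASSWD = 0x10000;  // ADS_UF_DONT_EXPIRE_PASSWD
    const string BitAndRule = "1.2.840.113556.1.4.803"; // bitwise AND matching rule

    // "(userAccountControl=<mask>)" compares the whole integer.
    static bool EqualityMatch(int uac, int mask) { return uac == mask; }

    // "(userAccountControl:<BitAndRule>:=<mask>)" is true when every mask bit is set.
    static bool BitAndMatch(int uac, int mask) { return (uac & mask) == mask; }

    // Cast the enum to int: concatenating it directly inserts its name, not 2.
    static string DisabledUsersFilter()
    {
        return "(&(objectCategory=person)(userAccountControl:" + BitAndRule
             + ":=" + (int)AccountLockType.ACCOUNTDISABLE + "))";
    }

    static void Main()
    {
        int mask = (int)AccountLockType.ACCOUNTDISABLE;
        Console.WriteLine("enum concatenated : " + AccountLockType.ACCOUNTDISABLE);
        Console.WriteLine("filter to use     : " + DisabledUsersFilter());

        // Constructed userAccountControl values, not taken from a real directory.
        string[] names = { "enabled user", "disabled user", "disabled, password never expires" };
        int[] uacs = {
            NORMAL_ACCOUNT,
            NORMAL_ACCOUNT | mask,
            NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | mask
        };
        for (int i = 0; i < uacs.Length; i++)
            Console.WriteLine("{0,-34} uac={1,-6} equality={2,-6} bitAnd={3}",
                names[i], uacs[i], EqualityMatch(uacs[i], mask), BitAndMatch(uacs[i], mask));

        // The enable/disable sample quoted earlier in the thread uses the same bit:
        int disabled = NORMAL_ACCOUNT | mask;   // OR sets ACCOUNTDISABLE, other bits unchanged
        int enabled = disabled & ~mask;         // AND with the complement clears only that bit
        Console.WriteLine("{0} -> {1} -> {2}", NORMAL_ACCOUNT, disabled, enabled);
    }
}
```

The question's filter also wraps its two conditions in an extra pair of parentheses after `&`, which LDAP filter syntax does not allow; each condition is its own parenthesised item directly inside `(&...)`.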
