
userAccountControl

RF
Hi,

I am using the DirectoryServices class in .NET and would like to find some
information regarding "userAccountControl".

I'm adding user attributes (C#):
user.Properties["userAccountControl"].Add(512); // account is enabled
user.Properties["userAccountControl"].Add(514); // account is disabled

I stumbled across these values while enumerating other preloaded users.
Where can I find other values to set for "userAccountControl".

Also, how can I do the following (correct me if I'm wrong)
user.Properties["accountExpires"].Add(new Date()); // is this right?
user.Properties["logonHours"].Add(new Time()); // is this right?
user.Properties["accountLocked"].Add(true); // is this right?

Also, to reset the password of a user, do I call the setpassword again?
user.Invoke("SetPassword",new object[]{password});
Thanks a million,

Randy F.
Nov 15 '05 #1
RF
Thanks, Joe, for your help.

For the "accountLocked", what I meant was how I can programmatically lock
and unlock an account thru DirectoryServices.

TIA,
Randy

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:uR**************@TK2MSFTNGP10.phx.gbl...
The userAccountControl enum values are defined here:

http://msdn.microsoft.com/library/de...asp?frame=true
You can create your own enum in C#, set the values directly or import the
actual enum type from the activeds.dll COM object by setting a reference to it or using tlbimp.

Here is a sample for creating users, for reference:

http://msdn.microsoft.com/library/de...asp?frame=true
Make sure you call CommitChanges on a new object before trying to call
SetPassword for the first time, and make sure you have SSL set up correctly
on your DC to avoid having problems with this method, as SetPassword wants a 128-bit SSL connection under the hood as its primary protocol choice.

http://msdn.microsoft.com/library/de...asp?frame=true http://msdn.microsoft.com/library/de...asp?frame=true
Regarding setting accountExpires, that is an INTEGER8 AD datatype, so it is not set with a date value. This shows how to manipulate them:

http://msdn.microsoft.com/library/de...asp?frame=true
Note that INTEGER8 types that contain dates are actually stored as Windows
FileTime structures, so you can use the .NET DateTime.FromFileTime method to convert them directly.

logonHours is a binary (octet string) data type, so you need to pass in the appropriate byte array to set that value. I'm not sure what the syntax for that is.

accountLocked is not an AD attribute (at least in my schema).

HTH,

Joe K.
Nov 15 '05 #2
Gotcha. You need to set the ADS_UF_LOCKOUT flag in userAccountControl
enumerated value to "on". That will cause the account to be locked (or
unlocked for unset).

Joe K.

Nov 15 '05 #3
Correction: See Richard Mueller's post in microsoft.public.adsi.general
today under "WinNT-provider doesn't use supplied credentials". I believe
that flag doesn't actually work correctly and you need to do something
fancier. For some reason I always forget this because I never do this
programmatically.

Sorry,

Joe K.

Nov 15 '05 #4
RF
Thanks again,

Randy
Nov 15 '05 #5
Hi,

The IsAccountLocked property method (with the LDAP provider) returns the
same value whether the account is locked or not. However, this property
method can be used to unlock the account. Similarly, the userAccountControl
flag (with the mask ADS_UF_LOCKOUT = &H10) cannot be used to reveal if the
account is locked. Instead, when the account is locked out, the badPwdCount
attribute of the user object becomes equal to the domain setting for maximum
attempts (lockoutThreshold) and the lockoutTime attribute has a value
(corresponding to the date and time the account was locked out). If the
domain lockout reset window (lockoutDuration) expires, the account is no
longer locked out, but no attribute values change for the user object
(exposed by the LDAP provider). The only way to tell if the account is still
locked out is to add the domain lockoutDuration to the user lockoutTime,
convert to a date, and compare with Now to see if the duration has expired.

If the account is unlocked manually, badPwdCount is set to 0 and lockoutTime
is set to 0. If instead, the reset duration (the domain lockoutDuration)
expires, the account is no longer locked, but badPwdCount and lockoutTime
are unchanged. However, when the user logs on successfully, both of these
attributes are set to 0.

I have just tested and I find that you can manipulate the userAccountControl
attribute (with the LDAP provider) to unlock the account. The behaviour
seems strange, but it works. As you know, if you test userAccountControl
with the bit mask you find it never changes. If you use ADSI Edit to
monitor, you see that userAccountControl never changes when the account gets
locked out, or when you unlock it. However, you can toggle the bit with
code. When the account is locked out and you toggle the ADS_UF_LOCKOUT bit
the attribute value changes and the account remains locked out. If you then
toggle the bit again, the attribute returns to its original value, but the
account is now unlocked. Magic. Also, the badPwdCount and lockoutTime
attributes get zeroed.

Obviously, the userAccountControl attribute has some kind of bug.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
Nov 15 '05 #6
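The following is an added example, not code from anyone in this thread. It works through the two pieces of arithmetic the replies describe: decoding the userAccountControl bits Joe points to (512 / 514 from the question, ADS_UF_LOCKOUT = &H10 from Richard), converting the INTEGER8/FILETIME values behind accountExpires and lockoutTime, and applying Richard's rule that an account is still locked only while lockoutTime plus the domain lockoutDuration is later than now. It is written in Python rather than the thread's C#/DirectoryServices so the logic can be run on its own; the timestamps are constructed sample values, and the `utc` and `from_large_integer` helpers are the author's, not part of any Microsoft API.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# userAccountControl bits (ADS_USER_FLAG enumeration). 512 and 514 are the two
# values the question observed: normal account, and normal account + disabled.
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_LOCKOUT = 0x0010          # "&H10" in Richard's post; not a reliable lockout test
ADS_UF_NORMAL_ACCOUNT = 0x0200

# INTEGER8 date attributes (accountExpires, lockoutTime) are FILETIMEs:
# 100 ns ticks since 1601-01-01 00:00 UTC (what DateTime.FromFileTime expects).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF                 # accountExpires "never"
LOCKOUT_UNTIL_ADMIN_UNLOCKS = -0x8000000000000000   # lockoutDuration "forever"


def utc(*args: int) -> datetime:
    """Helper (not an AD API): build an aware UTC datetime from y, m, d[, hh, mm]."""
    return datetime(*args, tzinfo=timezone.utc)


def from_large_integer(high_part: int, low_part: int) -> int:
    """Combine the HighPart/LowPart pair that DirectoryServices hands back
    (IADsLargeInteger) for an INTEGER8 attribute into one signed 64-bit value."""
    return (high_part << 32) | (low_part & 0xFFFFFFFF)


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """FILETIME ticks -> aware UTC datetime; 0 and the 'never' sentinel give None."""
    if ticks <= 0 or ticks == FILETIME_NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME ticks, i.e. the integer you would store in accountExpires."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_uac(value: int) -> dict:
    """Split a userAccountControl integer into the flags discussed in the thread."""
    return {
        "normal_account": bool(value & ADS_UF_NORMAL_ACCOUNT),
        "disabled": bool(value & ADS_UF_ACCOUNTDISABLE),
        "lockout_bit": bool(value & ADS_UF_LOCKOUT),
    }


def is_locked_out(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """Richard's rule: locked only while lockoutTime + |lockoutDuration| > now.
    lockoutTime == 0 means not locked (or unlocked by an admin). lockoutDuration is
    stored on the domain object as a negative interval; its minimum int64 value means
    the account stays locked until an administrator unlocks it."""
    locked_at = filetime_to_datetime(lockout_time)
    if locked_at is None:
        return False
    if lockout_duration == LOCKOUT_UNTIL_ADMIN_UNLOCKS:
        return True
    return locked_at + timedelta(microseconds=abs(lockout_duration) // 10) > now


if __name__ == "__main__":
    # Constructed sample: locked out at 2005-11-15 00:00 UTC, domain lockoutDuration = 30 min.
    locked_at = datetime_to_filetime(utc(2005, 11, 15))
    thirty_minutes = -30 * 60 * 10_000_000
    print(decode_uac(514))
    print(is_locked_out(locked_at, thirty_minutes, utc(2005, 11, 15, 0, 20)))  # still locked
    print(is_locked_out(locked_at, thirty_minutes, utc(2005, 11, 15, 0, 40)))  # window expired
```

Because the lockoutTime value is not cleared when the window expires, a defender auditing lockouts should apply the window check rather than trusting a non-zero lockoutTime or the ADS_UF_LOCKOUT bit alone.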
Interesting. Thanks for the detailed investigation there. I'm going to
save that one.

Just out of curiosity, did you happen to test that on Win2K3 AD, or just
Win2K? I wonder if this is fixed or if the behavior is maintained for
backward compatibility. I don't have a Win2K3 AD to play with yet, so I
don't have an easy way to see.

Thanks again,

Joe K.

Nov 15 '05 #7
I've got W2k3, but have not yet installed it. I only tested on W2k. I don't
remember seeing in any reports that this was fixed.

Richard

Nov 15 '05 #8
