ADSI Account Lockout

  • Arran Pearce

    ADSI Account Lockout

    Hi,

    I am looking for a way to use System.DirectoryServices to find all users on
    a domain whose accounts are either locked out or disabled. I have used
    ADSIEdit and the mmc schema add-in to try and find properties for these
    things but have not had any luck so far. Also I did a search on the
    Platform SDK docs. It has examples in VB and C++ but these are not using
    DotNet and don't give any hint to a property that may be used. They seem to
    call a method directly on an object, and I am sure that method is not
    available as part of a DirectoryEntry class.

    I have a feeling I may need to do an Invoke (as you do when you reset a user's
    password from DotNet). If I do have to do this then how can I do a search of
    all users in a domain?

    I would also like to be able to Enable or Disable an account from my
    application (This is Account Lockout and Account Disabled).

    Thanks for any help anyone can offer.

    Arran


  • Peter Koen

    #2
    Re: ADSI Account Lockout


    When you have your DirectoryEntry with a User (i.e. deUser) check the
    userAccountControl Flag Property:

    deUser.Properties["userAccountControl"].Value

    If the account is locked due to expiration you may want to check

    deUser.Properties["accountExpires"].Value


    --
    best regards

    Peter Koen
    -----------------------------------
    MCAD, CAI/R, CAI/S, CASE/RS, CAT/RS


    • Jeffrey Tan[MSFT]

      #3
      RE: ADSI Account Lockout


      Hi Arran,

      Just as Peter said, you should use the userAccountControl property.
      For Lockout and Disabled accounts, you should refer to the ADS_UF_LOCKOUT and
      ADS_UF_ACCOUNTDISABLE flags, which are defined in the ADS_USER_FLAG_ENUM enum.
      Please refer to the ADS_USER_FLAG_ENUM enum at the link below:

      http://msdn.microsoft.com/library/de...us/netdir/adsi/ads_user_flag_enum.asp

      You can also find a small sample of how to enable and disable a user account:

      http://msdn.microsoft.com/library/de...us/netdir/netds/enabling_and_disabling_the_user_account.asp

      If you still have any questions, please feel free to let me know.

      Best regards,
      Jeffrey Tan
      Microsoft Online Partner Support
      Get Secure! - www.microsoft.com/security
      This posting is provided "as is" with no warranties and confers no rights.
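
A domain-wide search for the two account states asked about in this thread, using DirectorySearcher. This is an added example, not code from any poster or from MSDN. It assumes Active Directory reached over LDAP from a domain-joined host, where lockout is read from lockoutTime because the directory does not maintain the ADS_UF_LOCKOUT bit in the stored userAccountControl value; the class name and the default path are placeholders.

```csharp
using System;
using System.DirectoryServices;

static class AccountStateReport
{
    // LDAP_MATCHING_RULE_BIT_AND: matches when every bit of the operand
    // is set in the attribute value.
    const string BitAnd = "1.2.840.113556.1.4.803";
    const int ADS_UF_ACCOUNTDISABLE = 0x0002;
    const string UserObjects = "(objectCategory=person)(objectClass=user)";

    // Disabled accounts: bit 0x0002 is set in userAccountControl.
    static readonly string DisabledFilter =
        "(&" + UserObjects + "(userAccountControl:" + BitAnd + ":=" + ADS_UF_ACCOUNTDISABLE + "))";

    // Lockout candidates: lockoutTime is non-zero. The value stays set after the
    // lockout duration has elapsed until the next successful logon, so compare
    // the timestamp with the lockout policy before treating an account as locked.
    static readonly string LockedFilter = "(&" + UserObjects + "(lockoutTime>=1))";

    static void Report(DirectoryEntry root, string label, string filter)
    {
        using (var searcher = new DirectorySearcher(root, filter))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 500; // paged search, so large domains are not cut off at the server limit
            searcher.PropertiesToLoad.AddRange(
                new[] { "sAMAccountName", "userAccountControl", "lockoutTime" });

            using (SearchResultCollection results = searcher.FindAll())
            {
                Console.WriteLine("{0}: {1} account(s)", label, results.Count);
                foreach (SearchResult r in results)
                {
                    // Result property names are looked up in lower case.
                    var name = r.Properties["samaccountname"];
                    var uac = r.Properties["useraccountcontrol"];
                    var lockout = r.Properties["lockouttime"];

                    // Large-integer attributes come back from a search as Int64 file times.
                    long lockedAt = lockout.Count > 0 ? (long)lockout[0] : 0L;

                    Console.WriteLine("  {0,-24} uac=0x{1:X} lockoutTime={2}",
                        name.Count > 0 ? (string)name[0] : r.Path,
                        uac.Count > 0 ? (int)uac[0] : 0,
                        lockedAt > 0 ? DateTime.FromFileTimeUtc(lockedAt).ToString("u") : "-");
                }
            }
        }
    }

    static void Main(string[] args)
    {
        // Placeholder domain root; pass the real LDAP path as the first argument.
        string path = args.Length > 0 ? args[0] : "LDAP://DC=Fabrikam,DC=Com";
        using (var root = new DirectoryEntry(path))
        {
            Report(root, "Disabled", DisabledFilter);
            Report(root, "Locked out (lockoutTime set)", LockedFilter);
        }
    }
}
```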


      • Arran Pearce

        #4
        Re: ADSI Account Lockout

        Thanks for all your help.



        • Jeffrey Tan[MSFT]

          #5
          Re: ADSI Account Lockout


          Hi Arran,

          If you still have anything unclear, please feel free to tell me.
          Have a nice weekend.

          Best regards,
          Jeffrey Tan
          Microsoft Online Partner Support
          Get Secure! - www.microsoft.com/security
          This posting is provided "as is" with no warranties and confers no rights.


          • Arran Pearce

            #6
            Re: ADSI Account Lockout

            In the example for enable or disable the account it has this:

            int val = (int) usr.Properties["userAccountControl"].Value;
            usr.Properties["userAccountControl"].Value = val | ADS_UF_ACCOUNTDISABLE;

            and

            int val = (int) usr.Properties["userAccountControl"].Value;
            usr.Properties["userAccountControl"].Value = val & ~ADS_UF_ACCOUNTDISABLE;

            What is happening with the "val | ADS_UF_ACCOUNTDISABLE" and "val &
            ~ADS_UF_ACCOUNTDISABLE"?




            • Peter Koen

              #7
              Re: ADSI Account Lockout

              v-jetan@online.microsoft.com ("Jeffrey Tan[MSFT]") wrote in
              news:7Nh#KWsmDHA.1544@cpmsftngxa06.phx.gbl:

              Hi Jeffrey,

              > If you still have anything unclear, please feel free to tell me.
              > Have a nice weekend.

              Although I've already worked a lot with DirectoryServices I'd have a question
              about AccountExpiration.

              In the Platform SDK I've learned that AccountExpires is disabled if it has
              the value of -1 or a DateTime value if enabled. That's fine with C++. But
              with directoryServices I get a DateTime property and I can't set the value
              to -1.

              How can I disable AccountExpires without falling back to unmanaged code or
              COMInterop, P/Invoke calls?

              --
              best regards

              Peter Koen
              -----------------------------------
              MCAD, CAI/R, CAI/S, CASE/RS, CAT/RS


              • Jeffrey Tan[MSFT]

                #8
                Re: ADSI Account Lockout


                Hi Peter,

                In .Net, when you use DirectoryEntry to disable AccountExpires, I think you
                can just set its value to -1, no need to convert -1 to a DateTime object,
                because the Value of PropertyValueCollection is just an object.

                Something like this:
                DirectoryEntry usr = new DirectoryEntry("LDAP://CN=Jeff smith, OU=Sales, DC=Fabrikam, DC=Com");
                DateTime dt = (DateTime) usr.Properties["AccountExpires"].Value;
                usr.Properties["AccountExpires"].Value = -1;
                usr.CommitChanges();

                Anything wrong with doing this?

                Best regards,
                Jeffrey Tan
                Microsoft Online Partner Support
                Get Secure! - www.microsoft.com/security
                This posting is provided "as is" with no warranties and confers no rights.


                • Jeffrey Tan[MSFT]

                  #9
                  Re: ADSI Account Lockout


                  Hi Arran,

                  ~, |, & are the bitwise operators of the C# language.
                  You can find ADS_UF_ACCOUNTDISABLE in ADS_USER_FLAG_ENUM:

                  http://msdn.microsoft.com/library/de...us/netdir/adsi/ads_user_flag_enum.asp
                  that ADS_UF_ACCOUNTDISABLE = 0x0002;

                  0x0002's binary expression is 0000,0000,0000,0010, so ~0x0002 is
                  1111,1111,1111,1101.
                  val & ~ADS_UF_ACCOUNTDISABLE equals val & 1111,1111,1111,1101, which makes all
                  the other bits stay the same value as before; only the second bit becomes 0.
                  Then, when you invoke CommitChanges(), the .Net Framework will check the second bit of
                  the userAccountControl property, and 0 means enabled.

                  Likewise, val | ADS_UF_ACCOUNTDISABLE equals val | 0000,0000,0000,0010, which
                  makes all bits stay the same, except the second bit becomes 1.
                  This disables the user account.

                  I hope I explained this clearly.
                  If anything is still unclear, please feel free to tell me.

                  Best regards,
                  Jeffrey Tan
                  Microsoft Online Partner Support
                  Get Secure! - www.microsoft.com/security
                  This posting is provided "as is" with no warranties and confers no rights.
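
The two bitwise expressions explained in the reply above, run on constructed userAccountControl values and set beside the add/subtract shortcut, which gives the same result only when the bit starts in the expected state. This is an added example, not code from the thread or from MSDN; the class and method names are illustrative and the enum lists only a subset of ADS_USER_FLAG_ENUM.

```csharp
using System;
using System.Collections.Generic;

// Subset of ADS_USER_FLAG_ENUM, enough to make the bit changes visible.
[Flags]
enum UserFlags
{
    AccountDisable = 0x0002,
    Lockout = 0x0010,
    PasswdNotReqd = 0x0020,
    EncryptedTextPasswordAllowed = 0x0080,
    NormalAccount = 0x0200,
    DontExpirePasswd = 0x10000
}

static class UacBits
{
    const int Disable = (int)UserFlags.AccountDisable;

    // The forms from the thread: touch one bit, leave every other bit as it was.
    static int SetDisabled(int val) { return val | Disable; }
    static int ClearDisabled(int val) { return val & ~Disable; }

    // Arithmetic shortcuts: equivalent only when the bit is currently in the
    // opposite state; otherwise the carry or borrow spills into other flags.
    static int DisableByAdd(int val) { return val + Disable; }
    static int EnableBySubtract(int val) { return val - Disable; }

    // Hex value followed by the names of the known flags that are set.
    static string Show(int val)
    {
        var names = new List<string>();
        foreach (UserFlags f in Enum.GetValues(typeof(UserFlags)))
        {
            if ((val & (int)f) != 0) names.Add(f.ToString());
        }
        return string.Format("0x{0:X5}  {1}", val, string.Join(" | ", names));
    }

    static void Main()
    {
        // Constructed userAccountControl values, not read from a directory.
        int enabled = (int)(UserFlags.NormalAccount | UserFlags.DontExpirePasswd);
        int disabled = SetDisabled(enabled);

        Console.WriteLine("enabled account   : " + Show(enabled));
        Console.WriteLine("val | flag        : " + Show(disabled));
        Console.WriteLine("val & ~flag       : " + Show(ClearDisabled(disabled)));

        // The bitwise forms are idempotent: applying them again changes nothing.
        bool idempotent = SetDisabled(disabled) == disabled
                       && ClearDisabled(enabled) == enabled;
        Console.WriteLine("idempotent        : " + idempotent);

        // Same intent expressed with + and -, applied to an account that is
        // already in the requested state.
        Console.WriteLine("disabled + flag   : " + Show(DisableByAdd(disabled)));
        Console.WriteLine("enabled - flag    : " + Show(EnableBySubtract(enabled)));
    }
}
```

On the last two output lines the arithmetic forms change the disable bit in the wrong direction and alter unrelated flags, which is why the read-modify-write uses `|` and `& ~`.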

                  --------------------
                  | From: "Arran Pearce" <arran.pearce@b acoll.ac.uk>
                  | References: <#m2xLdZmDHA.26 76@TK2MSFTNGP11 .phx.gbl>
                  <#HAV#kfmDHA.17 72@cpmsftngxa06 .phx.gbl>
                  <#ipErnlmDHA.98 8@TK2MSFTNGP10. phx.gbl>
                  <7Nh#KWsmDHA.15 44@cpmsftngxa06 .phx.gbl>
                  | Subject: Re: ADSI Account Lockout
                  | Date: Sat, 25 Oct 2003 18:14:07 +0100
                  | Lines: 145
                  | X-Priority: 3
                  | X-MSMail-Priority: Normal
                  | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
                  | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
                  | Message-ID: <#Qe43rxmDHA.27 72@TK2MSFTNGP10 .phx.gbl>
                  | Newsgroups: microsoft.publi c.dotnet.langua ges.csharp
                  | NNTP-Posting-Host: host213-122-67-95.in-addr.btopenworl d.com 213.122.67.95
                  | Path: cpmsftngxa06.ph x.gbl!TK2MSFTNG P08.phx.gbl!TK2 MSFTNGP10.phx.g bl
                  | Xref: cpmsftngxa06.ph x.gbl microsoft.publi c.dotnet.langua ges.csharp:1940 30
                  | X-Tomcat-NG: microsoft.publi c.dotnet.langua ges.csharp
                  |
                  | In the example for enable or disable the account it has this:
                  |
                  | int val = (int) usr.Properties["userAccountCon trol"].Value;
                  | usr.Properties["userAccountCon trol"].Value = val | ADS_UF_ACCOUNTD ISABLE;
                  |
                  | and
                  |
                  | int val = (int) usr.Properties["userAccountCon trol"].Value;
                  | usr.Properties["userAccountCon trol"].Value = val & ~ADS_UF_ACCOUNT DISABLE;
                  |
                  | What is happening with the "val | ADS_UF_ACCOUNTD ISABLE" and "val &
                  | ~ADS_UF_ACCOUNT DISABLE"?
                  |
                  |
                  |
                  | ""Jeffrey Tan[MSFT]"" <v-jetan@online.mi crosoft.com> wrote in message
                  | news:7Nh%23KWsm DHA.1544@cpmsft ngxa06.phx.gbl. ..
                  | >
                  | > Hi Arran,
                  | >
                  | > If you still have anything unclear, please feel free to tell me.
                  | > Have a nice weekand.
                  | >
                  | > Best regards,
                  | > Jeffrey Tan
                  | > Microsoft Online Partner Support
                  | > Get Secure! - www.microsoft.com/security
                  | > This posting is provided "as is" with no warranties and confers no
                  rights.
                  | >
                  | > --------------------
                  | > | From: "Arran Pearce" <arran.pearce@b acoll.ac.uk>
                  | > | References: <#m2xLdZmDHA.26 76@TK2MSFTNGP11 .phx.gbl>
                  | > <#HAV#kfmDHA.17 72@cpmsftngxa06 .phx.gbl>
                  | > | Subject: Re: ADSI Account Lockout
                  | > | Date: Fri, 24 Oct 2003 19:12:12 +0100
                  | > | Lines: 81
                  | > | X-Priority: 3
                  | > | X-MSMail-Priority: Normal
                  | > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
                  | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
                  | > | Message-ID: <#ipErnlmDHA.98 8@TK2MSFTNGP10. phx.gbl>
                  | > | Newsgroups: microsoft.publi c.dotnet.langua ges.csharp
                  | > | NNTP-Posting-Host: host213-122-88-5.in-addr.btopenworl d.com
                  213.122.88.5
                  | > | Path: cpmsftngxa06.ph x.gbl!TK2MSFTNG P08.phx.gbl!TK2 MSFTNGP10.phx.g bl
                  | > | Xref: cpmsftngxa06.ph x.gbl
                  | microsoft.publi c.dotnet.langua ges.csharp:1938 75
                  | > | X-Tomcat-NG: microsoft.publi c.dotnet.langua ges.csharp
                  | > |
                  | > | Thanks for all your help.
                  | > |
                  | > |
                  | > | ""Jeffrey Tan[MSFT]"" <v-jetan@online.microsoft.com> wrote in message
                  | > | news:%23HAV%23kfmDHA.1772@cpmsftngxa06.phx.gbl...
                  | > | >
                  | > | > Hi Arran,
                  | > | >
                  | > | > Just as Peter said, you should use the userAccountControl property.
                  | > | > For Lockout and Disabled account, you should refer to ADS_UF_LOCKOUT and
                  | > | > ADS_UF_ACCOUNTDISABLE flag which are defined in ADS_USER_FLAG_ENUM enum.
                  | > | > Please refer to ADS_USER_FLAG_ENUM enum at the link below:
                  | > | >
                  | > | > http://msdn.microsoft.com/library/de...us/netdir/adsi/ads_user_flag_enum.asp
                  | > | >
                  | > | > You also can find a small sample of how to enable and disable a user account:
                  | > | >
                  | > | > http://msdn.microsoft.com/library/de...us/netdir/netds/enabling_and_disabling_the_user_account.asp
                  | > | >
                  | > | > If you still have any questions, please feel free to let me know.
                  | > | >
                  | > | > Best regards,
                  | > | > Jeffrey Tan
                  | > | > Microsoft Online Partner Support
                  | > | > Get Secure! - www.microsoft.com/security
                  | > | > This posting is provided "as is" with no warranties and confers no rights.
                  | > | >
                  | > | > --------------------
                  | > | > | From: "Arran Pearce" <arran.pearce@bacoll.ac.uk>
                  | > | > | Subject: ADSI Account Lockout
                  | > | > | Date: Thu, 23 Oct 2003 19:58:59 +0100
                  | > | > |
                  | > | > | Hi,
                  | > | > |
                  | > | > | I am looking for a way to use System.DirectoryServices to find all users on
                  | > | > | a domain whose accounts are either locked out or disabled. I have used
                  | > | > | ADSIEdit and the mmc schema add-in to try and find properties for these
                  | > | > | things but have not had any luck so far. Also i did a search on the
                  | > | > | Platform SDK doc's. It has examples in VB and C++ but these are not using
                  | > | > | DotNet and don't give any hint to a property that may be used. They seem to
                  | > | > | call a method directly on a object, and i am sure that method is not
                  | > | > | available as part of a DirectoryEntry class.
                  | > | > |
                  | > | > | I have a feeling i may need to do a Invoke (as you do when you reset a users
                  | > | > | password from DotNet) if i do have to do this then how can i do a search of
                  | > | > | all users in a domain?
                  | > | > |
                  | > | > | I would also like to be able to Enable or Disable a account from my
                  | > | > | application (This is Account Lockout and Account Disabled).
                  | > | > |
                  | > | > | thanks for any help anyone can offer.
                  | > | > |
                  | > | > | Arran
                  | > | > |
                  | > | > |
                  | > | > |
                  | > | >
                  | > |
                  | > |
                  | > |
                  | >
                  |
                  |
                  |

                  Comment

                  • Peter Koen

                    #10
                    Re: ADSI Account Lockout

                    v-jetan@online.microsoft.com ("Jeffrey Tan[MSFT]") wrote in
                    news:DFn7L5EnDHA.2808@cpmsftngxa06.phx.gbl:

                    > In .Net, when you use DirectoryEntry to disable AccountExpires, I
                    > think you can just set its value to -1, no need to convert -1 to
                    > DateTime object. Because, the Value of PropertyValueCollection is just
                    > a object.
                    >
                    > Something like this:
                    > DirectoryEntry usr = new DirectoryEntry("LDAP://CN=Jeff smith, OU=Sales, DC=Fabrikam, DC=Com");
                    > DateTime dt = (DateTime) usr.Properties["AccountExpires"].Value;
                    > usr.Properties["AccountExpires"].Value = -1;
                    > usr.CommitChanges();
                    >
                    > Anything wrong with doing this?

                    Yes, there is a lot wrong with this:

                    1) .NET can't convert -1 to DateTime. There is no suitable conversion.
                    2) DirectoryServices is implemented as an RCW on top of the ADSI. In the
                    wrapper it tests for types. I can't assign a value of -1 to a DateTime
                    property.

                    The only way I could achieve this behaviour was calling the ADSI interfaces
                    directly.

                    I think there are a few serious design flaws in the DirectoryServices
                    object model. And it is very inconvenient that there is absolutely no
                    working .NET equivalent for ADSI stuff like IUser, IComputer.

                    Now with win2k3 it would be the time to bring a truly managed AD
                    interface, don't you think so?


                    --
                    ------ooo---OOO---ooo------

                    Peter Koen - www.kema.at
                    MCAD CAI/RS CASE/RS IAT

                    ------ooo---OOO---ooo------

                    Comment

                    • Arran Pearce

                      #11
                      Re: ADSI Account Lockout

                      yeah i think i get it.

                      will give it a try asap.

                      again many thanks for your help.

                      ""Jeffrey Tan[MSFT]"" <v-jetan@online.microsoft.com> wrote in message
                      news:GW8xAGFnDHA.2624@cpmsftngxa06.phx.gbl...
                      >
                      > Hi Arran,
                      >
                      > ~, |, & are the bitwise operators of C# language.
                      > You can find ADS_UF_ACCOUNTDISABLE in ADS_USER_FLAG_ENUM:
                      > http://msdn.microsoft.com/library/de...us/netdir/adsi/ads_user_flag_enum.asp
                      > that ADS_UF_ACCOUNTDISABLE = 0x0002;
                      >
                      > 0x0002's binary expression is 0000,0000,0000,0010, so ~0x0002 is
                      > 1111,1111,1111,1101.
                      > val & ~ADS_UF_ACCOUNTDISABLE equals val & 1111,1111,1111,1101 which makes all
                      > the other bits stay the same value as before, only the second bit becomes 0.
                      > Then, when invoke CommitChanges(), .Net Framework will check second bit of
                      > userAccountControl property, and 0 means enable.
                      >
                      > Alike, val | ADS_UF_ACCOUNTDISABLE equals val | 0000,0000,0000,0010 which
                      > makes all bits stay the same, second bit becomes 1.
                      > This disables the user account.
                      >
                      > Hope I explained clearly.
                      > If anything is still unclear, please feel free to tell me.
                      >
                      > Best regards,
                      > Jeffrey Tan
                      > Microsoft Online Partner Support
                      > Get Secure! - www.microsoft.com/security
                      > This posting is provided "as is" with no warranties and confers no rights.
                      >
                      > --------------------
                      > | From: "Arran Pearce" <arran.pearce@bacoll.ac.uk>
                      > | Subject: Re: ADSI Account Lockout
                      > | Date: Sat, 25 Oct 2003 18:14:07 +0100
                      > |
                      > | In the example for enable or disable the account it has this:
                      > |
                      > | int val = (int) usr.Properties["userAccountControl"].Value;
                      > | usr.Properties["userAccountControl"].Value = val | ADS_UF_ACCOUNTDISABLE;
                      > |
                      > | and
                      > |
                      > | int val = (int) usr.Properties["userAccountControl"].Value;
                      > | usr.Properties["userAccountControl"].Value = val & ~ADS_UF_ACCOUNTDISABLE;
                      > |
                      > | What is happening with the "val | ADS_UF_ACCOUNTDISABLE" and "val &
                      > | ~ADS_UF_ACCOUNTDISABLE"?
                      > |
                      > |
                      > |
                      > | ""Jeffrey Tan[MSFT]"" <v-jetan@online.microsoft.com> wrote in message
                      > | news:7Nh%23KWsmDHA.1544@cpmsftngxa06.phx.gbl...
                      > | >
                      > | > Hi Arran,
                      > | >
                      > | > If you still have anything unclear, please feel free to tell me.
                      > | > Have a nice weekend.
                      > | >
                      > | > Best regards,
                      > | > Jeffrey Tan
                      > | > Microsoft Online Partner Support
                      > | > Get Secure! - www.microsoft.com/security
                      > | > This posting is provided "as is" with no warranties and confers no rights.
                      > | >


                      Comment

                      • Willy Denoyette [MVP]

                        #12
                        Re: ADSI Account Lockout

                        Jeffrey,

                        > Anything wrong with doing this?
                        Yes,
                        - usr.Properties["AccountExpires"].Value doesn't contain a DateTime reference but a COM interface pointer to a LargeInteger object
                        (two 32 bit entities).
                        - the LargeInteger value returned contains a date in Fileformat not DateTime format, so you need to convert it.
                        - (-1) is indeed an invalid DateTime value but it's not invalid as FileTime value, so you need to take care when reading the
                        property and only convert to DateTime when it contains a valid DateTime date.
                        Herewith is a sample how to set the "account never expires" property, it also shows you how to display a date from this property.
                        Willy.




                        using System;
                        using System.DirectoryServices;
                        using System.Runtime.InteropServices;
                        using activedsnet;

                        class Tester
                        {
                            public static void Main()
                            {
                                LargeInteger li = null;
                                try
                                {
                                    using (DirectoryEntry searchRoot = new DirectoryEntry("LDAP://Somehost/CN=Users,DC=xxx,DC=yyy,DC=zzz"))
                                    using (DirectorySearcher mySearcher = new DirectorySearcher(searchRoot))
                                    {
                                        mySearcher.Filter = "(samAccountName=denoyette)";
                                        mySearcher.PropertiesToLoad.Add("samAccountName");
                                        mySearcher.PropertiesToLoad.Add("accountExpires");
                                        SearchResult myResult = mySearcher.FindOne();
                                        if (myResult == null)
                                        {
                                            Console.WriteLine("User not found");
                                            return;
                                        }
                                        // Bind to the user object itself so that it is disposed separately from the search root
                                        using (DirectoryEntry userAccount = new DirectoryEntry(myResult.Path))
                                        {
                                            PropertyCollection pcoll = userAccount.Properties;
                                            // PropertyValueCollection contains a COM interface pointer (IADsLargeInteger)
                                            if (Marshal.IsComObject(pcoll["accountExpires"].Value))
                                                Console.WriteLine("\t " + pcoll["accountExpires"].Value);
                                            // Cast it to the right type
                                            li = pcoll["accountExpires"].Value as LargeInteger;
                                            if (li == null)
                                            {
                                                Console.WriteLine("accountExpires is not set");
                                                return;
                                            }
                                            // Combine the two 32-bit halves; LowPart is cast to uint so that a
                                            // negative LowPart does not sign-extend into the high half
                                            long date = ((long)li.HighPart << 32) + (uint)li.LowPart;
                                            // -1 is the value used in this thread; 0 and 0x7FFFFFFFFFFFFFFF also mean
                                            // "never expires" and cannot be passed to DateTime.FromFileTime
                                            if (((li.HighPart == -1) && (li.LowPart == -1)) || date == 0 || date == long.MaxValue)
                                            {
                                                Console.WriteLine("Account never expires");
                                            }
                                            else
                                            {
                                                // Valid date, convert to DateTime format
                                                // Note that this date is one later than the date displayed in the Directory Users and Computers MMC
                                                DateTime dt = DateTime.FromFileTime(date);
                                                Console.WriteLine("DATE = {0:D}", dt);
                                            }

                                            // Now set "account never expires"
                                            li.HighPart = -1;
                                            li.LowPart = -1;
                                            pcoll["accountExpires"].Value = li;
                                            userAccount.CommitChanges();
                                        }
                                    }
                                }
                                finally
                                {
                                    // Release the COM LargeInteger wrapper, if one was obtained
                                    if (li != null)
                                        Marshal.ReleaseComObject(li);
                                }
                            }
                        }
                        // Use tlbimp to create the interop assembly (IA) activedsnet.dll (or whatever name you choose) from activeds.tlb
                        // Compile with: csc /r:activedsnet.dll ad3c.cs

                        Willy.

                        ""Jeffrey Tan[MSFT]"" <v-jetan@online.microsoft.com> wrote in message news:DFn7L5EnDHA.2808@cpmsftngxa06.phx.gbl...
                        >
                        > Hi Peter,
                        >
                        > In .Net, when you use DirectoryEntry to disable AccountExpires, I think you
                        > can just set its value to -1, no need to convert -1 to DateTime object.
                        > Because, the Value of PropertyValueCollection is just a object.
                        >
                        > Something like this:
                        > DirectoryEntry usr = new DirectoryEntry("LDAP://CN=Jeff smith, OU=Sales, DC=Fabrikam, DC=Com");
                        > DateTime dt = (DateTime) usr.Properties["AccountExpires"].Value;
                        > usr.Properties["AccountExpires"].Value = -1;
                        > usr.CommitChanges();
                        >
                        > Anything wrong with doing this?
                        >
                        > Best regards,
                        > Jeffrey Tan
                        > Microsoft Online Partner Support
                        > Get Secure! - www.microsoft.com/security
                        > This posting is provided "as is" with no warranties and confers no rights.
                        >
                        > --------------------
                        > | Subject: Re: ADSI Account Lockout
                        > | From: Peter Koen <koen-newsreply&snusnu.at>
                        > | Organization: Koen Electronic Media Agency
                        > | Date: Sat, 25 Oct 2003 10:29:54 -0700
                        > |
                        > | v-jetan@online.microsoft.com ("Jeffrey Tan[MSFT]") wrote in
                        > | news:7Nh#KWsmDHA.1544@cpmsftngxa06.phx.gbl:
                        > |
                        > | Hi Jeffrey,
                        > |
                        > | > If you still have anything unclear, please feel free to tell me.
                        > | > Have a nice weekend.
                        > |
                        > | Although I've already worked a lot with DirectoryServices I'd have a question
                        > | about AccountExpiration.
                        > |
                        > | In the Platform SDK I've learned that AccountExpires is disabled if it has
                        > | the value of -1 or a DateTime value if enabled. That's fine with C++. But
                        > | with directoryServices I get a DateTime property and I can't set the value
                        > | to -1.
                        > |
                        > | How can I disable AccountExpires without falling back to unmanaged code or
                        > | COMInterop, P/Invoke calls?
                        > |
                        > | --
                        > | best regards
                        > |
                        > | Peter Koen
                        > | -----------------------------------
                        > | MCAD, CAI/R, CAI/S, CASE/RS, CAT/RS
                        > | http://www.kema.at
                        > |
                        >


                        Comment

                        • Peter Koen

                          #13
                          Re: ADSI Account Lockout

                          Thanks Willy!
                          That perfectly sorts out my problem with the accountExpires property!


                          --
                          ------ooo---OOO---ooo------

                          Peter Koen - www.kema.at
                          MCAD CAI/RS CASE/RS IAT

                          ------ooo---OOO---ooo------

                          Comment

                          • Arran Pearce

                            #14
                            Re: ADSI Account Lockout

                            The enabling and disabling are working fine. However i am still having a
                            problem doing a search for all accounts that are disabled.

                            If i do a DirectoryEntry search with the following filter should it work?

                            "(&((objectClass=user)(userAccountControl="+AccountLockType.ACCOUNTDISABLE+")))"

                            AccountLockType.ACCOUNTDISABLE is a enum in my program which has a value of
                            0X0002


                            Comment

                            • Jeffrey Tan[MSFT]

                              #15
                              Re: ADSI Account Lockout


                              Hi Arran,

                              I think you can refer to DirectorySearcher class, and use like this:
                              DirectorySearcher Searcher = new DirectorySearcher();
                              Searcher.Filter = "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))";
                              There is a sample in:


                              Beside, you can find more information about Searching Active Directory in:

                              pecifying_other_search_options.asp
                              (Especially "Creating a Query Filter" section)

                              Hope this helps,
                              Jeffrey Tan
                              Microsoft Online Partner Support
                              Get Secure! - www.microsoft.com/security
                              This posting is provided "as is" with no warranties and confers no rights.

                              --------------------
                              | From: "Arran Pearce" <arran.pearce@bacoll.ac.uk>
                              | Subject: Re: ADSI Account Lockout
                              | Date: Tue, 28 Oct 2003 10:51:11 -0000
                              |
                              | The enabling and disabling are working fine. However i am still having a
                              | problem doing a search for all accounts that are disabled.
                              |
                              | If i do a DirectoryEntry search with the following filter should it work?
                              |
                              | "(&((objectClass=user)(userAccountControl="+AccountLockType.ACCOUNTDISABLE+")))"
                              |
                              | AccountLockType.ACCOUNTDISABLE is a enum in my program which has a value of
                              | 0X0002
                              |
                              |
                              |

                              Comment
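The difference between the equality filter asked about in #14 and the bitwise filter given in #15, as an added example that is not part of any post in the thread. The class name, the constructed sample values, the extra objectClass=user clause, the page size and the LDAP path passed on the command line are assumptions; ADS_UF_NORMAL_ACCOUNT and ADS_UF_DONT_EXPIRE_PASSWD come from the same ADS_USER_FLAG_ENUM but are not quoted in the thread.

```csharp
using System;
using System.DirectoryServices;

class DisabledAccountSearch
{
    // ADS_USER_FLAG_ENUM values. Only ADS_UF_ACCOUNTDISABLE is quoted in the thread;
    // the other two are taken from the same enum to build the sample data.
    const int ADS_UF_ACCOUNTDISABLE     = 0x0002;
    const int ADS_UF_NORMAL_ACCOUNT     = 0x0200;
    const int ADS_UF_DONT_EXPIRE_PASSWD = 0x10000;

    // OID of the bitwise-AND matching rule that appears in the filter from post #15.
    const string BitAndRule = "1.2.840.113556.1.4.803";

    // "(userAccountControl=2)": true only when the whole attribute value is exactly 2.
    static bool EqualityMatch(int uac, int flag) { return uac == flag; }

    // "(userAccountControl:1.2.840.113556.1.4.803:=2)": true when every bit of the
    // flag is set in the attribute, whatever the other bits are.
    static bool BitAndMatch(int uac, int flag) { return (uac & flag) == flag; }

    static string BuildFlagFilter(int flag)
    {
        // objectClass=user is added here (assumption) to keep contact objects out of the result.
        return "(&(objectCategory=person)(objectClass=user)(userAccountControl:"
             + BitAndRule + ":=" + flag + "))";
    }

    static void Main(string[] args)
    {
        // Constructed sample values, not read from any directory.
        int[] samples = {
            ADS_UF_NORMAL_ACCOUNT,
            ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE,
            ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE | ADS_UF_DONT_EXPIRE_PASSWD,
            ADS_UF_ACCOUNTDISABLE
        };

        Console.WriteLine("Filter: " + BuildFlagFilter(ADS_UF_ACCOUNTDISABLE));
        foreach (int uac in samples)
        {
            // Last column: the value after "val & ~ADS_UF_ACCOUNTDISABLE" (account enabled).
            Console.WriteLine("uac=0x{0:X5}  equality={1,-5}  bit-AND={2,-5}  enabled=0x{3:X5}",
                uac,
                EqualityMatch(uac, ADS_UF_ACCOUNTDISABLE),
                BitAndMatch(uac, ADS_UF_ACCOUNTDISABLE),
                uac & ~ADS_UF_ACCOUNTDISABLE);
        }

        if (args.Length == 0)
            return; // no LDAP path given: offline demonstration only

        // args[0] is an LDAP path supplied by the caller, e.g. LDAP://DC=example,DC=com (placeholder).
        using (DirectoryEntry root = new DirectoryEntry(args[0]))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = BuildFlagFilter(ADS_UF_ACCOUNTDISABLE);
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 500; // paged search, so the result is not cut off at the server's size limit
            searcher.PropertiesToLoad.Add("sAMAccountName");
            searcher.PropertiesToLoad.Add("userAccountControl");

            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult result in results)
                {
                    // Skip entries whose attributes the caller is not allowed to read.
                    if (result.Properties["userAccountControl"].Count == 0 ||
                        result.Properties["sAMAccountName"].Count == 0)
                        continue;

                    int uac = (int)result.Properties["userAccountControl"][0];
                    Console.WriteLine("{0}  userAccountControl=0x{1:X}",
                        result.Properties["sAMAccountName"][0], uac);
                }
            }
        }
    }
}
```

In the offline table only the constructed value 0x00002 passes the equality test, while all three values with the disable bit set pass the bit-AND test, which is why an equality filter on 2 misses accounts that carry any other flag.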
