Password Never Expires and Disabled Account

  • Question

  • User1786607082 posted

    Hello,

     I am writing an internal site that will pull reports from our AD.  The problem I am having is how to determine whether an account has its password set to never expire.  I have been looking at the UserAccountControl property, but it is a bit field with several options.  Not to mention that the options are cumulative: 512 for a normal account plus 65536 for "password never expires" (the disabled bit is 2, not 65536) gives 66048.  Is there a better way to figure this out?  Same type of thing with a disabled account.

     Thanks,

    Mike Lockwood

    Thursday, October 5, 2006 12:19 PM

Answers

  • User1217975830 posted

    Here's what I've been able to piece together for my apps:

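    Public Function CkAcctStat(ByVal UsrAcctCtl As Object, ByVal Key As String) As Boolean

    '***
    ' Returns True when the ADS_UF_* bit named by Key is set in UsrAcctCtl.
    '
    ' UsrAcctCtl is the raw flag value: the LDAP userAccountControl attribute
    ' (Int32 in AD) or the WinNT provider's UserFlags property. Anything
    ' Convert.ToInt64 accepts works, and Nothing is treated as 0 (no bits set).
    '
    ' The LDAP userAccountControl value does not carry the following bits, so
    ' they must be read through the WinNT provider's UserFlags instead:
    '   ADS_UF_LOCKOUT
    '   ADS_UF_PASSWD_CANT_CHANGE
    '   ADS_UF_PASSWORD_EXPIRED
    ' Passing an LDAP value for one of those keys therefore yields False
    ' ("not locked out") rather than an error - the caller has to route those
    ' keys to the WinNT flags.
    ' NOTE(review): if the WinNT round-trip is too slow, the LDAP side has
    ' candidates worth checking - the lockoutTime attribute for lockout and the
    ' constructed attribute msDS-User-Account-Control-Computed for the lockout /
    ' password-expired bits - verify availability against your forest level.
    '
    ' Throws ArgumentException for an unknown Key. The original version silently
    ' returned 0 (False) for a misspelled key, which in an audit report reads as
    ' "not disabled" / "password expires" for every account.
    '***

      ' Bit-mapped ADS_UF_* values (UserAccountControl / UserFlags share the layout).
      Dim mask As Long
      Select Case Key
        Case "ADS_UF_ACCOUNTDISABLE"
          mask = &H2                      ' Account Disabled
        Case "ADS_UF_LOCKOUT"
          mask = &H10                     ' Account Locked out
        Case "ADS_UF_PASSWD_NOTREQD"
          mask = &H20                     ' Password Not Required (worth reporting in an audit)
        Case "ADS_UF_PASSWD_CANT_CHANGE"
          mask = &H40                     ' Cannot Change Password
        Case "ADS_UF_DONT_EXPIRE_PASSWD"
          mask = &H10000                  ' Password Never Expires
        Case "ADS_UF_PASSWORD_EXPIRED"
          mask = &H800000                 ' Password Expired
        Case Else
          Throw New ArgumentException("Unknown UserAccountControl flag name: " & Key, "Key")
      End Select

      ' Widen to a signed 64-bit value so the And is well defined whichever
      ' integer type (or numeric string) the provider handed back.
      Dim flags As Long = Convert.ToInt64(UsrAcctCtl)
      Return (flags And mask) <> 0
    End Function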

    --snip--
    '****
    ' //msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.path.aspx
    ' The section of the Path that identifies the provider (precedes the "://")
    ' is case-sensitive. For example, "LDAP://" or "WinNT://".
    '****
    ' Both paths are placeholders for the real domain. No credentials are passed
    ' anywhere in the visible code, so the binds presumably run as the identity
    ' the web application executes under - NOTE(review): confirm that account
    ' has read-only rights to the directory and nothing more.
    Dim LDAPdom, NTdom As String
    LDAPdom = "LDAP://xyz.my.place.com/dc=xyz,dc=my,dc=place,dc=com"
    NTdom = "WinNT://xyz.my.place.com"
    ' NT_UAC starts at 0 and is only filled in if the WinNT lookup succeeds; a
    ' 0 value reads as "no flags set" to every later check.
    Dim AD_UAC, NT_UAC As System.Int64     ' signed 64bit for the AccountControls

    --snip--
    '* I do LDAP searcher first
    '* Only the two attributes the report needs are requested: the account name
    '* and the userAccountControl bit field that CkAcctStat decodes.
    ADSrchr.PropertiesToLoad.Add("sAMAccountName")
    ADSrchr.PropertiesToLoad.Add("userAccountControl")
    --snip--
    '* The account name comes from the LDAP result, not from a request field,
    '* and is reused below to build the WinNT path. NOTE(review): if userid is a
    '* Label its Text renders unencoded - confirm the control type.
    userid.Text = ADResult.Properties("sAMAccountName").Item(0)
    --snip--

    '* If LDAP successful, then do a WinNT call
    '* NT provider does not support Searcher & other methods
    '* Note: this slowed down the response time
    '* The path is spliced from the sAMAccountName that LDAP just returned; if
    '* that value ever came from user input it would need validating first.
    Dim NTResult As New DirectoryServices.DirectoryEntry(NTdom & "/" & userid.Text)
    '* NOTE(review): New never yields Nothing, so this branch cannot fire. A user
    '* missing from the WinNT provider presumably surfaces as an exception on
    '* the first Properties access below, which nothing here catches - confirm.
    '* If the warning branch did run, NT_UAC would stay 0 and the later lockout /
    '* expired / cant-change checks would print their "not set" text.
    If IsNothing(NTResult) Then
      ErrMsg.Text = "*** Warning: User not found using WinNT provider  *** <BR>"
    Else
      If NTResult.Properties.Contains("UserFlags") Then
        '* UserFlags is masked later with the same ADS_UF_* bits as userAccountControl
        NT_UAC = NTResult.Properties("UserFlags").Item(0)
      Else
        ErrMsg.Text = "*** Error: no NT UserFlags found ***"

        Exit Sub
      End If
      '* NOTE(review): Properties is a read-only property on DirectoryEntry and
      '* setting it (or the entry) to Nothing does not release the handle; the
      '* entry is IDisposable, so a Using block / Dispose() is the proper cleanup.
      NTResult.Properties = Nothing
    End If
    NTResult = Nothing

    --snip--

      '* Raw LDAP userAccountControl bit field for the account found above.
      AD_UAC = ADResult.Properties("userAccountControl").Item(0)

    '* I call the function with the proper "UserAccessControl" depending on
    '* the provider and a text string of the name of the item checking for
    '* will return a true or a false
    '* NOTE(review): the three WinNT-sourced checks below read NT_UAC, which is
    '* still 0 if the WinNT lookup did not populate it; they then print the
    '* "not locked out" / "PW is active" / "PW can be changed" lines as silent
    '* false negatives. Gate them on the WinNT result (or ErrMsg) first.
      If CkAcctStat(AD_UAC, "ADS_UF_ACCOUNTDISABLE") Then
        acctstat.Text = acctstat.Text & " /Disabled <BR>"
      Else
        acctstat.Text = acctstat.Text & " /Active <BR>"
      End If

     ' does not work with LDAP - use NT provider
      If CkAcctStat(NT_UAC, "ADS_UF_LOCKOUT") Then
        acctstat.Text = acctstat.Text & " /Locked out* <BR>"
      Else
        acctstat.Text = acctstat.Text & " /not locked out* <BR>"
      End If

     ' does not work with LDAP - use NT provider
      If CkAcctStat(NT_UAC, "ADS_UF_PASSWORD_EXPIRED") Then
        pwstat.Text = pwstat.Text & " /PW has expired* <BR>"
      Else
        pwstat.Text = pwstat.Text & " /PW is active* <BR>"
      End If

     ' does not work with LDAP - use NT provider
      If CkAcctStat(NT_UAC, "ADS_UF_PASSWD_CANT_CHANGE") Then
        pwstat.Text = pwstat.Text & " /PW change is not allowed* <BR>"
      Else
        pwstat.Text = pwstat.Text & " /PW can be changed* <BR>"
      End If

     ' The check the question asked for: 66048 = 512 (normal) + 65536 (&H10000).
     ' NOTE(review): ADS_UF_PASSWD_NOTREQD is in CkAcctStat's table but is not
     ' reported here; "Password Not Required" accounts are a common audit finding
     ' and are cheap to add with the same AD_UAC value.
      If CkAcctStat(AD_UAC, "ADS_UF_DONT_EXPIRE_PASSWD") Then
        pwstat.Text = pwstat.Text & " /PW is set to not expire <BR>"
      Else
        pwstat.Text = pwstat.Text & " /PW is allowed to expire <BR>"
      End If
    --snip--


    Tuesday, November 14, 2006 12:35 AM