How to check User Enabled or Locked with LDAP Server?

  • Question

  • User750184344 posted

    Hi,

    I am trying to check whether a user passed to the LDAP server is enabled or not and locked or not. But I am not getting its property values, though it is showing me a properties count of 42.

    Can you please tell me these things.

    1. How do I get the property values?
    2. Specifically, which properties do I check for user enabled or locked out?
    3. How do I know all the property names?
    4. I am using a 2003 server at present; will this code work with any OS?

    Here is my function.

    ########################################################################

        Imports System.DirectoryServices

        ' Bit flags of the userAccountControl attribute (ADS_USER_FLAG values)
        <Flags()> _
        Public Enum AdsUserFlags
            Script = 1
            AccountDisabled = 2
            HomeDirectoryRequired = 8
            AccountLockedOut = 16
            PasswordNotRequired = 32
            PasswordCannotChange = 64
            EncryptedTextPasswordAllowed = 128
            TempDuplicateAccount = 256
            NormalAccount = 512
            InterDomainTrustAccount = 2048
            WorkstationTrustAccount = 4096
            ServerTrustAccount = 8192
            PasswordDoesNotExpire = 65536
            MnsLogonAccount = 131072
            SmartCardRequired = 262144
            TrustedForDelegation = 524288
            AccountNotDelegated = 1048576
            UseDesKeyOnly = 2097152
            DontRequirePreauth = 4194304
            PasswordExpired = 8388608
            TrustedToAuthenticateForDelegation = 16777216
            NoAuthDataRequired = 33554432
        End Enum

        ' Binds to the directory with the given credentials and reads the
        ' userAccountControl flags of the bound entry
        Public Function UserExists( _
            ByVal LDAPServerConnectionString As String, _
            ByVal UserName As String, _
            ByVal UserPassword As String, _
            Optional ByVal CheckIsUserAccountEnabled As Boolean = False, _
            Optional ByVal CheckIsUserAccountLocked As Boolean = False) As Boolean

            UserExists = False
            Dim de As New DirectoryEntry(LDAPServerConnectionString)

            Try
                If UserName.Length > 0 Then
                    de.Username = UserName
                End If
                If UserPassword.Length > 0 Then
                    de.Password = UserPassword
                End If

                ' RefreshCache forces the bind, so it fails when the credentials are rejected
                Try
                    de.RefreshCache()
                Catch ex As Exception
                    Return False
                End Try

                'msDS-User-Account-Control-Computed     'userAccountControl
                Dim userFlags As AdsUserFlags = CType(de.Properties("userAccountControl").Value, AdsUserFlags)
                MsgBox(String.Format("AdsUserFlags for {0}: {1}", de.Path, userFlags))

                Return True
            Catch exUser As System.DirectoryServices.DirectoryServicesCOMException
                Return False
            Catch ex As Exception
                Throw   ' rethrow without resetting the stack trace
            Finally
                de.Dispose()
            End Try
        End Function

    ########################################################################


    Tuesday, September 19, 2006 11:17 AM

All replies

  • User1297008538 posted

    Hi,

    To check if they're disabled do this:

    ' the result of the And is an integer bit mask, so test it against 0, not True
    If (CType(de.Properties("userAccountControl").Value, Integer) And AdsUserFlags.AccountDisabled) <> 0 Then
        ' they're disabled
    End If

    To check if they're locked out:

    ' lockoutTime is a 64-bit FILETIME; DirectoryEntry returns it as an IADsLargeInteger
    ' COM object (reference ActiveDs), and the attribute is absent until the first lockout
    Dim lockoutValue As Object = de.Properties("lockoutTime").Value
    If lockoutValue IsNot Nothing Then
        Dim li As ActiveDs.IADsLargeInteger = CType(lockoutValue, ActiveDs.IADsLargeInteger)
        Dim lockoutTime As Long = (CLng(li.HighPart) << 32) Or (CLng(li.LowPart) And &HFFFFFFFFL)
        If lockoutTime > 0 Then
            ' They're Locked Out
        End If
    End If

    Tuesday, September 19, 2006 11:09 PM
  • User1354132231 posted
    The lockoutTime is trickier than that.  You either need the calculation, or you need to use msDS-User-Account-Control-Computed in Windows 2003/ADAM.  You can see how it is done in Ch. 10's samples.  The links to the samples are at the top of this forum.
    Wednesday, September 20, 2006 8:39 AM
  • User1297008538 posted
    Per MSDN lockoutTime = 0 if they're unlocked and > 0 otherwise, so if it's > 0 then they're locked out...
    Wednesday, September 20, 2006 5:13 PM
  • User1354132231 posted

    In that case, the MSDN documentation is wrong.  Domain policy will actually determine lockout.  The lockoutDuration can be set to unlock an account after any amount of time (e.g. 30 mins or so), which means the account's lockoutTime does not get cleared, but the account is actually unlocked.  An account that has never been locked out does not have the lockoutTime attribute either, so you need to handle that case.  It is only in the simple case where lockoutDuration is not set that accounts are locked out until lockoutTime is set to 0.  It was this PITA that also was the rationale for the calculated msDS- attribute that does the calculation for you in Windows 2003.  Unfortunately, you need to do this yourself in 2000.

    If you find that documentation, you should report it to the MSDN team to correct. 

    Wednesday, September 20, 2006 6:00 PM
  • User750184344 posted

    I found that if I lock or disable the user, then it gives me an error on the line "de.RefreshCache()", or even if I try to check

    "CType(de.Properties("userAccountControl").Value, AdsUserFlags)" it gives me the error "Bad Username or password".

    So this means that if a user is disabled or locked out then it will not allow me to connect, and we cannot check its properties as well... Is this correct?

    Because it's not allowing me to use either of those two lines to check whether it's enabled or locked out.

    Thursday, September 21, 2006 2:46 PM
  • User1297008538 posted
    That is correct.
    Thursday, September 21, 2006 2:51 PM
  • User1354132231 posted
    If you are using the credentials of the disabled/locked user you are checking - of course it won't work.  You should be using the credentials of a service account to check this.  Once an account is locked or disabled, its credentials are not valid to use.
    Thursday, September 21, 2006 2:52 PM
  • User750184344 posted

    Does this mean that if we fail to connect, and it throws an exception, we have to assume that

    1. either the user does not exist,

    2. or the account is disabled,

    3. or the account is locked out.

    But can we know exactly why it fails in this case? I mean, is it because the account is disabled, or the account is locked out, or because the user does not exist?

    Because I have checked that in all the cases it throws the same exception, "Unknown username or bad password".


    Thursday, September 21, 2006 2:58 PM
  • User1354132231 posted
    No.  If you simply use a service account you will know all three.  First, you search, then if you find you check lockout/disabled.
    Thursday, September 21, 2006 3:02 PM
  • User750184344 posted

    OK, you mean search using the .filter method?

    So initially I should not provide its username or password to connect, apply the filter ("&((object=user)(cn=passedusername))") with this username and use .findall, and if a record is found then check for those properties, and only then check "de.RefreshCache()" for all the validation checks at once?

    Is this correct?


    Thursday, September 21, 2006 3:09 PM
  • User1354132231 posted

    (sAMAccountName=passedloginname)

    Essentially, yes.  Your IIS server should have permission to read the AD if you run your app pool as domain service account - see FAQ.  If you are trying to authenticate users, you should view Ch. 12 code from samples. 

    Thursday, September 21, 2006 3:19 PM
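    An added example, not code from this thread or from the book samples it refers to, showing the approach the replies describe: bind with a service account, search by sAMAccountName (escaping the passed login name so it cannot alter the filter), read the AccountDisabled bit from userAccountControl and, on Windows 2003/ADAM, the lockout bit from msDS-User-Account-Control-Computed; IsLockedOut is the lockoutTime/lockoutDuration calculation the earlier reply says Windows 2000 requires. The module name, parameter names and the LDAP path are assumptions.

```vbnet
Imports System.DirectoryServices
Public Module AccountStatus
    ' Bits of userAccountControl / msDS-User-Account-Control-Computed (ADS_USER_FLAG).
    Private Const UF_ACCOUNTDISABLE As Integer = &H2
    Private Const UF_LOCKOUT As Integer = &H10
    ' Escapes a caller-supplied login name (RFC 4515) so it cannot alter the filter.
    Public Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New System.Text.StringBuilder()
        For Each ch As Char In value
            If "\*()".IndexOf(ch) >= 0 OrElse ch = ControlChars.NullChar Then
                sb.Append("\"c).Append(AscW(ch).ToString("x2"))
            Else
                sb.Append(ch)
            End If
        Next
        Return sb.ToString()
    End Function
    ' Lockout calculation for Windows 2000 DCs (no computed attribute). Values are FILETIME
    ' ticks; lockoutDuration is a negative interval and Long.MinValue means manual unlock only.
    Public Function IsLockedOut(ByVal lockoutTime As Long, ByVal lockoutDuration As Long, ByVal nowTicks As Long) As Boolean
        If lockoutTime = 0 Then Return False
        If lockoutDuration = Long.MinValue Then Return True
        Return nowTicks < lockoutTime - lockoutDuration
    End Function
    ' Binds as a service account (never as the user being checked), looks the user up
    ' by sAMAccountName and reports found / disabled / locked (assumed module, not the book's).
    Public Sub CheckUser(ByVal ldapPath As String, ByVal svcUser As String, ByVal svcPassword As String, _
                         ByVal loginName As String, ByRef found As Boolean, _
                         ByRef disabled As Boolean, ByRef locked As Boolean)
        found = False : disabled = False : locked = False
        Using root As New DirectoryEntry(ldapPath, svcUser, svcPassword)
            Using searcher As New DirectorySearcher(root)
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
                                  EscapeFilterValue(loginName) & "))"
                searcher.PropertiesToLoad.AddRange(New String() {"userAccountControl", "msDS-User-Account-Control-Computed"})
                Dim result As SearchResult = searcher.FindOne()
                If result Is Nothing Then Return
                found = True
                disabled = (CInt(result.Properties("userAccountControl")(0)) And UF_ACCOUNTDISABLE) <> 0
                ' 2003/ADAM applies lockoutDuration itself and sets UF_LOCKOUT here; on 2000 the
                ' attribute is absent, so call IsLockedOut with lockoutTime and the domain's lockoutDuration.
                If result.Properties.Contains("msDS-User-Account-Control-Computed") Then
                    locked = (CInt(result.Properties("msDS-User-Account-Control-Computed")(0)) And UF_LOCKOUT) <> 0
                End If
            End Using
        End Using
    End Sub
End Module
```

    Because the search runs under the service account, a disabled or locked account is still found and its flags can be read, which is what separates "does not exist" from "disabled" and "locked out" in the earlier question.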
  • User750184344 posted

    Hi,

    Actually, one more question. Can you please provide me a link for this chapter? I couldn't understand what you mean by ch. 12.

    I will read it in detail and then try.

    Thanks really for all of your efforts.

    Friday, September 22, 2006 10:20 AM
  • User1354132231 posted
    If you download the sample code (highly recommended and linked at top of this forum), you will see it is divided into Chapters.  That is all I meant.
    Friday, September 22, 2006 10:37 AM