Need to know if a user is enabled or disabled

  • Question

  • User210383279 posted
    I am working with Active Directory, but I need to know if a user is enabled or disabled. I am using this to run through the properties of the user to know which one I need, but I don't know which one I need. I have tried a lot.
    src = New DirectoryServices.DirectorySearcher("(&(objectCategory=Person)(objectClass=user)(!userAccountControl=512)(!userAccountControl=66048))")
    src.SearchRoot = de
    src.SearchScope = DirectoryServices.SearchScope.Subtree
    For Each res In src.FindAll
        Dim ien As IDictionaryEnumerator = res.Properties.GetEnumerator

        While ien.MoveNext
            ien.Key.ToString()
    .....................
     
    I also use this:
    CInt(res.Properties("userAccountControl")(0)) = 512 Or CInt(res.Properties("userAccountControl")(0)) = 66048
    but they aren't all
    and this:
     (!(userAccountControl:1.2.840.113556.1.4.803:=2))
    I think I have too many


    Please can you tell me a way to know if a user is disabled or enabled with ASP.NET or C#, or which one is the correct one?


    Friday, September 9, 2005 12:58 PM

All replies

  • User1354132231 posted

    You need to check to see if the UF_ACCOUNTDISABLE flag is flipped.  The userAccountControl is a collection of flag values and it is not static, so you should not hardcode it.  Only check to see if flags are flipped.  You can do this by searching, or you can do it directly with the DirectoryEntry.

    Here is a filter that does it properly:

    (userAccountControl:1.2.840.113556.1.4.803:=2)

    If you have the DirectoryEntry (that is, not searching for the users), you can check using this technique:

    const int UF_ACCOUNTDISABLE            = 0x0002;

    int flags = (int)user.Properties["userAccountControl"][0];

    if (Convert.ToBoolean(flags & UF_ACCOUNTDISABLE))
    {
       //the account is disabled
    }

    Saturday, September 10, 2005 5:42 PM
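
Added example, not part of the thread: the equality test from the question beside the flag test from the reply above, run over constructed userAccountControl values. The class and method names are illustrative, and null stands in for a result that returns no userAccountControl value.

```csharp
using System;

static class UacCheck
{
    const int UF_ACCOUNTDISABLE = 0x0002;

    // The approach from the question: only the two known values count as enabled.
    static bool EnabledByEquality(int uac) => uac == 512 || uac == 66048;

    // The approach from the reply: test only the disable bit.
    // With a SearchResult, check sr.Properties.Contains("userAccountControl")
    // before indexing [0]; a missing value is reported as null here, not guessed.
    static bool? EnabledByFlag(int? uac) =>
        uac.HasValue ? (uac.Value & UF_ACCOUNTDISABLE) == 0 : (bool?)null;

    static void Main()
    {
        // Constructed sample values, not taken from a real directory:
        // 544 = 512 + PASSWD_NOTREQD, 590336 = 66048 + TRUSTED_FOR_DELEGATION.
        int?[] samples = { 512, 514, 544, 546, 66048, 66050, 590336, null };

        foreach (int? uac in samples)
        {
            bool? byFlag = EnabledByFlag(uac);
            string eq = uac.HasValue ? EnabledByEquality(uac.Value).ToString() : "n/a";
            string fl = byFlag.HasValue ? byFlag.Value.ToString() : "unknown (attribute missing)";
            Console.WriteLine($"{uac,8}  enabled by equality: {eq,-6} enabled by flag: {fl}");
        }
    }
}
```

The rows for 544 and 590336 are enabled accounts that the equality test reports as not enabled, because extra flags change the number without touching the disable bit.
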
  • User210383279 posted
    Just did this and it doesn't work:

    src = New DirectoryServices.DirectorySearcher("(&(objectCategory=Person)(objectClass=user))")

    src.SearchRoot = de
    src.SearchScope = DirectoryServices.SearchScope.Subtree
    Dim UF_ACCOUNTDISABLE As Integer = &H2
    For Each res In src.FindAll()
        palavra = Trim(LCase(res.Properties("Name")(0)))

        Dim flags As Integer = CType(res.Properties("userAccountControl")(0), Integer)
        If (Convert.ToBoolean(flags And UF_ACCOUNTDISABLE)) Then
    .............

    some are, some don't (disabled)
    Monday, September 12, 2005 4:32 AM
  • User1354132231 posted
    Is this Active Directory or ADAM that you are using?  I would be very surprised if you are the only person this does not work for.
    Tuesday, September 13, 2005 4:56 PM
  • User210383279 posted
    It is really Active Directory. I too was very surprised, because I saw the values in CInt(res.Properties("userAccountControl")(0)) to see if it was 513 or 66050 ... and some are. I tried to force them in hard code, but when I spoke with the personnel who work with Active Directory and saw users that were disabled and weren't in my list, it was very disappointing. I tried to see the disabled users they showed me in code and it doesn't show anything, they don't have a value. Not my lucky day, first with the mail server and now with Active Directory. :P Oh, the OU and CN are correct.


            src = New DirectoryServices.DirectorySearcher("(&(objectCategory=Person)(objectClass=user))")
            src.SearchRoot = de
            src.SearchScope = DirectoryServices.SearchScope.Subtree
            ' Dim activo As Integer = 0
            Dim UF_ACCOUNTDISABLE As Integer = &H2
            For Each res In src.FindAll()
                palavra = Trim(LCase(res.Properties("Name")(0)))
                'activo = CInt(res.Properties("userAccountControl")(0))
                Dim flags As Integer = CType(res.Properties("userAccountControl")(0), Integer)
                If Convert.ToBoolean(flags And UF_ACCOUNTDISABLE) Then
                    ien = res.Properties.GetEnumerator()
                    topRow = tbusers.NewRow 'ds.Tables("users").NewRow()
                    topRow("User Name") = res.Properties("Name")(0)
                    topRow("Type") = "User"
                    tbusers.Rows.Add(topRow)
                    flags = 0
                End If
                flags = 0
            Next



    Tuesday, September 13, 2005 5:17 PM
  • User1354132231 posted

    This would be a very inefficient search, but it would work.  There is a replication latency if you are disabling on one server and relatively immediately running this to query on another.  If you run this against the same domain controller that disables the user (or wait for replication) it will always work.

    Regardless, here is an easier method to find disabled users:

    DirectorySearcher ds = new DirectorySearcher(
        searchRoot, //root this where you want to start
        "(&(objectClass=user)(objectCategory=person)" +
        "(userAccountControl:1.2.840.113556.1.4.803:=2))"
        );

    using (SearchResultCollection src = ds.FindAll())
    {
        foreach (SearchResult sr in src)
        {
            //these are your disabled users
        }
    }

    In VB.NET (in my best approximation):

    Dim ds As DirectorySearcher = New DirectorySearcher( _
        searchRoot, _
        "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))")

    Dim src As SearchResultCollection = Nothing

    Try
        src = ds.FindAll()
        For Each sr As SearchResult In src
            'these are disabled in here
        Next
    Finally
        'src is still Nothing if FindAll threw
        If src IsNot Nothing Then src.Dispose()
    End Try

    Tuesday, September 13, 2005 5:38 PM
  • User210383279 posted
    I already tried (userAccountControl:1.2.840.113556.1.4.803:=2). This was the nearest to listing all the disabled users, but when I looked at the users again with the Active Directory personnel, they say that 3 users are missing for it to be correct, and I list them in code and no value is shown in "userAccountControl", but they are disabled..... Maybe it is a Windows problem, or the people who disabled the user did something wrong... I don't know. Oh, and it lists 1 user who is enabled, the rest are disabled. Getting better.... or not...
    Tuesday, September 13, 2005 5:51 PM
  • User210383279 posted
    Well, we have resolved the problem, not in the best way, but it works. We deleted the user, created it again, put in the correct info and disabled it. After this we ran the code and it works perfectly. The same for the user who was enabled: it isn't in the list now.


    Thanks for your attention and your efforts.....

    Tuesday, September 13, 2005 6:10 PM
  • User-249629685 posted

    Sadly, the account disable flag of userAccountControl is a calculated flag. The only way to determine its true state is to use the WinNT: provider. Supposed to be fixed in W2K3.

    Sunday, September 25, 2005 1:36 AM
  • User1354132231 posted

    "Sadly, the account disable flag of userAccountControl is a calculated flag. The only way to determine its true state is to use the WinNT: provider. Supposed to be fixed in W2K3."

    The msDs-AccountControl-Computed is the calculated flag - and it was added in W2K3 (and ADAM).  The 'userAccountControl' is not calculated and remains inaccurate for all versions when using LDAP provider.  WinNT provider works fine with this attribute.
    Wednesday, September 28, 2005 1:39 PM
  • User1965457893 posted

    I am disabling a user by doing this and it works.

    <code>
    If cbDisable.Checked Then
        ou.Properties("userAccountControl").Value = 66050
    End If

    ou.CommitChanges()
    </code>

    Is this not the best way to disable a user?

    Friday, June 2, 2006 11:54 AM
  • User1354132231 posted
    Since the 'userAccountControl' attribute is a collection of bit flags, setting a value is generally not a good idea.  You are erasing all of the other attributes on the user by doing this.  If the account was trusted (or not trusted) for delegation, you have wiped it out.

    Use bitmasking and this is not a problem.
    Friday, June 2, 2006 7:32 PM
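
Added example, not part of the thread: the bitmasking recommended in the last reply, compared with the `66050` assignment from the post before it. The starting value is constructed, and `SetDisabled` is an illustrative helper, not a .NET API.

```csharp
using System;

static class UacWrite
{
    const int UF_ACCOUNTDISABLE         = 0x00002;
    const int UF_TRUSTED_FOR_DELEGATION = 0x80000;

    // Set or clear only the disable bit; every other flag is carried over.
    static int SetDisabled(int uac, bool disabled) =>
        disabled ? uac | UF_ACCOUNTDISABLE : uac & ~UF_ACCOUNTDISABLE;

    // Against a DirectoryEntry the same read-modify-write pattern is:
    //   int uac = (int)entry.Properties["userAccountControl"].Value;
    //   entry.Properties["userAccountControl"].Value = SetDisabled(uac, true);
    //   entry.CommitChanges();

    static void Report(string label, int uac) =>
        Console.WriteLine($"{label,-10} {uac,7} " +
                          $"disabled={(uac & UF_ACCOUNTDISABLE) != 0} " +
                          $"delegation={(uac & UF_TRUSTED_FOR_DELEGATION) != 0}");

    static void Main()
    {
        // Constructed starting value: NORMAL_ACCOUNT (512)
        // + DONT_EXPIRE_PASSWORD (65536) + TRUSTED_FOR_DELEGATION (524288).
        int before = 512 + 65536 + UF_TRUSTED_FOR_DELEGATION;

        int overwritten = 66050;                 // the assignment from the post
        int masked = SetDisabled(before, true);  // only the disable bit changes

        Report("before", before);
        Report("overwrite", overwritten);        // delegation flag is lost
        Report("bitmask", masked);               // delegation flag is kept
        Report("re-enabled", SetDisabled(masked, false));
    }
}
```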