Need to know if a user is enabled or disabled

Question
-
User210383279 posted
I am working with Active Directory, but I need to know if a user is enabled or disabled. I am using this to run through the properties of the user to find which one I need, but I don't know which one I need. I tried a lot??????
src = New DirectoryServices.DirectorySearcher("(&(objectCategory=Person)(objectClass=user)(!userAccountControl=512)(!userAccountControl=66048))")
src.SearchRoot = de
src.SearchScope = DirectoryServices.SearchScope.Subtree
For Each res In src.FindAll
    Dim ien As IDictionaryEnumerator = res.Properties.GetEnumerator
    While ien.MoveNext
        ien.Key.ToString()
        .....................
I also used this:
CInt(res.Properties("userAccountControl")(0)) = 512 Or CInt(res.Properties("userAccountControl")(0)) = 66048
but they aren't all
and this:
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
I think it has too many
Please, can you tell me a way to know if a user is disabled or enabled in ASP.NET or C#, or which one is the correct one?
Friday, September 9, 2005 12:58 PM
All replies
-
User1354132231 posted
You need to check to see if the UF_ACCOUNTDISABLE flag is flipped. The userAccountControl is a collection of flag values and is not static, so you should not hardcode it. Only check to see if flags are flipped. You can do this by searching, or you can do it directly with the DirectoryEntry.
Here is a filter that does it properly:
(userAccountControl:1.2.840.113556.1.4.803:=2)
If you have the DirectoryEntry (that is, not searching for the users), you can check using this technique:
const int UF_ACCOUNTDISABLE = 0x0002;
int flags = (int)user.Properties["userAccountControl"][0];
if (Convert.ToBoolean(flags & UF_ACCOUNTDISABLE))
{
    //the account is disabled
}
Saturday, September 10, 2005 5:42 PM -
User210383279 posted
Just did this and it doesn't work:
src = New DirectoryServices.DirectorySearcher("(&(objectCategory=Person)(objectClass=user))")
src.SearchRoot = de
src.SearchScope = DirectoryServices.SearchScope.Subtree
Dim UF_ACCOUNTDISABLE As Integer = &H2
For Each res In src.FindAll()
    palavra = Trim(LCase(res.Properties("Name")(0)))
    Dim flags As Integer = CType(res.Properties("userAccountControl")(0), Integer)
    If (Convert.ToBoolean(flags And UF_ACCOUNTDISABLE)) Then
        .............
some are, some don't ( Disable )
Monday, September 12, 2005 4:32 AM -
User1354132231 posted
Is this Active Directory or ADAM that you are using? I would be very surprised if you are the only person this does not work for.
Tuesday, September 13, 2005 4:56 PM -
User210383279 posted
It really is Active Directory. I was very surprised too, because I looked at the values in CInt(res.Properties("userAccountControl")(0)) to see if it was 513 or 66050 ... and some are. I tried to force them in hard code, but when I spoke with the personnel who work with Active Directory and saw users that were disabled and weren't in my list, it was very disappointing. I tried to look in code at the disabled users they showed me and it doesn't show anything, they don't have a value. Not my lucky day, first with the mail server and now with Active Directory. :P Oh, the OU and CN are correct.
src = New DirectoryServices.DirectorySearcher("(&(objectCategory=Person)(objectClass=user))")
src.SearchRoot = de
src.SearchScope = DirectoryServices.SearchScope.Subtree
' Dim activo As Integer = 0
Dim UF_ACCOUNTDISABLE As Integer = &H2
For Each res In src.FindAll()
    palavra = Trim(LCase(res.Properties("Name")(0)))
    'activo = CInt(res.Properties("userAccountControl")(0))
    Dim flags As Integer = CType(res.Properties("userAccountControl")(0), Integer)
    If Convert.ToBoolean(flags And UF_ACCOUNTDISABLE) Then
        ien = res.Properties.GetEnumerator()
        topRow = tbusers.NewRow 'ds.Tables("users").NewRow()
        topRow("User Name") = res.Properties("Name")(0)
        topRow("Type") = "User"
        tbusers.Rows.Add(topRow)
        flags = 0
    End If
    flags = 0
Next
Tuesday, September 13, 2005 5:17 PM -
User1354132231 posted
This would be a very inefficient search, but it would work. There is a replication latency if you are disabling on one server and relatively immediately running this to query on another. If you run this against the same domain controller that disables the user (or wait for replication) it will always work.
Regardless, here is an easier method to find disabled users:
DirectorySearcher ds = new DirectorySearcher(
    searchRoot, //root this where you want to start
    "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))"
);
using (SearchResultCollection src = ds.FindAll())
{
    foreach (SearchResult sr in src)
    {
        //these are your disabled users
    }
}
In VB.NET (in my best approximation):
Dim ds As DirectorySearcher = New DirectorySearcher( _
    searchRoot, _
    "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))" _
)
Dim src As SearchResultCollection = Nothing
Try
    src = ds.FindAll()
    For Each sr As SearchResult In src
        'these are disabled in here
    Next
Finally
    'FindAll may have thrown before src was assigned
    If src IsNot Nothing Then src.Dispose()
End Try
Tuesday, September 13, 2005 5:38 PM -
User210383279 posted
I already tried (userAccountControl:1.2.840.113556.1.4.803:=2). This was the nearest to getting all the disabled users, but when I looked at the users again with the Active Directory personnel, they say 3 users are missing for it to be correct, and I list them in code and no value is shown in "userAccountControl", but they are disabled..... Maybe it is a Windows problem, or the people who disabled the users did something wrong... don't know. Oh, and it lists 1 user who is enabled, the rest are disabled. Getting better.... or not...
Tuesday, September 13, 2005 5:51 PM -
User210383279 posted
Well, we have resolved the problem, not in the best way, but it works. We deleted the user, created it again, put in the correct info and disabled it; after this we ran the code and it works perfectly. The same for the user who was enabled: it is not in the list now.
Thanks for your attention and your efforts.....
Tuesday, September 13, 2005 6:10 PM -
User-249629685 posted
Sadly, the account disable flag of userAccountControl is a calculated flag. The only way to determine its true state is to use the WinNT: provider. Supposed to be fixed in W2K3.
Sunday, September 25, 2005 1:36 AM -
User1354132231 posted
"Sadly, the account disable flag of userAccountControl is a calculated flag. The only way to determine its true state is to use the WinNT: provider. Supposed to be fixed in W2K3."
The msDs-AccountControl-Computed is the calculated flag - and it was added in W2K3 (and ADAM). The 'userAccountControl' is not calculated and remains inaccurate for all versions when using LDAP provider. WinNT provider works fine with this attribute.
Wednesday, September 28, 2005 1:39 PM -
User1965457893 posted
I am disabling a user by doing this and it works.
<code>
If cbDisable.Checked Then
    ou.Properties("userAccountControl").Value = 66050
End If
ou.CommitChanges()
</code>
Is this not the best way to disable a user?
Friday, June 2, 2006 11:54 AM -
User1354132231 posted
Since the 'userAccountControl' attribute is a collection of bit flags, setting a value is generally not a good idea. You are erasing all of the other attributes on the user by doing this. If the account was trusted (or not trusted) for delegation, you have wiped it out.
Use bitmasking and this is not a problem.
Friday, June 2, 2006 7:32 PM
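
The flag test and the bitmasking advice from the replies above, as an added C# example that is not part of the original thread: it runs the question's equality check next to the bit test over constructed userAccountControl values, then shows how writing 66050 drops other flags while a mask keeps them. The Uac enum, the UacDemo class and the sample values are assumptions made for illustration.

```csharp
using System;

// Added example: constructed userAccountControl values, no directory access needed.
[Flags]
enum Uac
{
    AccountDisable       = 0x0002,   // UF_ACCOUNTDISABLE, the bit tested in the thread
    PasswordNotRequired  = 0x0020,   // UF_PASSWD_NOTREQD
    NormalAccount        = 0x0200,   // UF_NORMAL_ACCOUNT
    DontExpirePassword   = 0x10000,  // UF_DONT_EXPIRE_PASSWD
    TrustedForDelegation = 0x80000   // UF_TRUSTED_FOR_DELEGATION
}

static class UacDemo
{
    public static bool IsDisabled(int uac) => (uac & (int)Uac.AccountDisable) != 0;

    // Set or clear only the disable bit; every other flag is preserved.
    public static int SetDisabled(int uac, bool disabled) =>
        disabled ? uac | (int)Uac.AccountDisable
                 : uac & ~(int)Uac.AccountDisable;

    // The equality test from the question: only two exact values count as enabled.
    public static bool EnabledByEquality(int uac) => uac == 512 || uac == 66048;

    static void Main()
    {
        // Constructed sample values, not taken from any real directory.
        int[] samples = { 512, 514, 66048, 66050, 544, 546, 524800, 524802 };
        foreach (int uac in samples)
            Console.WriteLine("{0,7} 0x{0:X5} [{1}] disabled={2} equality-says-enabled={3}",
                uac, (Uac)uac, IsDisabled(uac), EnabledByEquality(uac));

        // Writing the literal 66050 to a delegation-trusted account replaces its flags;
        // masking only adds the disable bit.
        int trusted = (int)(Uac.NormalAccount | Uac.TrustedForDelegation);
        Console.WriteLine("before:     [{0}]", (Uac)trusted);
        Console.WriteLine("hard-coded: [{0}]", (Uac)66050);
        Console.WriteLine("masked:     [{0}]", (Uac)SetDisabled(trusted, true));

        // With a DirectoryEntry named user (System.DirectoryServices), the same mask applies:
        //   int uac = (int)user.Properties["userAccountControl"].Value;
        //   user.Properties["userAccountControl"].Value = SetDisabled(uac, true);
        //   user.CommitChanges();
    }
}
```

Values such as 544 and 524800 are enabled accounts that the equality test reports as not enabled, which is why a search built on fixed values returns a list that does not match the directory.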