Is it possible to lock a user's account for just some time with .NET?

  • Question

  • Hello,

    I have a vb.NET 4.0 Web application that allows my Institute's teachers to select their classroom number and then, if their students are playing games or surfing the internet during teaching time, to force their computers to switch off and to inactivate their accounts so they can’t log on (by setting userAccountControl to 514).

    Then, once the teacher has finished his talking, he can log on to my application, choose the classroom number and click on a button to unlock the students’ accounts (by setting userAccountControl to 512).

    This app works just fine; however, as you can imagine, it happens that the teacher leaves the classroom without thinking of unlocking the students’ accounts. And every time it is me who has to do that. Just crazy.

    I’m trying to find a way to lock the students’ accounts for just something like 1 or 2 hours and then automatically unlock these accounts. I found what I thought to be a nice Active Directory attribute called lockoutDuration, which is said to set the amount of time an account has to be locked before unlocking it. But I can’t find it amongst my AD attributes.

    I tried looking for a WMI class to let me do this kind of thing. I didn’t find one. However, the Active Directory user properties dialog box has on the Account tab a check box to tell the system the account is locked out. So this attribute must exist somewhere in the WMI classes?

    I tried looking for a PowerShell 3 script but found nothing.

    I thought about creating a SQL Server trigger, but I need this trigger to execute some .NET code not immediately but after 1 or 2 hours, and I don’t know whether a trigger can do that (wait for a long time after it’s called before executing code).

    Could anyone have an idea about what can be done?

    Thanks a lot,

    Have a nice day,

    Susana


    Tuesday, November 19, 2013 9:01 AM

Answers

  • The lockout duration in AD indicates how long an account is locked after a user incorrectly guesses their password.  For example it is common for a user to get 3 attempts to enter their password.  If they fail to do so then their account is locked.  The duration indicates how long before the account is unlocked again.

    I personally do not recommend that you rely on these AD properties for your app-specific functionality. You are effectively trying to use network infrastructure for app-specific functionality, which is bad to me. I'm unclear how you're managing to shut down computers and/or lock accounts via a web app, so I don't have any better solution to your problem.

    The information is not available using the standard WMI classes.  It is part of the AD schema which would require custom query.  Google for "AD schema query WMI" and you can get some links on how you might go about querying AD via WMI.

    Michael Taylor
    http://msmvps.com/blogs/p3net

    Tuesday, November 19, 2013 7:10 PM
    Moderator
  • Well just in case it could be useful to someone, I found the solution. It was a tricky one!

    I created a CLR-stored procedure that uses System.DirectoryServices to activate an account. Then I called this CLR-sp from a normal stored procedure. And I created a job that uses my standard sp and is executed twice a day.

    There were several problems; for example, SQL Server does not allow you to update an AD attribute, so it is impossible to use UPDATE OPENQUERY on AD. You can SELECT but not UPDATE. Security reasons.

    I was inspired by this information:

    http://technet.microsoft.com/en-us/library/ms131052(v=sql.105).aspx

    http://stackoverflow.com/questions/2959367/how-to-register-system-directoryservices-for-use-in-sql-clr-user-functions

    Thanks to the people who wrote it. They helped me a lot.

    Have a nice day,

    susana


    • Marked as answer by susanasusana Friday, March 21, 2014 10:58 AM
    Friday, March 21, 2014 10:57 AM
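The scheduled re-enable half of the approach described in this answer, written out as an added VB.NET example (it is not Susana's code): a SQL CLR stored procedure, meant to be called from an ordinary stored procedure by a SQL Agent job, that uses System.DirectoryServices to re-enable every account whose lock window has passed. It clears only the ACCOUNTDISABLE bit (0x2) of userAccountControl rather than writing 512 outright, so any other flags on the account are left alone. It assumes a table dbo.ScheduledUnlocks with columns ObjectGuid (nvarchar(64)) and UnlockAfter (datetime2), filled in when the account was disabled, with the GUID stored in the form that DirectoryEntry.NativeGuid returns; the table, its columns and the procedure name are assumptions for the example.

```vb
' Added example (not the original poster's code). SQL CLR stored procedure that
' re-enables accounts whose scheduled unlock time has passed.
' Assumed schema: dbo.ScheduledUnlocks(ObjectGuid nvarchar(64), UnlockAfter datetime2)
Imports System
Imports System.Collections.Generic
Imports System.Data.SqlClient
Imports System.DirectoryServices
Imports Microsoft.SqlServer.Server

Public Class ScheduledUnlocks

    ' Bit 0x2 of userAccountControl is ACCOUNTDISABLE (512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE).
    Private Const ACCOUNTDISABLE As Integer = &H2

    ' Clears only the ACCOUNTDISABLE bit, leaving every other flag untouched.
    ' Returns True if the bit was set and has now been cleared, False if the account was already enabled.
    Public Shared Function ClearDisabledFlag(ByVal user As DirectoryEntry) As Boolean
        Dim uac As Integer = CInt(user.Properties("userAccountControl").Value)
        If (uac And ACCOUNTDISABLE) = 0 Then Return False
        user.Properties("userAccountControl").Value = uac And (Not ACCOUNTDISABLE)
        user.CommitChanges()
        Return True
    End Function

    ' Entry point exposed to T-SQL via CREATE PROCEDURE ... AS EXTERNAL NAME.
    <SqlProcedure()> Public Shared Sub ReenableExpiredAccounts()
        Dim due As New List(Of String)()
        Using conn As New SqlConnection("context connection=true")
            conn.Open()

            ' Read all due rows first: the context connection cannot run a second
            ' command while a reader is still open.
            Using cmd As New SqlCommand("SELECT ObjectGuid FROM dbo.ScheduledUnlocks WHERE UnlockAfter <= SYSUTCDATETIME()", conn)
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    While reader.Read()
                        due.Add(reader.GetString(0))
                    End While
                End Using
            End Using

            For Each guid As String In due
                Try
                    ' Bind by objectGUID so a renamed or moved user object is still found.
                    Using user As New DirectoryEntry("LDAP://<GUID=" & guid & ">")
                        ClearDisabledFlag(user)
                    End Using
                    Using del As New SqlCommand("DELETE FROM dbo.ScheduledUnlocks WHERE ObjectGuid = @guid", conn)
                        del.Parameters.AddWithValue("@guid", guid)
                        del.ExecuteNonQuery()
                    End Using
                    SqlContext.Pipe.Send("Re-enabled " & guid)
                Catch ex As Exception
                    ' Leave the row in place so the next job run retries it, and report why it failed.
                    SqlContext.Pipe.Send("Failed to re-enable " & guid & ": " & ex.Message)
                End Try
            Next
        End Using
    End Sub
End Class
```

Because System.DirectoryServices is not on SQL Server's list of supported CLR assemblies, both it and the assembly containing this class have to be registered with PERMISSION_SET = UNSAFE (which is what the StackOverflow link above covers); the T-SQL wrapper is then a CREATE PROCEDURE ... AS EXTERNAL NAME pointing at ScheduledUnlocks.ReenableExpiredAccounts. Two things worth checking before scheduling it: the directory write runs as the SQL Server service account unless the procedure impersonates the caller, so that account should be delegated write access to userAccountControl on the students' OU only, not domain-wide rights; and a job that runs twice a day means a "1 or 2 hour" lock can last up to twelve hours, so run the job hourly or more often if the window matters.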

All replies

  • Hello Michael,

    Thanks for your answer. At least I know now that the lockoutDuration attribute cannot be used for this purpose.

    My app is just using System.DirectoryServices to set the userAccountControl AD attribute to 514 (to lock a user account) or 512 (to unlock it), and System.Management to shut down a remote computer via the Win32Shutdown method of Win32_OperatingSystem. It’s quite easy to implement.

    Ok I’ll look at querying AD with WMI. I’ll post something if I find out a way to lock up a user account for a given time period.

    Thank you,

    Have a nice day,

    Susana


    Wednesday, November 20, 2013 7:44 AM
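The disabling side described in the question and in this reply, as an added VB.NET example that is not Susana's code: it uses System.DirectoryServices to change userAccountControl as the reply says, but with three changes a reviewer would ask for. It sets only the ACCOUNTDISABLE bit (0x2) instead of writing 514 outright, so flags such as DONT_EXPIRE_PASSWORD (0x10000) are not wiped by the lock and silently restored (or not) by the unlock; it escapes the teacher-supplied account name before placing it in an LDAP filter, so a name containing "*", "(" or ")" cannot widen the search; and it records when the account may be re-enabled, so an automated job rather than an administrator does the unlocking. The table dbo.ScheduledUnlocks(ObjectGuid, UnlockAfter), the connection string and the domainRoot parameter are assumptions for the example.

```vb
' Added example (not the original poster's code). Disables a student account for a
' number of hours and records when it may be re-enabled.
' Assumed schema: dbo.ScheduledUnlocks(ObjectGuid nvarchar(64), UnlockAfter datetime2)
Imports System
Imports System.Data.SqlClient
Imports System.DirectoryServices
Imports System.Text

Public Module TimedAccountLock

    ' Bit 0x2 of userAccountControl is ACCOUNTDISABLE (512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE).
    Public Const ACCOUNTDISABLE As Integer = &H2

    ' Pure helper: set or clear only the ACCOUNTDISABLE bit so other flags survive.
    ' WithDisabledFlag(512, True) = 514; WithDisabledFlag(66048, True) = 66050 (DONT_EXPIRE_PASSWORD kept).
    Public Function WithDisabledFlag(ByVal uac As Integer, ByVal disabled As Boolean) As Integer
        If disabled Then Return uac Or ACCOUNTDISABLE
        Return uac And (Not ACCOUNTDISABLE)
    End Function

    ' Escapes a value for use inside an LDAP search filter (RFC 4515), so user input
    ' can only ever be compared as a literal, never change the shape of the query.
    Public Function EscapeLdapValue(ByVal value As String) As String
        Dim sb As New StringBuilder(value.Length)
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ControlChars.NullChar : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Looks up a user object by sAMAccountName under the given domain root; Nothing if absent.
    Public Function FindUser(ByVal domainRoot As DirectoryEntry, ByVal samAccountName As String) As DirectoryEntry
        Using searcher As New DirectorySearcher(domainRoot)
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & EscapeLdapValue(samAccountName) & "))"
            searcher.PropertiesToLoad.Add("userAccountControl")
            Dim result As SearchResult = searcher.FindOne()
            If result Is Nothing Then Return Nothing
            Return result.GetDirectoryEntry()
        End Using
    End Function

    ' Disables the account now and records when the unlock job may re-enable it.
    Public Sub DisableForHours(ByVal domainRoot As DirectoryEntry, ByVal samAccountName As String, ByVal hours As Double, ByVal connectionString As String)
        Dim user As DirectoryEntry = FindUser(domainRoot, samAccountName)
        If user Is Nothing Then Throw New ArgumentException("No such user: " & samAccountName)

        Dim uac As Integer = CInt(user.Properties("userAccountControl").Value)
        user.Properties("userAccountControl").Value = WithDisabledFlag(uac, True)
        user.CommitChanges()

        ' NativeGuid is the form ADSI accepts in LDAP://<GUID=...> binds, so the
        ' unlock job finds the same object even if it is renamed or moved meanwhile.
        Using conn As New SqlConnection(connectionString)
            conn.Open()
            Using cmd As New SqlCommand("INSERT INTO dbo.ScheduledUnlocks (ObjectGuid, UnlockAfter) VALUES (@guid, @unlockAfter)", conn)
                cmd.Parameters.AddWithValue("@guid", user.NativeGuid)
                cmd.Parameters.AddWithValue("@unlockAfter", DateTime.UtcNow.AddHours(hours))
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub
End Module
```

Call it from the web application as DisableForHours(New DirectoryEntry("LDAP://DC=example,DC=local"), studentName, 2, connectionString) with your own domain root and connection string; the web application's identity (or the credentials passed to the DirectoryEntry) needs write access to userAccountControl on the students' OU and nothing more. If a teacher locks an account that already has a pending row, the INSERT will collide with a primary key on ObjectGuid, so in practice you would update the existing row's UnlockAfter instead.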