irfanj
DirectoryEntry.Exists not working as expected
Nov 23, 2011 07:36 PM
First of all, I have read that DirectoryEntry.exists does not function correctly (http://connect.microsoft.com/VisualStudio/feedback/details/337682/directoryentry-exists-throws-exception-for-non-existent-winnt-object)
I just want to confirm that this is true, because my next question is based on that
The workaround (for us) was to enclose it in a try/catch block with the "false" code in the catch.
We use a bit of code to find all users that are locked out, and I am getting an error I don't understand.
Basically, the code runs and generates the equivalent of this:
    DirectorySearcher(searchRoot, ldapFilter, attributes);
    //DirectoryEntry searchRoot = new DirectoryEntry();
    //ldapFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))"
    //string[] attributes = { "distinguishedName", "sAMAccountName", "msDS-User-Account-Control-Computed" };
This returns all the users (as expected)
We then use some logic to determine if the user is locked out
if they are, we try to create a User object based on their distinguishedName, and the code fails at this point:
    public UserAccount(string distinguishedName)
    {
        _dn = distinguishedName;
        //It seems .Exists does not function correctly, and returns a COMException instead of false.
        try
        {
            if (DirectoryEntry.Exists("LDAP://" + _dn))
            {
                //do something
            }
        }
        catch (Exception ce)
        {
            throw new ActiveDirectoryObjectNotFoundException("User account not found: " + distinguishedName, typeof(DirectoryEntry), distinguishedName);
        }
        //more stuff here
    }
The .exists method returns false (or rather an exception, which I catch) for any users whose OU=Disabled/Inactive Users
(i.e. distinguishedName = "CN=Lastname\, Firstname,OU=Disabled/Inactive Users,DC=oursite,DC=com")
Basically, I want to know why sAMAccountName=* returns a user, but .exists cannot find that user (is this expected behaviour for disabled users, or am I doing something wrong?)
smirnov
Re: DirectoryEntry.Exists not working as expected
Nov 23, 2011 08:01 PM
Why not use
DirectoryEntry e = new DirectoryEntry("LDAP://" + _dn); if (e != null) ...?
You can also try to search for disabled users out of OU=Disabled/Inactive Users using the following filter:
(&(objectClass=user)(!(OU=Disabled/Inactive Users))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
irfanj
Re: DirectoryEntry.Exists not working as expected
Nov 24, 2011 01:27 PM
Thanks for the reply.
I've actually implemented something similar to your second suggestion (I basically ignore them if their OU=Disabled/Inactive Users), but I wanted to understand more about why this is happening.
Has anybody else had a similar problem?
Thanks
smirnov
Re: DirectoryEntry.Exists not working as expected
Nov 24, 2011 01:49 PM
It looks like a bug and Microsoft confirmed that.
irfanj
Re: DirectoryEntry.Exists not working as expected
Nov 24, 2011 02:43 PM
Sorry, that's not what I was referring to. The bug that Microsoft confirmed is that if you search for a user that does not exist, rather than return false, the DirectoryEntry.Exists method will throw an exception.
However, if I am searching for a user that DOES exist, but is in the OU=Disabled/Inactive Users, the method still throws an exception, which I assume means that this user cannot be found (I can't be sure because of the previous bug, since the cause of the exception is not stated). I want to know what could cause these users to be considered non-existent.
Thanks
XiaoCheng Fa...
Re: DirectoryEntry.Exists not working as expected
Nov 25, 2011 08:12 AM
Hi,
What's your system platform? If you're using a later version (e.g. .Net Framework 4.0 /4.5), please report this issue to:
http://connect.microsoft.com/VisualStudio
I'm looking forward to your reply.
If you have any feedback about my replies, please contact msdnmg@microsoft.com
Microsoft One Code Framework
irfanj
Re: DirectoryEntry.Exists not working as expected
Nov 25, 2011 01:48 PM
Hi,
We have .NET 3.0 SP1 on Windows Server 2003 (Standard Edition).
Is there any more information you need?
Thanks
irfanj
Re: DirectoryEntry.Exists not working as expected
Nov 25, 2011 02:02 PM
Sorry, my mistake. We seem to have v3.0 installed (I saw this in the registry) but the actual error has the following version info at the end:
.NET Framework Version: 2.0.50727.3615; ASP.NET Version 2.0.50727.3618
gww
Re: DirectoryEntry.Exists not working as expected
Nov 25, 2011 05:28 PM
If you want to find out if a user is locked out you can just search for lockouttime > 0 in your filter. That should return only those users who are locked out. No need to search for them all then step through each object.
You can also filter out disabled accounts as smirnov points out.
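
Added example, not code from any poster in this thread: gww's single-filter search for locked-out users combined with smirnov's disabled-account rule, reading each result straight from the search instead of re-checking its DN with DirectoryEntry.Exists. The class and method names are hypothetical, Find needs a domain-joined machine, and ToAdsPath rests on an assumption the thread does not confirm: that the '/' in the OU name, which ADSI reads as a path separator, is what breaks the hand-built path.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

static class LockedOutUsers // hypothetical name, not from the thread
{
    const int UF_LOCKOUT = 0x10; // lockout bit in msDS-User-Account-Control-Computed
    // LDAP filters have no '>' operator, so "lockoutTime > 0" is written ">=1".
    // The bitwise-AND rule (:1.2.840.113556.1.4.803:=2) drops disabled accounts server-side.
    const string Filter =
        "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1)" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

    // Only for DNs obtained elsewhere (assumption: '/' is the problem character).
    // ADSI reads '/' as a path separator, so escape it before appending to "LDAP://".
    public static string ToAdsPath(string dn)
    {
        return "LDAP://" + dn.Replace("/", "\\/");
    }

    public static List<string> Find(DirectoryEntry searchRoot)
    {
        List<string> paths = new List<string>();
        string[] attrs = { "distinguishedName", "msDS-User-Account-Control-Computed" };
        using (DirectorySearcher searcher = new DirectorySearcher(searchRoot, Filter, attrs))
        {
            searcher.PageSize = 500; // page through large result sets
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    // lockoutTime stays set after expiry; the computed bit reflects the current state.
                    ResultPropertyValueCollection v = r.Properties["msDS-User-Account-Control-Computed"];
                    int flags = v.Count > 0 ? (int)v[0] : 0;
                    if ((flags & UF_LOCKOUT) != 0)
                        paths.Add(r.Path); // ADsPath from the provider, no concatenation
                }
            }
        }
        return paths;
    }

    static void Main()
    {
        // Constructed DN in the shape quoted in the thread.
        Console.WriteLine(ToAdsPath(@"CN=Lastname\, Firstname,OU=Disabled/Inactive Users,DC=oursite,DC=com"));
        foreach (string p in Find(new DirectoryEntry())) Console.WriteLine(p);
    }
}
```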