How to check User Enabled or Locked with LDAP Server ?

Last post 09-22-2006 10:37 AM by dunnry. 13 replies.


  • How to check User Enabled or Locked with LDAP Server ?

    09-19-2006, 11:17 AM

    Hi,

    I am trying to check whether a user passed to the LDAP server is enabled or not and locked or not. But I am not getting its property values, though it shows me a property count of 42.

     

    Can you please tell me these things.

    1. How do I get the property values?
    2. Specifically, which properties do I check for UserEnabled or Locked out?
    3. How do I find all the property names?
    4. I am using a 2003 server at present; will this code work with any OS?

     Here is my function.

    ########################################################################

    Imports System.DirectoryServices

    ' Bits of userAccountControl. Note that AccountLockedOut (16) is only reported
    ' reliably by msDS-User-Account-Control-Computed on Windows 2003/ADAM.
    <Flags()> _
    Public Enum AdsUserFlags
        Script = 1
        AccountDisabled = 2
        HomeDirectoryRequired = 8
        AccountLockedOut = 16
        PasswordNotRequired = 32
        PasswordCannotChange = 64
        EncryptedTextPasswordAllowed = 128
        TempDuplicateAccount = 256
        NormalAccount = 512
        InterDomainTrustAccount = 2048
        WorkstationTrustAccount = 4096
        ServerTrustAccount = 8192
        PasswordDoesNotExpire = 65536
        MnsLogonAccount = 131072
        SmartCardRequired = 262144
        TrustedForDelegation = 524288
        AccountNotDelegated = 1048576
        UseDesKeyOnly = 2097152
        DontRequirePreauth = 4194304
        PasswordExpired = 8388608
        TrustedToAuthenticateForDelegation = 16777216
        NoAuthDataRequired = 33554432
    End Enum

    Public Function UserExists( _
        ByVal LDAPServerConnectionString As String, _
        ByVal UserName As String, _
        ByVal UserPassword As String, _
        Optional ByVal CheckIsUserAccountEnabled As Boolean = False, _
        Optional ByVal CheckIsUserAccountLocked As Boolean = False) As Boolean

        UserExists = False
        ' The original was missing the closing parenthesis here
        Dim de As New DirectoryEntry(LDAPServerConnectionString)

        Try
            If UserName.Length > 0 Then
                de.Username = UserName
            End If
            If UserPassword.Length > 0 Then
                de.Password = UserPassword
            End If

            ' Forces the bind, which is what validates the supplied credentials
            Try
                de.RefreshCache()
            Catch ex As Exception
                Return False
            End Try

            'msDS-User-Account-Control-Computed     'userAccountControl
            Dim userFlags As AdsUserFlags = CType(de.Properties("userAccountControl").Value, AdsUserFlags)
            MsgBox(String.Format("AdsUserFlags for {0}: {1}", de.Path, userFlags))

            ' Test the bit mask against 0; comparing an And result to True does not work in VB
            If CheckIsUserAccountEnabled AndAlso (userFlags And AdsUserFlags.AccountDisabled) <> 0 Then
                Return False
            End If
            ' CheckIsUserAccountLocked: userAccountControl does not carry a reliable lockout bit,
            ' so lockout has to be checked separately

            Return True
        Catch exUser As System.DirectoryServices.DirectoryServicesCOMException
            Return False
        Catch ex As Exception
            Throw   ' rethrow without resetting the stack trace
        Finally
            de.Dispose()
        End Try
    End Function

    ########################################################################

     

  • Re: How to check User Enabled or Locked with LDAP Server ?

    09-19-2006, 11:09 PM
    • bdesmond
    • Chicago, IL USA

    Hi,

    To check if they're disabled do this:

    ' The And result is an Integer bit mask, so test it against 0 rather than True
    If (CType(de.Properties("userAccountControl").Value, Integer) And CInt(AdsUserFlags.AccountDisabled)) <> 0 Then
         ' they're disabled
    End If
    

     To check if they're locked out:

    ' lockoutTime is a 64-bit FILETIME; DirectoryEntry hands it back as an IADsLargeInteger
    ' COM object (add a reference to activeds.tlb) and omits it for accounts never locked out
    Dim lockoutValue As Object = de.Properties("lockoutTime").Value
    If lockoutValue IsNot Nothing Then
        Dim li As ActiveDs.IADsLargeInteger = CType(lockoutValue, ActiveDs.IADsLargeInteger)
        If ((CLng(li.HighPart) << 32) Or (CLng(li.LowPart) And &HFFFFFFFFL)) > 0 Then
            ' They're Locked Out
        End If
    End If

     
    --Brian Desmond
    Windows Server MVP - Directory Services
    http://www.briandesmond.com
  • Re: How to check User Enabled or Locked with LDAP Server ?

    09-20-2006, 8:39 AM
    • dunnry
    • http://directoryprogramming.net
    The lockoutTime is trickier than that.  You either need the calculation, or you need to use msDs-User-Account-Control-Computed in Windows 2003/ADAM.  You can see how it is done in Ch. 10's samples.  The links to the samples are at the top of this forum.
  • Re: How to check User Enabled or Locked with LDAP Server ?

    09-20-2006, 5:13 PM
    • bdesmond
    • Chicago, IL USA
    Per MSDN lockoutTime = 0 if they're unlocked and > 0 otherwise, so if it's > 0 then they're locked out...
    --Brian Desmond
    Windows Server MVP - Directory Services
    http://www.briandesmond.com
  • Re: How to check User Enabled or Locked with LDAP Server ?

    09-20-2006, 6:00 PM
    • dunnry
    • http://directoryprogramming.net

    In that case, the MSDN documentation is wrong.  Domain policy will actually determine lockout.  The lockoutDuration can be set to unlock an account after any amount of time (e.g. 30 mins or so), which means the account's lockoutTime does not get cleared, but the account is actually unlocked.  An account that has never been locked out does not have the lockoutTime attribute either, so you need to handle that case.  It is only in the simple case where lockoutDuration is not set that accounts are locked out until lockoutTime is set to 0.  It was this PITA that also was the rationale for the calculated msDS- attribute that does the calculation for you in Windows 2003.  Unfortunately, you need to do this yourself in 2000.

    If you find that documentation, you should report it to the MSDN team to correct. 

  • Re: How to check User Enabled or Locked with LDAP Server ?

    09-21-2006, 2:46 PM

    I found that if I lock or disable the user, then it gives me an error on the line "de.RefreshCache()", or even if I try to check

    "CType(de.Properties("userAccountControl").Value, AdsUserFlags)" it gives me the error "Bad Username or password".

    So this means that if a user is disabled or locked out then it will not allow a connection, and we cannot check its properties either... Is this correct?

    Because it's not allowing me to use either of those two lines to check whether it's enabled or locked out.

  • Re: How to check User Enabled or Locked with LDAP Server ?

    09-21-2006, 2:51 PM
    • bdesmond
    • Chicago, IL USA
    That is correct.
    --Brian Desmond
    Windows Server MVP - Directory Services
    http://www.briandesmond.com
  • Re: How to check User Enabled or Locked with LDAP Server ?

    09-21-2006, 2:52 PM
    • dunnry
    • http://directoryprogramming.net
    If you are using the credentials of the disabled/locked user you are checking - of course it won't work.  You should be using the credentials of a service account to check this.  Once an account is locked or disabled, its credentials are not valid to use.
  • Re: How to check User Enabled or Locked with LDAP Server ?

    09-21-2006, 2:58 PM

    Does this mean that if we fail to connect, and it throws an exception, we have to assume that

    1. either the user does not exist,

    2. or the account is disabled,

    3. or the account is locked out.

    But can we know exactly why it fails in this case? I mean, is it because the account is disabled, or the account is locked out, or because the user does not exist?

    Because I have checked that in all these cases it throws the same exception, "Unknown username or bad password".

     

  • Re: How to check User Enabled or Locked with LDAP Server ?

    09-21-2006, 3:02 PM
    • dunnry
    • http://directoryprogramming.net
    No.  If you simply use a service account you will know all three.  First, you search, then if you find you check lockout/disabled.
  • Re: How to check User Enabled or Locked with LDAP Server ?

    09-21-2006, 3:09 PM

    OK, you mean search using the .filter method?

    So initially I should not provide its username or password to connect, apply the filter ("&((object=user)(cn=passedusername))") with this username and use .findall, and if a record is found then check those properties, and only then call "de.RefreshCache()" for all the validation checks at once?

    Is this correct?

     

  • Re: How to check User Enabled or Locked with LDAP Server ?

    09-21-2006, 3:19 PM
    • dunnry
    • http://directoryprogramming.net

    (sAMAccountName=passedloginname)

    Essentially, yes.  Your IIS server should have permission to read the AD if you run your app pool as domain service account - see FAQ.  If you are trying to authenticate users, you should view Ch. 12 code from samples. 
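    As an added example (not code from the thread or from the book samples it refers to), here is the lockout calculation dunnry describes in his earlier reply together with the search-then-check flow from this one, in Python with constructed values. The attribute dict stands in for what a DirectorySearcher query bound as a service account would return, and the 0x8000000000000000 "never unlock" value for lockoutDuration is assumed from the domain policy semantics.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits from the enum earlier in the thread; the LOCKED_OUT bit is only
# reliable in msDS-User-Account-Control-Computed (Windows 2003/ADAM), not in userAccountControl
ACCOUNT_DISABLED = 0x2
LOCKED_OUT = 0x10

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_UNLOCK = -(2 ** 63)  # assumed lockoutDuration sentinel: locked until an admin resets lockoutTime


def to_filetime(dt):
    """UTC datetime -> 100-ns intervals since 1601-01-01, the AD large-integer time format."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_locked_out(lockout_time, lockout_duration, now):
    """The lockout calculation you must do yourself on Windows 2000 (no computed attribute).

    lockout_time: the user's lockoutTime, or None when the attribute is absent (never locked out)
    lockout_duration: the domain's lockoutDuration, a negative 100-ns interval, or None if not set
    """
    if not lockout_time:  # absent or 0: never locked out, or explicitly unlocked
        return False
    if lockout_duration is None or lockout_duration == NEVER_UNLOCK:
        return True  # no automatic unlock: locked until lockoutTime is cleared
    unlock_at = lockout_time - lockout_duration  # the duration is negative, so subtracting adds it
    return to_filetime(now) < unlock_at


def classify_account(entry, lockout_duration, now):
    """entry: attribute dict from a service-account search on sAMAccountName, or None if no match.

    Returns 'not found', 'disabled', 'locked out' or 'ok'.
    """
    if entry is None:
        return "not found"
    if entry.get("userAccountControl", 0) & ACCOUNT_DISABLED:
        return "disabled"
    computed = entry.get("msDS-User-Account-Control-Computed")
    if computed is not None:  # Windows 2003/ADAM: the server did the calculation for us
        locked = bool(computed & LOCKED_OUT)
    else:  # Windows 2000: do the calculation ourselves
        locked = is_locked_out(entry.get("lockoutTime"), lockout_duration, now)
    return "locked out" if locked else "ok"
```

    Because the search runs under the service account, a "not found" result is distinguishable from a disabled or locked account, which a bind with the user's own credentials cannot tell apart.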

  • Re: How to check User Enabled or Locked with LDAP Server ?

    09-22-2006, 10:20 AM

    Hi,

    Actually, one more question. Can you please provide me a link for this chapter? I couldn't understand what you mean by ch. 12.

    I will read it in detail and then try.

    Thanks really for all of your efforts.

  • Re: How to check User Enabled or Locked with LDAP Server ?