c# - Why does UserPrincipal.Enabled return different values?
I am trying to determine whether a user account in AD is enabled. I use the following code:

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;

string domain = "my domain";
string group = "my security group";
string ou = "my ou";

// init context
using (var cnt = new PrincipalContext(ContextType.Domain, domain))
{
    // find the necessary security group
    using (GroupPrincipal mainGroup = GroupPrincipal.FindByIdentity(cnt, IdentityType.Guid, group))
    {
        if (mainGroup != null)
        {
            // get the group's members
            foreach (var user in mainGroup.GetMembers()
                                          .OfType<UserPrincipal>()
                                          .Where(u => u.DistinguishedName.Contains(ou)))
            {
                // ensure the account info is loaded
                // by using FindByIdentity as opposed to GetMembers
                var tmpUser = UserPrincipal.FindByIdentity(cnt, user.SamAccountName);
                // I could actually use the `user` variable,
                // as it gave the same result as `tmpUser`.

                // print account info (guard .Value so a null Enabled does not throw)
                Console.WriteLine(tmpUser.Name + "\t" + tmpUser.Enabled.HasValue + "\t"
                    + (tmpUser.Enabled.HasValue ? tmpUser.Enabled.Value.ToString() : "null"));
            }
        }
    }
}
```
The problem is, when I run the code under an administrative account, I get the real result, while when I run it under a non-privileged account, user.Enabled returns false for all accounts, while it should be true.
The similar Q&As I managed to find:
- UserPrincipal.Enabled returns false for accounts that are in fact enabled?
- Everything in Active Directory via C#.NET 3.5 (using System.DirectoryServices.AccountManagement)

do not help here.
Why is that so? Are there options to get this info under a non-privileged account?
Here is my approach: how to determine whether a user account is enabled or disabled:

```csharp
using System;
using System.DirectoryServices;

private bool IsActive(DirectoryEntry de)
{
    if (de.NativeGuid == null) return false;

    // the attribute comes back null when the caller is not allowed to read it
    object raw = de.Properties["userAccountControl"].Value;
    if (raw == null) return false;

    int flags = (int)raw;
    // ADS_UF_ACCOUNTDISABLE = 0x0002
    if (!Convert.ToBoolean(flags & 0x0002))
        return true;
    else
        return false;
}
```
The same approach is described in Active Directory Objects and C#.

However, when running under an unprivileged user account, the userAccountControl attribute is null, so it's not possible to determine the state of the account.

The workaround here is to use the PrincipalContext constructor that specifies the credentials of a user with enough privileges to access AD.

It stays unclear to me why the unprivileged user had access to AD at all, and yet couldn't get the values of the account attributes. This has nothing to do with C#, and should be configured in AD...
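The practical consequence of the answer above is that a null userAccountControl must be reported as "unknown", not as "disabled": UserPrincipal.Enabled collapses both cases into false. The following is an added example (not code from the question or the answers) that combines the credentialed PrincipalContext workaround with an explicit three-state decode of userAccountControl, so a permission problem is visible instead of silently looking like a disabled account. The domain, OU, group and service-account names are assumed placeholders; the password is read from an environment variable named here as AD_READER_PW.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// Three outcomes: Unknown means the attribute was not readable by the caller.
public enum AccountState { Enabled, Disabled, Unknown }

public static class AccountStateCheck
{
    const int ADS_UF_ACCOUNTDISABLE = 0x0002;

    // Decode a raw userAccountControl value. A missing value is a permission
    // (or schema) problem, which is NOT the same thing as a disabled account.
    public static AccountState Decode(object userAccountControl)
    {
        if (userAccountControl == null) return AccountState.Unknown;
        int flags = Convert.ToInt32(userAccountControl);
        return (flags & ADS_UF_ACCOUNTDISABLE) != 0 ? AccountState.Disabled : AccountState.Enabled;
    }

    public static AccountState StateOf(DirectoryEntry de)
    {
        // Ask for the attribute explicitly rather than trusting whatever the
        // initial bind happened to cache.
        de.RefreshCache(new[] { "userAccountControl" });
        return Decode(de.Properties["userAccountControl"].Value);
    }

    public static void Main()
    {
        string domain = "example.local";                       // assumption
        string ou = "OU=Staff,DC=example,DC=local";            // assumption
        string svcUser = "svc-reader";                         // assumption
        string svcPassword = Environment.GetEnvironmentVariable("AD_READER_PW"); // assumption

        // Workaround from the answer: bind with an account that is allowed to
        // read userAccountControl instead of the interactive (unprivileged) user.
        using (var ctx = new PrincipalContext(ContextType.Domain, domain, ou, svcUser, svcPassword))
        using (var filter = new UserPrincipal(ctx))
        using (var searcher = new PrincipalSearcher(filter))
        {
            foreach (var p in searcher.FindAll())
            {
                var user = p as UserPrincipal;
                if (user == null) continue;

                var de = (DirectoryEntry)user.GetUnderlyingObject();
                AccountState state = StateOf(de);

                // Print Enabled next to the decoded state so a silent "false" stands out.
                Console.WriteLine("{0}\t{1}\t{2}", user.SamAccountName, user.Enabled, state);
                if (state == AccountState.Unknown)
                    Console.WriteLine("  -> userAccountControl not readable by this caller; do not treat as disabled");
            }
        }
    }
}
```

If the credentialed bind still yields Unknown for every user, the service account itself lacks read permission on the attribute and the delegation in the next answer is what is missing, not the code.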
You'll need to delegate permissions in Active Directory to the accounts performing the AD queries. I've had applications that work this way (though they were performing other administrative tasks on user accounts).

Check here for instructions on how to delegate permissions (or see the blockquote below).
You may refer to the following procedure to run delegation:
- Start the Delegation of Control Wizard by performing the following steps:
  - Open Active Directory Users and Computers.
  - In the console tree, double-click the domain node.
  - In the details pane, right-click the organizational unit, click Delegate Control, and click Next.
- Select the users or group to whom you want to delegate common administrative tasks. To do so, perform the following steps:
  - On the Users or Groups page, click Add.
  - In Select Users, Computers or Groups, write the names of the users and groups to whom you want to delegate control of the organizational unit, click OK, and click Next.
- Assign the common tasks to delegate. Perform the following common tasks:
  - On the Tasks to Delegate page, click Delegate the following common tasks.
  - On the Tasks to Delegate page, select the tasks you want to delegate, and click OK. Click Finish.

For example: to delegate to an administrator the ability to move user/computer objects, you can use advanced mode in AD Users and Computers and run delegation. They should have write privilege in both OUs the object is moving between. For writing new values, the administrator's account should have delegated values on the user account (full privilege in the specific OU as well).
Something else worth looking at is whether the accounts have the userAccountControl attribute at all. I've heard accounts missing the attribute may not report correctly. In such scenarios the attribute should be set to NORMAL_ACCOUNT.
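The wizard steps above grant broad task-based rights; for the question's use case, reading account status, the least-privilege grant is ReadProperty on the single attribute userAccountControl, on user objects under the OU, to the group that runs the queries. The following is an added example (not code from the answer or the linked instructions) that makes that grant programmatically with System.DirectoryServices, looking up the schemaIDGUIDs of the userAccountControl attribute and the user class from the schema naming context rather than hard-coding them. The OU distinguished name and the group name are assumed placeholders, and the code must itself run as an account that holds WriteDacl on the OU.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

public static class DelegateUacRead
{
    // Resolve the schemaIDGUID of an attribute (objectClass=attributeSchema)
    // or a class (objectClass=classSchema) by its lDAPDisplayName.
    static Guid SchemaGuid(string ldapDisplayName, string objectClass)
    {
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string schemaNc = (string)rootDse.Properties["schemaNamingContext"].Value;
            using (var schema = new DirectoryEntry("LDAP://" + schemaNc))
            using (var searcher = new DirectorySearcher(schema))
            {
                searcher.Filter = string.Format("(&(objectClass={0})(lDAPDisplayName={1}))",
                                                objectClass, ldapDisplayName);
                searcher.PropertiesToLoad.Add("schemaIDGUID");
                SearchResult r = searcher.FindOne();
                if (r == null)
                    throw new InvalidOperationException("schema object not found: " + ldapDisplayName);
                return new Guid((byte[])r.Properties["schemaIDGUID"][0]);
            }
        }
    }

    public static void Main()
    {
        string ouDn = "OU=Staff,DC=example,DC=local";       // assumption
        string readerGroup = @"EXAMPLE\AD-Status-Readers";   // assumption

        Guid uacAttribute = SchemaGuid("userAccountControl", "attributeSchema");
        Guid userClass = SchemaGuid("user", "classSchema");

        // Allow ReadProperty on exactly one attribute, inherited by user objects
        // below the OU; nothing else is granted.
        var rule = new ActiveDirectoryAccessRule(
            new NTAccount(readerGroup),
            ActiveDirectoryRights.ReadProperty,
            AccessControlType.Allow,
            uacAttribute,
            ActiveDirectorySecurityInheritance.Descendents,
            userClass);

        using (var ou = new DirectoryEntry("LDAP://" + ouDn))
        {
            ou.ObjectSecurity.AddAccessRule(rule);
            ou.CommitChanges();   // the ACE is only written on commit
        }

        Console.WriteLine("Granted ReadProperty on userAccountControl for user objects under " + ouDn
                          + " to " + readerGroup);
    }
}
```

After the grant, a member of the group binding without elevated credentials sees a non-null userAccountControl and UserPrincipal.Enabled stops reporting false for enabled accounts; if it still does, check whether the OU blocks inheritance, since the ACE above relies on inheriting down to the user objects.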