帐户的配置情况,如:
帐户已禁用,过期等。
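/// <summary>
/// Bit flags of the Active Directory <c>userAccountControl</c> attribute ("account options").
/// </summary>
/// <remarks>
/// Values and wording follow http://support.microsoft.com/?id=305144. The attribute is a bit mask,
/// so a stored value is the OR of several members: test individual bits with <c>&amp;</c>, never with
/// equality. NOTE(review): AD does not maintain LOCKOUT and PASSWORD_EXPIRED in the stored attribute;
/// those two bits are only reported through the constructed attribute
/// msDS-User-Account-Control-Computed (see <see cref="Program.UserIsInvalidateInDomain"/>).
/// From a hardening point of view, PASSWD_NOTREQD, ENCRYPTED_TEXT_PWD_ALLOWED, USE_DES_KEY_ONLY,
/// DONT_REQ_PREAUTH and TRUSTED_FOR_DELEGATION all weaken authentication for the account they are set on
/// and are worth auditing separately from the "is the account usable" check below.
/// </remarks>
[Flags]
public enum UserAccessControl
{
    [Description("将运行登录脚本")]
    SCRIPT = 0x0001,

    [Description("禁用用户帐户")]
    ACCOUNTDISABLE = 0x0002,

    [Description("需要主文件夹")]
    HOMEDIR_REQUIRED = 0x0008,

    // Not maintained in the stored attribute; read msDS-User-Account-Control-Computed instead.
    [Description("账户已锁定")]
    LOCKOUT = 0x0010,

    // Empty passwords are permitted for the account.
    [Description("不需要密码")]
    PASSWD_NOTREQD = 0x0020,

    [Description("用户不能更改密码")]
    PASSWD_CANT_CHANGE = 0x0040,

    // Password is stored with reversible encryption.
    [Description("用户可以发送加密的密码")]
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080,

    [Description("此帐户属于其主帐户位于另一个域中的用户")]
    TEMP_DUPLICATE_ACCOUNT = 0x0100,

    [Description("默认帐户类型")]
    NORMAL_ACCOUNT = 0x0200,

    [Description("对于信任其他域的系统域,此属性允许信任该系统域的帐户")]
    INTERDOMAIN_TRUST_ACCOUNT = 0x0800,

    [Description("这是运行 Microsoft Windows NT 4.0 Workstation、Microsoft Windows NT 4.0 Server、Microsoft Windows 2000 Professional 或 Windows 2000 Server 并且属于该域的计算机的计算机帐户")]
    WORKSTATION_TRUST_ACCOUNT = 0x1000,

    [Description("这是属于该域的域控制器的计算机帐户")]
    SERVER_TRUST_ACCOUNT = 0x2000,

    [Description("该帐户上永远不会过期的密码")]
    DONT_EXPIRE_PASSWORD = 0x10000,

    [Description("MNS 登录帐户")]
    MNS_LOGON_ACCOUNT = 0x20000,

    [Description("强制用户使用智能卡登录")]
    SMARTCARD_REQUIRED = 0x40000,

    // Unconstrained Kerberos delegation: the account may impersonate any user that authenticates to it.
    [Description("信任运行服务的服务帐户(用户或计算机帐户)进行 Kerberos 委派")]
    TRUSTED_FOR_DELEGATION = 0x80000,

    [Description("即使将服务帐户设置为信任其进行 Kerberos 委派,也不会将用户的安全上下文委派给该服务")]
    NOT_DELEGATED = 0x100000,

    // (Windows 2000 / Windows Server 2003)
    [Description("将此用户限制为仅使用数据加密标准 (DES) 加密类型的密钥")]
    USE_DES_KEY_ONLY = 0x200000,

    // (Windows 2000 / Windows Server 2003) Disables Kerberos pre-authentication for the account.
    [Description("此帐户在登录时不需要进行 Kerberos 预先验证")]
    DONT_REQ_PREAUTH = 0x400000,

    // (Windows 2000 / Windows Server 2003) Not maintained in the stored attribute; see LOCKOUT.
    [Description("用户的密码已过期")]
    PASSWORD_EXPIRED = 0x800000,

    // (Windows 2000 / Windows Server 2003) Protocol transition (S4U2Self) delegation.
    [Description("允许该帐户进行委派")]
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000,
}

/// <summary>
/// Sample program: reads a domain user's account options and prints the first flag that blocks the account.
/// </summary>
public class Program
{
    /// <summary>
    /// Constructed AD attribute that carries the LOCKOUT and PASSWORD_EXPIRED bits the stored
    /// userAccountControl attribute does not maintain. Constructed attributes are only returned when
    /// requested explicitly, hence the RefreshCache call in <see cref="UserIsInvalidateInDomain"/>.
    /// </summary>
    private const string ComputedAttribute = "msDS-User-Account-Control-Computed";

    /// <summary>
    /// Flags that make the account unusable for this application, in the order they are reported.
    /// The set is the page's own policy (HOMEDIR_REQUIRED and SMARTCARD_REQUIRED are included
    /// because a password-only client cannot satisfy them); first match wins.
    /// </summary>
    private static readonly UserAccessControl[] BlockingFlags = new[]
    {
        UserAccessControl.ACCOUNTDISABLE,
        UserAccessControl.HOMEDIR_REQUIRED,
        UserAccessControl.LOCKOUT,
        UserAccessControl.TEMP_DUPLICATE_ACCOUNT,
        UserAccessControl.SMARTCARD_REQUIRED,
        UserAccessControl.PASSWORD_EXPIRED,
    };

    static void Main(string[] args)
    {
        // Domain controller path: "LDAP://k2014.kxlf.com/DC=kxlf,DC=com"
        var usrName = "tms_s_fangju";
        // Query the user's account options.
        var errMsg = UserIsInvalidateInDomain("k2014.kxlf.com", "kxlf", "com", usrName);
        if (errMsg.Length > 0)
        {
            Console.WriteLine(usrName + ": " + errMsg);
        }
    }

    /// <summary>
    /// Binds to CN=<paramref name="userName"/>,CN=Users of the given domain and returns the first
    /// account-option flag (see <see cref="BlockingFlags"/>) that makes the account unusable.
    /// </summary>
    /// <param name="domainServer">Host name of the domain controller to bind to (the LDAP://host/ part).</param>
    /// <param name="shortDomain">First DC component of the domain, e.g. "kxlf".</param>
    /// <param name="domainTail">Second DC component of the domain, e.g. "com".</param>
    /// <param name="userName">The account's CN under CN=Users. It is DN-escaped before use, so a value
    /// containing ',', '=', '/' or similar cannot redirect the bind to another object.</param>
    /// <returns>
    /// The localized description of the first blocking flag (the member name if it has no
    /// <see cref="DescriptionAttribute"/>), or <see cref="string.Empty"/> when none of them is set.
    /// </returns>
    /// <exception cref="ArgumentException">An argument is null or empty.</exception>
    /// <exception cref="InvalidOperationException">The object has no userAccountControl value; this is
    /// thrown instead of treating the account as valid (fail closed).</exception>
    /// <remarks>
    /// Bind failures (unknown user, unreachable DC, access denied) surface as the COM exception thrown by
    /// <see cref="DirectoryEntry"/>; they are deliberately not swallowed so a failed lookup is never
    /// mistaken for a valid account. Only accounts whose RDN lives directly under CN=Users are found;
    /// accounts moved to another OU raise a bind error. The credentials used are those of the process.
    /// </remarks>
    public static string UserIsInvalidateInDomain(string domainServer, string shortDomain, string domainTail, string userName)
    {
        RequireNonEmpty(domainServer, "domainServer");
        RequireNonEmpty(shortDomain, "shortDomain");
        RequireNonEmpty(domainTail, "domainTail");
        RequireNonEmpty(userName, "userName");

        var path = string.Format(@"LDAP://{0}/CN={3},CN=Users,DC={1},DC={2}",
            domainServer, shortDomain, domainTail, EscapeDnValue(userName));

        using (var de = new DirectoryEntry(path))
        {
            // The constructed attribute is not part of the default property load, so request both explicitly.
            de.RefreshCache(new[] { "userAccountControl", ComputedAttribute });

            var stored = de.Properties["userAccountControl"].Value;
            if (stored == null)
            {
                // Convert.ToInt32(null) would yield 0 and report the account as valid.
                throw new InvalidOperationException("userAccountControl is not set on " + path);
            }
            var flags = Convert.ToInt32(stored);

            // Merge in LOCKOUT / PASSWORD_EXPIRED, which AD only reports through the computed attribute.
            var computed = de.Properties[ComputedAttribute].Value;
            if (computed != null)
            {
                flags |= Convert.ToInt32(computed);
            }

            foreach (var flag in BlockingFlags)
            {
                if (BitContains(flags, (int)flag))
                {
                    return DescribeFlag(flag);
                }
            }
        }
        return string.Empty;
    }

    /// <summary>
    /// Escapes a value for use as an RDN attribute value inside an ADSI LDAP path.
    /// </summary>
    /// <param name="value">Raw attribute value, e.g. a user's CN.</param>
    /// <returns>The value with RFC 4514 special characters ('\', ',', '+', '"', '&lt;', '&gt;', ';', '='),
    /// a leading ' ' or '#', a trailing ' ' and the ADSI path separator '/' backslash-escaped, and
    /// control characters written as backslash + two hex digits.</returns>
    /// <exception cref="ArgumentException"><paramref name="value"/> is null or empty.</exception>
    public static string EscapeDnValue(string value)
    {
        RequireNonEmpty(value, "value");
        var sb = new System.Text.StringBuilder(value.Length * 2);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            bool leadingSpecial = i == 0 && (c == ' ' || c == '#');
            bool trailingSpace = i == value.Length - 1 && c == ' ';
            if (c == '\\' || c == ',' || c == '+' || c == '"' || c == '<' || c == '>' || c == ';' || c == '='
                || c == '/' || leadingSpecial || trailingSpace)
            {
                sb.Append('\\').Append(c);
            }
            else if (c < ' ')
            {
                // NUL and other control characters: hex-pair escape per RFC 4514.
                sb.Append('\\').Append(((int)c).ToString("X2"));
            }
            else
            {
                sb.Append(c);
            }
        }
        return sb.ToString();
    }

    /// <summary>Returns the flag's <see cref="DescriptionAttribute"/> text, or its member name when it has none.</summary>
    private static string DescribeFlag(UserAccessControl flag)
    {
        var name = flag.ToString();
        var field = typeof(UserAccessControl).GetField(name);
        if (field == null)
        {
            return name;
        }
        var description = Attribute.GetCustomAttribute(field, typeof(DescriptionAttribute)) as DescriptionAttribute;
        return description == null ? name : description.Description;
    }

    /// <summary>Throws <see cref="ArgumentException"/> when <paramref name="value"/> is null or empty.</summary>
    private static void RequireNonEmpty(string value, string paramName)
    {
        if (string.IsNullOrEmpty(value))
        {
            throw new ArgumentException("Value must not be null or empty.", paramName);
        }
    }

    /// <summary>True when every bit of <paramref name="testVal"/> is set in <paramref name="val"/>.</summary>
    private static bool BitContains(int val, int testVal)
    {
        return (val & testVal) == testVal;
    }
}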