Solved

How to lock out a user in ActiveDirectory with C#

Posted on 2009-02-21
Last Modified: 2013-12-24
Hi,
I can find plenty of code on the internet on how to check whether an account is locked out or not, and how to unlock an account, but no code on how to lock an Active Directory account with C# code.
Some say it is prohibited for security reasons, some say it's possible.

My code for unlocking is easy.
Can it be done, and if yes, how?
.
.
DirectoryEntry deResult = result.GetDirectoryEntry();
deResult.Properties["LockOutTime"].Value = 0;
deResult.CommitChanges();


Question by:uhm179
LVL 26

Expert Comment

by:Anurag Thakur
ID: 23705131
Is this link of any help, as it shows a lot of operations which can be done on Active Directory?
http://www.codeproject.com/KB/system/everythingInAD.aspx?fid=399045&df=90&mpp=25&noise=3&sort=Position&view=Quick&fr=151
0
 

Author Comment

by:uhm179
ID: 23707608
I've stumbled across this page very early in my search for useful Active Directory code and there's this section about account locking and unlocking. Copy paste:

public bool IsLocked
{
    get { return Convert.ToBoolean(dEntry.InvokeGet("IsAccountLocked")); }
    set { dEntry.InvokeSet("IsAccountLocked", value); }
}

I've always assumed that value had to be set to a number (long), since that's the datatype that AD uses for the lockoutTime attribute (in which case the page isn't really helpful), but I just realized that it's a bool.

I'll have to try it out, and report back here.
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 1000 total points
ID: 23709589

If you're using IsAccountLocked you might want to be aware of this:

http://msdn.microsoft.com/en-us/library/aa746383.aspx

And therefore this:

http://msdn.microsoft.com/en-us/library/aa746533(VS.85).aspx

Which, unfortunately, includes the following snippet:

> Attempting to set the IsAccountLocked property to TRUE will fail. Only the system can lock an account.

Depending on why you need to do this, it would seem more appropriate to disable the account and possibly reset the password.

Chris
0
 

Author Closing Comment

by:uhm179
ID: 31549563
So I guess it's not possible. I'm making a web interface for Active Directory, so we don't need to use the admin program, and locked out status is something that would have been nice to manipulate. I'll just have to settle with only being able to unlock an account. Maybe resetting the password to a random string will get the job done (bit of an ugly hack though). Thx.
0
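
An added example (not code from any poster in this thread) of the alternative suggested in the accepted answer: since only the system can set the lockout state, block sign-in by disabling the account and replacing the password with a random string. The class name, method names and the LDAP path are hypothetical; `userAccountControl`, the `ADS_UF_ACCOUNTDISABLE` bit (0x2) and the ADSI `SetPassword` method are standard.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Cryptography;

static class AccountBlocker
{
    // ADS_UF_ACCOUNTDISABLE bit of the userAccountControl attribute.
    const int AccountDisable = 0x0002;

    // Pure flag arithmetic: set or clear only the disable bit, keep all other flags.
    public static int WithDisabled(int userAccountControl, bool disabled)
    {
        return disabled ? userAccountControl | AccountDisable
                        : userAccountControl & ~AccountDisable;
    }

    // Random password from the OS CSPRNG; Base64 of 24 bytes yields 32 characters.
    public static string RandomPassword()
    {
        var bytes = new byte[24];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Blocks sign-in: disable the account first, then replace the password.
    public static void Block(DirectoryEntry user)
    {
        int uac = (int)user.Properties["userAccountControl"].Value;
        user.Properties["userAccountControl"].Value = WithDisabled(uac, true);
        user.CommitChanges();
        // SetPassword is applied by the directory immediately; no CommitChanges needed.
        user.Invoke("SetPassword", new object[] { RandomPassword() });
    }

    static void Main()
    {
        // Placeholder path (assumption): substitute the distinguished name of a test user.
        using (var user = new DirectoryEntry("LDAP://CN=Test User,OU=Staff,DC=example,DC=com"))
        {
            Block(user);
            int uac = (int)user.Properties["userAccountControl"].Value;
            Console.WriteLine("Disabled: {0}", (uac & AccountDisable) != 0);
        }
    }
}
```

`SetPassword` needs an encrypted connection to the domain controller, and the calling identity needs rights to reset the password and to write `userAccountControl` on the user object.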
