How to lock out a user in Active Directory with C#

Hi,
I can find plenty of code on the internet on how to check whether an account is locked out or not, and how to unlock an account, but no code on how to lock an Active Directory account with C# code.
Some say it is prohibited for security reasons, some say it's possible.

My code for unlocking is easy.
Can it be done, and if yes, how?
.
.
DirectoryEntry deResult = result.GetDirectoryEntry();
deResult.Properties["LockOutTime"].Value = 0;
deResult.CommitChanges();


uhm179 Asked:
 
Chris Dent (PowerShell Developer) Commented:

If you're using IsAccountLocked you might want to be aware of this:

http://msdn.microsoft.com/en-us/library/aa746383.aspx

And therefore this:

http://msdn.microsoft.com/en-us/library/aa746533(VS.85).aspx

Which, unfortunately, includes the following snippet:

> Attempting to set the IsAccountLocked property to TRUE will fail. Only the system can lock an account.

Depending on why you need to do this, it would seem more appropriate to disable the account and possibly reset the password.

Chris
0
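The alternative suggested in the answer above (disable the account and optionally reset the password), as an added example that is not part of the original post. The class and method names are hypothetical and the LDAP path passed in is a placeholder; the caller needs rights to modify the user object.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Cryptography;

// Added example, not code from the thread. AccountBlocker and its method
// names are hypothetical; userLdapPath is a placeholder for the user's LDAP path.
public static class AccountBlocker
{
    const int ADS_UF_ACCOUNTDISABLE = 0x0002; // userAccountControl "account disabled" bit

    // Administratively block sign-in: set the disable bit and, optionally,
    // replace the password with a random value nobody knows.
    public static void Disable(string userLdapPath, bool scramblePassword)
    {
        using (var user = new DirectoryEntry(userLdapPath))
        {
            int uac = (int)user.Properties["userAccountControl"].Value;
            user.Properties["userAccountControl"].Value = uac | ADS_UF_ACCOUNTDISABLE;
            user.CommitChanges();

            if (scramblePassword)
            {
                var bytes = new byte[24];
                using (var rng = RandomNumberGenerator.Create())
                    rng.GetBytes(bytes);
                // SetPassword is the ADSI IADsUser method, called through Invoke.
                user.Invoke("SetPassword", new object[] { Convert.ToBase64String(bytes) });
            }
        }
    }

    // Undo the block: clear the disable bit and leave every other flag untouched.
    public static void Enable(string userLdapPath)
    {
        using (var user = new DirectoryEntry(userLdapPath))
        {
            int uac = (int)user.Properties["userAccountControl"].Value;
            user.Properties["userAccountControl"].Value = uac & ~ADS_UF_ACCOUNTDISABLE;
            user.CommitChanges();
        }
    }

    // Read-only check of the disable bit, for display in an admin interface.
    public static bool IsDisabled(string userLdapPath)
    {
        using (var user = new DirectoryEntry(userLdapPath))
            return ((int)user.Properties["userAccountControl"].Value & ADS_UF_ACCOUNTDISABLE) != 0;
    }
}
```

Unlike a lockout, the disabled state does not expire on its own, so an interface built on this should show it separately from the lockout status and log who set it.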
 
Anurag Thakur (Technical Manager) Commented:
Is this link of any help, as it shows a lot of operations which can be done on Active Directory?
http://www.codeproject.com/KB/system/everythingInAD.aspx?fid=399045&df=90&mpp=25&noise=3&sort=Position&view=Quick&fr=151
0
 
uhm179 (Author) Commented:
I've stumbled across this page very early in my search for useful Active Directory code and there's this section about account locking and unlocking. Copy paste:

public bool IsLocked
{
    get { return Convert.ToBoolean(dEntry.InvokeGet("IsAccountLocked")); }
    set { dEntry.InvokeSet("IsAccountLocked", value); }
}

I've always assumed that value had to be set to a number (long), since that's the datatype that AD uses for the lockouttime attribute (in which case the page isn't really helpful), but I just realized that it's a bool.

I'll have to try it out, and report back here.
0
 
uhm179 (Author) Commented:
So I guess it's not possible. I'm making a web interface for Active Directory, so we don't need to use the admin program, and locked out status is something that would have been nice to manipulate. I'll just have to settle with only being able to unlock an account. Maybe resetting the password to a random string will get the job done (bit of an ugly hack though). Thx.
0
Question has a verified solution.
