Problem reading Active Directory UserAccountControl property

[pillbug22]

Hi everyone-

Hopefully this is an easy one...

I'm trying to detect the status of an Active Directory user's account (disabled, password expired, locked, etc). No matter what the user's account is actually set to, it always returns that the account is normal (512, or ADS_UF_NORMAL_ACCOUNT), even though I expect a different value.

Can anyone see what I'm doing wrong so I always get 512 returned from the user's UserAccountControl property?

Thanks in advance...

Public Shared Function CheckAccountStatus(ByVal username As String) As String

		Dim rootDN As String
		Dim rootDSE As DirectoryEntry
		Dim searchRoot As DirectoryEntry
		Dim userEntry As DirectoryEntry
		Dim searcher As DirectorySearcher
		Dim results As SearchResultCollection
		Dim result As SearchResult

		Try
			'note the authenicationtypes here
			'you need to either use SecureSocketsLayer or Kerberos (Secure + Sealing)
			rootDSE = New DirectoryEntry(String.Format("LDAP://{0}/rootDSE", _dcDNS), _ADServiceAccountName, _ADServiceAccountPassword, AuthenticationTypes.Secure Or AuthenticationTypes.Sealing Or AuthenticationTypes.ServerBind)
			rootDN = DirectCast(rootDSE.Properties("defaultNamingContext").Value, String)
			searchRoot = New DirectoryEntry(String.Format("LDAP://{0}/{1}", _dcDNS, rootDN), _ADServiceAccountName, _ADServiceAccountPassword, AuthenticationTypes.Secure Or AuthenticationTypes.Sealing Or AuthenticationTypes.ServerBind)
			searcher = New DirectorySearcher(searchRoot)
			searcher.Filter = String.Format("sAMAccountName={0}", username)
			searcher.SearchScope = SearchScope.Subtree
			searcher.CacheResults = False

			'I use FindAll here because FindOne leaks memory if it does not find anything
			'in .NET 1.0 and 1.1
			results = searcher.FindAll()
			For Each result In results
				'only use this method on .NET 1.1 or higher
				'otherwise, get the adsPath value and build a new
				'DirectoryEntry with the supplied credentials
				userEntry = result.GetDirectoryEntry()
				Exit For 'this is redundant because sAMAccountName is unique in the [url="http://www.experts-exchange.com/Programming/Programming_Languages/Dot_Net/VB_DOT_NET/Q_21123504.html#"]domain[/url], but it is done for clarity
			Next

			If userEntry Is Nothing Then
				Return "User not found in this domain."
			End If

			Dim firstName, lastName As String
			Dim DisplayName As String = GetDisplayName(username, firstName, lastName)
			Dim strResult As String = String.Empty
			Dim strCallHelp As String = " - Please contact the Help Desk at xHELP (x4357) for assistance."

			Select Case userEntry.Properties("userAccountControl").Value
				Case ADS_USER_FLAG.ADS_UF_ACCOUNTDISABLE
					strResult = "Account disabled" & strCallHelp
				Case ADS_USER_FLAG.ADS_UF_LOCKOUT
					strResult = "Locked" & strCallHelp
				Case ADS_USER_FLAG.ADS_UF_NORMAL_ACCOUNT 							 ' <-- always hits this, even when I disable an account
					strResult = "OK"
				Case ADS_USER_FLAG.ADS_UF_PASSWORD_EXPIRED
					strResult = "Expired password. Please use the form below to set your new password."
				Case Else
					strResult = userEntry.Properties("userAccountControl").Value.ToString & strCallHelp
			End Select

			Return userEntry.Properties("userAccountControl").Value.ToString 			  ' <-- always returns 512

		Catch ex As System.Reflection.TargetInvocationException
			Return ex.innerexception.tostring
		Catch ex As Exception
			Return ex.InnerException.tostring
		Finally 'these prevent other memory leaks
			If Not userEntry Is Nothing Then userEntry.Dispose()
			If Not results Is Nothing Then results.Dispose()
			If Not searcher Is Nothing Then searcher.Dispose()
			If Not searchRoot Is Nothing Then searchRoot.Dispose()
			If Not rootDSE Is Nothing Then rootDSE.Dispose()
		End Try

	End Function

 

[pillbug22]

Nevermnd.

Tuens out our network was running slow, so it was just taking a while for the AD to replicate the changes I made.

 

[ph09]

Not able to use ADS_USER_FLAG

Hi,

I am not able to use ADS_USER_FLAG...properties....either I get Error:ADS_USER_FLAG not declared or i get incorrect response like even for a disabled accounts it will say "OK"

If anybody could please tell me what am i missing it will great....below is my code

Option Explicit On
Imports System.DirectoryServices
Imports ActiveDs
......
Protected Sub checkPWExpiry(ByVal user As String, ByVal pw As String, ByVal path As String)
Try
'connect as an administrator to check user's pw expiry
Dim sPath As String = path
Dim myDirectory As New DirectoryEntry(sPath, ......)
'pass the user account and password for your Enterprise admin.
Dim mySearcher As New DirectorySearcher(myDirectory)
Dim mySearchResult As SearchResult
'Build LDAP query
mySearcher.Filter = ("(&(objectClass=user)(samaccountname=" & user & "))")
mySearcher.PropertiesToLoad.Add("cn")
mySearchResult = mySearcher.FindOne()
If (mySearchResult.Equals("")) Then
'return false
Response.Write("<div align=center><b><br><font name='arial' font size='2' font color='#5a5a4b' >
2Please enter a valid Username/Password</b></font></div>")
Else
 
Dim fromEntry As DirectoryEntry = mySearchResult.GetDirectoryEntry()
Dim flag As Boolean = True
 
......
If flag Then
Dim caseResult As String
Select Case fromEntry.Properties("userAccountControl").Value
Case ADS_USER_FLAG.ADS_UF_ACCOUNTDISABLE '2
caseResult = "Account disabled"
Case ADS_USER_FLAG.ADS_UF_LOCKOUT '65536
caseResult = "Locked"
Case ADS_USER_FLAG.ADS_UF_NORMAL_ACCOUNT '512
caseResult = "Normal Account OK" ' <-- always hits this, even when I disable an account
Case ADS_USER_FLAG.ADS_UF_PASSWORD_EXPIRED '8388608
caseResult = "Expired password."
Case Else
caseResult = "None"
End Select
 
Response.Write(caseResult)
 
End If
 
fromEntry.Dispose()
End If
mySearcher.Dispose()
myDirectory.Dispose()
Catch ex As System.Exception
'do some error return here.
Response.Write("<div align=center><b><br><font name='arial' font size='2' font color='#5a5a4b' >
3Please enter a valid Username/Password</b></font></div>" & ex.Message)
End Try
End Sub