How can I enable or disable an AD user account with an LDAP request?

巧了我就是萌 submitted on 2019-12-10 15:26:13

Question


So far I was able to find users in LDAP, but I don't know how I can enable or disable them.

As a second question, if my account has Domain Admin rights, will I be able to enable or disable accounts from LDAP or not?

Note: This is about a Microsoft Active Directory running on Windows 2003.

I know that I can check active users with:

(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))

Disabled users:

(useraccountcontrol:1.2.840.113556.1.4.803:=2)

The question is how do I set the attribute in such a way that it will not lose other binary flags inside.


Answer 1:


You need to use a bit of logic here. So to disable a user, you set the disable bit (2). So:

const long ADS_UF_ACCOUNTDISABLE = 0x00000002;
long userAccountControl = currentUacValue; // the account's current userAccountControl value
long newUserAccountControl = userAccountControl | ADS_UF_ACCOUNTDISABLE; // set the disable bit, keep all other flags

To enable an account, we need to clear the disable bit:

long userAccountControl = currentUacValue; // the account's current userAccountControl value
long newUserAccountControl = userAccountControl & ~ADS_UF_ACCOUNTDISABLE; // clear only the disable bit
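
The bit logic above carried through to an LDAP modify request, as an added example that is not part of the original answer: it reads the current userAccountControl value as the decimal string LDAP returns, changes only the disable bit, and emits an RFC 2849 LDIF record that replaces the attribute. The function names and the sample DN are assumptions made for illustration.

```python
import base64

ADS_UF_ACCOUNTDISABLE = 0x00000002  # same bit the question's filters test


def new_uac(current: str, enable: bool) -> int:
    """Return userAccountControl with only the disable bit changed."""
    value = int(current)  # LDAP returns the attribute as a decimal string
    if enable:
        return value & ~ADS_UF_ACCOUNTDISABLE  # clear bit 2, keep the rest
    return value | ADS_UF_ACCOUNTDISABLE  # set bit 2, keep the rest


def ldif_line(name: str, value: str) -> str:
    """Emit 'name: value', or base64 'name:: ...' where RFC 2849 requires it."""
    unsafe = (
        value[:1] in (" ", ":", "<")
        or value.endswith(" ")
        or any(ord(c) > 127 or c in "\0\r\n" for c in value)
    )
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def uac_ldif(dn: str, current: str, enable: bool):
    """Build an LDIF modify record; None if the account is already in that state."""
    target = new_uac(current, enable)
    if target == int(current):
        return None  # nothing to write, so no modify request is needed
    return "\n".join([
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: userAccountControl",
        f"userAccountControl: {target}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: a normal account (512) with a non-expiring password (65536).
    print(uac_ldif("CN=Test User,OU=Staff,DC=example,DC=com", "66048", enable=False))
```

The record can be applied with any LDIF-aware client such as ldapmodify; the bind account needs write access to the attribute.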


Source: https://stackoverflow.com/questions/10053269/how-can-i-enable-or-disable-an-ad-user-account-with-an-ldap-request
