find if user account is enabled or disabled in AD

Question

I need to find if user account is enabled or disabled in AD.

i Cant find the flag or property \"userAccountControl\". is this can be achieved using USER

Answer 1

I had not tested this answer but I believe it should work.

1) Get directory entry object using -

UserPrincipal qbeUser2 = new UserPrincipal(ctx2);
var dirEntry = qbeUser2.GetUnderlyingObject() as DirectoryEntry;

2) Then check for account disable status by -

var status = IsAccountDisabled(dirEntry);
public static bool IsAccountDisabled(DirectoryEntry user)
        {
            string Uac = "userAccountControl";
            if (user.NativeGuid == null) return false;

            if (user.Properties[Uac] != null && user.Properties[Uac].Value != null)
            {
                var userFlags = (UserFlags)user.Properties[Uac].Value;
                return userFlags.Contains(UserFlags.AccountDisabled);
            }

            return false;
        }

3) Here is the enum UserFlags -

[Flags]
public enum UserFlags
{
    // Reference - Chapter 10 (from The .NET Developer's Guide to Directory Services Programming)

    Script = 1,                                     // 0x1
    AccountDisabled = 2,                            // 0x2
    HomeDirectoryRequired = 8,                      // 0x8
    AccountLockedOut = 16,                          // 0x10
    PasswordNotRequired = 32,                       // 0x20
    PasswordCannotChange = 64,                      // 0x40
    EncryptedTextPasswordAllowed = 128,             // 0x80
    TempDuplicateAccount = 256,                     // 0x100
    NormalAccount = 512,                            // 0x200
    InterDomainTrustAccount = 2048,                 // 0x800
    WorkstationTrustAccount = 4096,                 // 0x1000
    ServerTrustAccount = 8192,                      // 0x2000
    PasswordDoesNotExpire = 65536,                  // 0x10000 (Also 66048 )
    MnsLogonAccount = 131072,                       // 0x20000
    SmartCardRequired = 262144,                     // 0x40000
    TrustedForDelegation = 524288,                  // 0x80000
    AccountNotDelegated = 1048576,                  // 0x100000
    UseDesKeyOnly = 2097152,                        // 0x200000
    DontRequirePreauth = 4194304,                   // 0x400000
    PasswordExpired = 8388608,                      // 0x800000 (Applicable only in Window 2000 and Window Server 2003)
    TrustedToAuthenticateForDelegation = 16777216,  // 0x1000000
    NoAuthDataRequired = 33554432                   // 0x2000000
}

Update

Here is the full code which is tested on AD. It worked fine in my testing.

using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

namespace DisableUsers
{
internal class Program
{
    private static void Main()
    {
        const string sAMAccountName = "vikas"; // The sAMAccountName of AD user
        var principalContext = new PrincipalContext(ContextType.Domain, "domainNameHere", "AdminUser", "AdminPass");
        var userPrincipal = UserPrincipal.FindByIdentity(principalContext, sAMAccountName);

        if (userPrincipal != null)
        {
            var dirEntry = userPrincipal.GetUnderlyingObject() as DirectoryEntry;
            var status = IsAccountDisabled(dirEntry);
            Console.WriteLine(status ? "Account {0} is disabled." : "Account {0} is enabled.", sAMAccountName);
        }
        else
        {
            Console.WriteLine("No user found for sAMAccountName '{0}'.", sAMAccountName);
        }

        Console.ReadLine();
    }

    public static bool IsAccountDisabled(DirectoryEntry user)
    {
        const string uac = "userAccountControl";
        if (user.NativeGuid == null) return false;

        if (user.Properties[uac] != null && user.Properties[uac].Value != null)
        {
            var userFlags = (UserFlags)user.Properties[uac].Value;
            return userFlags.Contains(UserFlags.AccountDisabled);
        }

        return false;
    }
}

public static class UserFlagExtensions
{
    /// 

    /// Check if flags contains the specific user flag. This method is more efficient compared to 'HasFlag()'.
    /// 
    /// The bunch of flags
    /// The flag to look for.
    /// Return true if flag found in flags.
    public static bool Contains(this UserFlags haystack, UserFlags needle)
    {
        return (haystack & needle) == needle;
    }
}

[Flags]
public enum UserFlags
{
    Script = 1,                                     // 0x1
    AccountDisabled = 2,                            // 0x2
    HomeDirectoryRequired = 8,                      // 0x8
    AccountLockedOut = 16,                          // 0x10
    PasswordNotRequired = 32,                       // 0x20
    PasswordCannotChange = 64,                      // 0x40
    EncryptedTextPasswordAllowed = 128,             // 0x80
    TempDuplicateAccount = 256,                     // 0x100
    NormalAccount = 512,                            // 0x200
    InterDomainTrustAccount = 2048,                 // 0x800
    WorkstationTrustAccount = 4096,                 // 0x1000
    ServerTrustAccount = 8192,                      // 0x2000
    PasswordDoesNotExpire = 65536,                  // 0x10000 (Also 66048 )
    MnsLogonAccount = 131072,                       // 0x20000
    SmartCardRequired = 262144,                     // 0x40000
    TrustedForDelegation = 524288,                  // 0x80000
    AccountNotDelegated = 1048576,                  // 0x100000
    UseDesKeyOnly = 2097152,                        // 0x200000
    DontRequirePreauth = 4194304,                   // 0x400000
    PasswordExpired = 8388608,                      // 0x800000 (Applicable only in Window 2000 and Window Server 2003)
    TrustedToAuthenticateForDelegation = 16777216,  // 0x1000000
    NoAuthDataRequired = 33554432                   // 0x2000000
}
}