How do I enable or disable an AD user account with LDAP query?

So far I've managed to find users in LDAP, but I don't know how to enable or disable them.

As a second question, if my account has domain administrator rights, can I enable or disable the account from LDAP or not?

Note. This is the case for Microsoft Active Directory running on Windows 2003.

I know that I can check active usage with

(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))

Disabled:

(useraccountcontrol:1.2.840.113556.1.4.803:=2)

The question is how to set the attribute in such a way that it doesn't lose other binary flags internally.

+3




1 answer


You need to use a little logic here. To disable a user, you set the disable bit (2). So:

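const long ADS_UF_ACCOUNTDISABLE = 0x00000002;
long userAccountControl = currentUacValue; // current userAccountControl value read from the user object
long newUserAccountControl = (userAccountControl | ADS_UF_ACCOUNTDISABLE); // set the disable bit, keep all other flags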

To enable the account, we need to clear the disable bit:

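long userAccountControl = currentUacValue; // current userAccountControl value read from the user object
long newUserAccountControl = (userAccountControl & ~ADS_UF_ACCOUNTDISABLE); // clear the disable bit, keep all other flags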

+4
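
The read-modify-write from the answer above, as an added example in Python that is not part of the original answer: it parses userAccountControl as LDAP returns it, changes only the disable bit, and builds an LDIF modify record. The DN and sample values are constructed, and the flag table lists only a few of the documented bits.

```python
ADS_UF_ACCOUNTDISABLE = 0x0002  # disable bit from the answer above

# Subset of documented userAccountControl bits, used to show what is preserved.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}


def parse_uac(raw):
    """LDAP hands the attribute back as a decimal string or bytes."""
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")
    value = int(raw, 10)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"userAccountControl out of range: {value}")
    return value


def set_disabled(current, disabled):
    """Set or clear only the disable bit; every other flag is untouched."""
    if disabled:
        return current | ADS_UF_ACCOUNTDISABLE
    return current & ~ADS_UF_ACCOUNTDISABLE


def flag_names(value):
    """Names of the known flags set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def build_ldif(dn, raw_current, disabled):
    """Return an LDIF modify record, or None if no write is needed.
    Assumes dn is plain ASCII (no base64 encoding needed in LDIF)."""
    current = parse_uac(raw_current)
    new = set_disabled(current, disabled)
    if new == current:
        return None  # already in the requested state
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: userAccountControl",
                      f"userAccountControl: {new}", "-", ""])


if __name__ == "__main__":
    dn = "CN=Jane Doe,OU=Staff,DC=example,DC=com"  # constructed sample DN
    print(flag_names(parse_uac("66048")))          # constructed sample value
    print(build_ldif(dn, "66048", disabled=True))
```

Skipping the write when the bit is already in the requested state avoids needless modify operations and keeps change logs clean.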

