How do I enable or disable an AD user account with LDAP query?
So far I've managed to find users in LDAP, but I don't know how to enable or disable them.
As a second question, if my account has domain administrator rights, can I enable or disable the account from LDAP or not?
Note. This is the case for Microsoft Active Directory running on Windows 2003.
I know that I can check active usage with
(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))
Disabled:
(useraccountcontrol:1.2.840.113556.1.4.803:=2)
The question is how to set the attribute in such a way that it doesn't lose other binary flags internally.
+3
source to share
1 answer
You need to use a little logic here. To disable a user, you set the disable bit (2). So:
const long ADS_UF_ACCOUNTDISABLE = 0x00000002;
long userAccountControl = //currentUacValue
long newUserAccountControl = (userAccountControl | ADS_UF_ACCOUNTDISABLE);
To enable the account, we need to clear the disable bit:
long userAccountControl = //currentUacValue
long newUserAccountControl = (userAccountControl & ~ADS_UF_ACCOUNTDISABLE)
+4
source to share