Find all blocked users in AD using C #
The code below works great for me, but I would like a list of all users blocked as opposed to specifying a specific user, can someone help me expand the scope of this code, please
using (var context = new PrincipalContext( ContextType.Domain ))
{
using (var user = UserPrincipal.FindByIdentity( context,
IdentityType.SamAccountName,
name ))
{
if (user.IsAccountLockedOut())
{
... your code here...
}
}
}
The code above works great for me, however I would like the list of all users to be blocked, not a specific user.
This is what ended up working - Thanks to all contributors.
when a user is locked out, they do not go "not locked" until they are logged in (by repeating the lock offer in the ldap lookup); so ... Using blocked qry Gives you a wide list of blocked users, which can then be narrowed down with the isaccountlockedout () method. Hello!
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.DirectoryServices.AccountManagement;
namespace ConsoleApplication5
{
class Lockout : IDisposable
{
DirectoryContext context;
DirectoryEntry root;
public Lockout()
{
string domainName = "domain.com";
this.context = new DirectoryContext(
DirectoryContextType.Domain,
domainName
);
//get our current domain policy
Domain domain = Domain.GetDomain(this.context);
this.root = domain.GetDirectoryEntry();
}
public void FindLockedAccounts()
{
string qry = " (&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295)(!UserAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)))) ";
DirectorySearcher ds = new DirectorySearcher(
this.root,
qry
);
using (SearchResultCollection src = ds.FindAll())
{
foreach (SearchResult sr in src)
{
using (var context = new PrincipalContext( ContextType.Domain ))
{
string name = sr.Properties["SamAccountName"][0].ToString();
using (var user = UserPrincipal.FindByIdentity( context,
IdentityType.SamAccountName,
name ))
{
if (user.IsAccountLockedOut())
{
Console.WriteLine("{0} is locked out", sr.Properties["name"][0]);
}
}
}
}
}
}
public void Dispose()
{
if (this.root != null)
{
this.root.Dispose();
}
}
}
}
source to share
Edit: Wrong question. Updated answer
try now
Why not just:
var lockedUsers = new List<UserPrincipal>();
using (var context = new PrincipalContext(ContextType.Domain))
{
GroupPrincipal grp = GroupPrincipal.FindByIdentity(context, IdentityType.SamAccountName, "Domain Users");
foreach (var userPrincipal in grp.GetMembers(false))
{
var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, userPrincipal.UserPrincipalName);
if (user != null)
{
if (user.IsAccountLockedOut())
{
lockedUsers.Add(user);
}
}
}
}
//Deal with list here
source to share
You can use the attribute lockoutTime
, but this is not necessarily trivial. The attribute has a time at which the user was locked out. So, if your domain has a single blocking policy, you can search for everyone whose value is lockoutTime
greater than or equal to (UTC Now - blocking duration).
If you have multiple blocking policies with limited password size policies, this is not easy because you need to calculate it for each user.
If your domain is permanently blocked (for example, you must request an account unblocked), you can search for more than zero.
source to share