如何通过LDAP请求启用或禁用AD用户帐户? [英] How can I enable or disable an AD user account with an LDAP request?
问题描述
到目前为止,我已经能够在LDAP中找到用户,但是我不知道如何启用或禁用它们.
So far I was able to find users in LDAP but I don't know how can I enable or disable them.
作为第二个问题,如果我的帐户具有域管理员权限,是否可以通过LDAP启用或禁用帐户?
As a second question, if my account has Domain Admin rights, I will be able to enable or disable account from LDAP or not?
注意:这与在Windows 2003上运行的Microsoft Active Directory有关.
Note: This is about a Microsoft Active Directory running on Windows 2003.
我知道我可以通过以下方式查看有效使用:
I know that I can check active uses with:
(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))
禁用的用法:
(useraccountcontrol:1.2.840.113556.1.4.803:=2)
问题是我该如何设置该属性,使其不会丢失内部的其他二进制标志.
The question is how do I set the attribute in such way that it will not loose other binary flags inside.
推荐答案
您需要在此处使用一些逻辑.因此,要禁用用户,请设置禁用位(2).所以:
You need to use a bit of logic here. So to disable a user, you set the disable bit (2). So:
const long ADS_UF_ACCOUNTDISABLE = 0x00000002;
long userAccountControl = //currentUacValue
long newUserAccountControl = (userAccountControl | ADS_UF_ACCOUNTDISABLE);
要启用帐户,我们需要清除禁用位:
To enable an account, we need to clear the disable bit:
long userAccountControl = //currentUacValue
long newUserAccountControl = (userAccountControl & ~ADS_UF_ACCOUNTDISABLE)
这篇关于如何通过LDAP请求启用或禁用AD用户帐户?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!