How can I enable or disable an AD user account with an LDAP request?


Problem description

So far I was able to find users in LDAP, but I don't know how I can enable or disable them.

As a second question, if my account has Domain Admin rights, will I be able to enable or disable accounts from LDAP or not?

Note: This is about a Microsoft Active Directory running on Windows 2003.

I know that I can check active users with:

(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))

Disabled users:

(useraccountcontrol:1.2.840.113556.1.4.803:=2)

The question is how do I set the attribute in such a way that it will not lose other binary flags inside.

Recommended answer

You need to use a bit of logic here. So to disable a user, you set the disable bit (2). So:

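const long ADS_UF_ACCOUNTDISABLE = 0x00000002;
long userAccountControl = currentUacValue; // current userAccountControl value read from the directory
long newUserAccountControl = (userAccountControl | ADS_UF_ACCOUNTDISABLE); // set the disable bit, keep all other flags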

To enable an account, we need to clear the disable bit:

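long userAccountControl = currentUacValue; // current userAccountControl value read from the directory
long newUserAccountControl = (userAccountControl & ~ADS_UF_ACCOUNTDISABLE); // clear the disable bit, keep all other flags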
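
The read-modify-write described in the answer, as an added example that is not part of the original answer: it takes the userAccountControl value as LDAP returns it (a decimal string), flips only the disable bit, and emits an LDIF modify record. The DN and sample values are constructed, and the helper names are hypothetical.

```python
import base64

ADS_UF_ACCOUNTDISABLE = 0x00000002   # the disable bit from the answer

def parse_uac(raw):
    """LDAP returns userAccountControl as a decimal string (or bytes)."""
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")
    value = int(raw)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"userAccountControl out of range: {value}")
    return value

def with_disabled(uac, disabled):
    """Set or clear only the disable bit; every other flag is preserved."""
    if disabled:
        return uac | ADS_UF_ACCOUNTDISABLE
    return uac & ~ADS_UF_ACCOUNTDISABLE

def ldif_attr(name, value):
    """Emit 'name: value', base64-encoding values that are not LDIF-safe."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def uac_modify_ldif(dn, raw_uac, disabled):
    """Return an LDIF modify record, or None if the account is already in that state."""
    current = parse_uac(raw_uac)
    new = with_disabled(current, disabled)
    if new == current:
        return None          # nothing to write, so no needless directory change
    return "\n".join([
        ldif_attr("dn", dn),
        "changetype: modify",
        "replace: userAccountControl",
        f"userAccountControl: {new}",
        "-",
        "",
    ])

if __name__ == "__main__":
    # Constructed sample: 66048 = 0x10200, a normal account with a non-expiring password.
    print(uac_modify_ldif("CN=Jane Doe,OU=Staff,DC=example,DC=com", "66048", True))
```
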
