How to find Windows disabled and locked accounts in Active Directory in C++
Question
I am working on a C++ project and wanted to find a way to find disabled/locked accounts in the Active Directory. I have found the below C++ APIs but am not sure whether they would solve my purpose or whether there are some other APIs:
https://docs.microsoft.com/en-us/windows/win32/api/lmaccess/nf-lmaccess-netuserenum
https://docs.microsoft.com/en-us/windows/win32/api/lmaccess/nf-lmaccess-netusergetinfo
Also, for reasons outside my control, I have to use C++ only and not other things like PowerShell scripts etc.
Recommended answer
There are C++ examples of how to do this here: Searching with the IDirectorySearch Interface
When you get to the step where you call ExecuteSearch, the LDAP query you want to use would be:
(&(objectCategory=person)(objectClass=user)(|(userAccountControl:1.2.840.113556.1.4.803:=2)(lockoutTime>=1)))
That query looks for only user accounts where either:
- The second bit of the userAccountControl attribute is set, meaning it's disabled (that weird number is the LDAP_MATCHING_RULE_BIT_AND operator as described here, which is just a bitwise AND), or
- The lockoutTime attribute is 1 or more, meaning it's locked.
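The search described in the answer, as an added example that is not part of the original post: it passes the filter to IDirectorySearch::ExecuteSearch and labels each returned row as disabled, locked or both. The base path LDAP://DC=example,DC=com and the names kFilter, account_state and list_accounts are assumptions; the directory calls build only on Windows.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
// The filter from the answer, as the writable wide string ExecuteSearch expects.
wchar_t kFilter[] =
    L"(&(objectCategory=person)(objectClass=user)"
    L"(|(userAccountControl:1.2.840.113556.1.4.803:=2)(lockoutTime>=1)))";
// Client-side mirror of the filter's two OR branches for one returned row.
const char* account_state(uint32_t uac, int64_t lockoutTime) {
    bool disabled = (uac & 0x2) != 0;  // the bit the :803:=2 clause tests
    bool locked = lockoutTime >= 1;    // nonzero timestamp of the lockout
    if (disabled) return locked ? "disabled+locked" : "disabled";
    return locked ? "locked" : "neither";
}

#ifdef _WIN32
#include <windows.h>
#include <activeds.h>  // link with Activeds.lib and Adsiid.lib
HRESULT list_accounts(const wchar_t* basePath) {
    IDirectorySearch* s = nullptr;
    HRESULT hr = ADsGetObject(basePath, IID_IDirectorySearch, (void**)&s);
    if (FAILED(hr)) return hr;
    ADS_SEARCHPREF_INFO pref = {};  // no page size set: the server's result size limit applies
    pref.dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;
    pref.vValue.dwType = ADSTYPE_INTEGER;
    pref.vValue.Integer = ADS_SCOPE_SUBTREE;
    s->SetSearchPreference(&pref, 1);
    wchar_t a0[] = L"sAMAccountName", a1[] = L"userAccountControl", a2[] = L"lockoutTime";
    LPWSTR attrs[] = {a0, a1, a2};
    ADS_SEARCH_HANDLE h = nullptr;
    hr = s->ExecuteSearch(kFilter, attrs, 3, &h);
    while (SUCCEEDED(hr) && s->GetNextRow(h) == S_OK) {
        ADS_SEARCH_COLUMN c;
        std::wstring name; uint32_t uac = 0; int64_t lock = 0;  // lockoutTime may be unset
        if (SUCCEEDED(s->GetColumn(h, a0, &c))) { name = c.pADsValues->CaseIgnoreString; s->FreeColumn(&c); }
        if (SUCCEEDED(s->GetColumn(h, a1, &c))) { uac = c.pADsValues->Integer; s->FreeColumn(&c); }
        if (SUCCEEDED(s->GetColumn(h, a2, &c))) { lock = c.pADsValues->LargeInteger.QuadPart; s->FreeColumn(&c); }
        printf("%ls: %s\n", name.c_str(), account_state(uac, lock));
    }
    if (h) s->CloseSearchHandle(h);
    s->Release();
    return hr;
}
int main() {
    CoInitialize(nullptr);  // ADSI is COM-based
    HRESULT hr = list_accounts(L"LDAP://DC=example,DC=com");  // placeholder base path
    CoUninitialize();
    return FAILED(hr);
}
#endif
```

lockoutTime can remain nonzero after the lockout duration has passed, so compare it with the domain's lockoutDuration when the current lock state matters.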