我们有一个内部Windows控制台应用程序,用于更新我们的Active Directory。这个应用程序已经成功运行了几年。
最近,我的任务是添加代码以禁用未在90天内登录系统的用户。
代码似乎工作正常,但每次应用程序运行时都会显示一些用户。
以下是搜索代码:
public SearchResultCollection SearchAD(string szSearchOU, string szSearchArg, string szObjectClass)
{
if (szSearchOU == "")
{
ds.SearchRoot = c_DirectoryEntry;
}
else
{
if (!szSearchOU.StartsWith("LDAP://"))
{
szSearchOU = "LDAP://" + szSearchOU;
}
ds.SearchRoot = new DirectoryEntry(szSearchOU);
}
string szFilter = "";
if (szObjectClass == "")
szFilter = "(objectClass=user)";
else
szFilter = "(objectClass=" + szObjectClass + ")";
if (szSearchArg != "")
{
if (szSearchArg.Substring(0, 3) != "CN=")
szSearchArg = "CN=" + szSearchArg;
szFilter = "(&" + szFilter + "(" + szSearchArg + "))";
}
else
ds.PageSize = 1001;
ds.Filter = szFilter;
SearchResultCollection results = ds.FindAll();
return results;
}
此方法在整个应用程序中使用,因此我可以肯定地确定它可以正常工作。
这是调用搜索并处理它的存根:
SearchResultCollection src = SearchADUsers(szOU, "");
clsDisableLog.WriteLog("Processing: " + src.Count.ToString());
foreach (SearchResult r in src)
{
DirectoryEntry deUser = r.GetDirectoryEntry();
if (c_Debug)
clsDisableLog.WriteLog("Processing: " + deUser.Name + " Path: " + deUser.Path.ToString());
PropertyCollection userAttribs = deUser.Properties;
int flags = (int)deUser.Properties["userAccountControl"].Value;
if (!Convert.ToBoolean((flags & UF_DISABLED) == UF_DISABLED))
{
bool bDisableAccount = false;
DateTime dLastLogon = GetLastLogon(deUser);
if (dLastLogon != DateTime.MinValue)
{
TimeSpan diff = DateTime.Now - dLastLogon;
int iDaysSince = diff.Days;
if (iDaysSince > iDays)
{
clsDisableLog.WriteLog("\t" + deUser.Name);
clsDisableLog.WriteLog("\t\t" + "Has not logged in for " + iDaysSince.ToString() + " days.");
clsDisableLog.WriteLog("\t\t" + "Last logon date: " + dLastLogon.ToLongDateString() + " " + dLastLogon.ToLongTimeString());
clsDisableLog.WriteLog("\t\t" + deUser.Path.ToString());
bDisableAccount = true;
}
}
else
{
clsDisableLog.WriteLog("\t" + deUser.Name);
clsDisableLog.WriteLog("\t\t" + "Has never logged into domain.");
clsDisableLog.WriteLog("\t\t" + "Created: " + deUser.Properties["whenCreated"].Value.ToString());
clsDisableLog.WriteLog("\t\t" + deUser.Path.ToString());
iAccountsNoLogin++;
}
if (bDisableAccount)
{
if (deUser.Path.Contains("UtilityAccounts"))
{
bDisableAccount = false;
clsDisableLog.WriteLog("\t\t" + "NOT Disabling Utility Account: " + deUser.Name);
}
else
{
if (UpdateUserFlag(deUser, UF_DISABLED, true))
{
clsDisableLog.WriteLog("\t\t" + "Disabled");
iAccountsDisabled++;
}
else
clsDisableLog.WriteLog("Error disabling " + deUser.Name);
if (deUser.Path.ToString().ToLower() != deInactiveOU.Path.ToLower())
{
if (MoveUser(deUser, deInactiveOU))
{
clsDisableLog.WriteLog("\t\t" + "Moved to: " + deInactiveOU.Name);
iAccountsMoved++;
}
else
clsDisableLog.WriteLog("Error moving " + deUser.Name + " to " + deInactiveOU.Name);
}
}
}
}
每次应用运行时都会处理大约14个帐户。
示例:
2/25/2014 12:56:27 PM: CN=XXXXXXXX
2/25/2014 12:56:27 PM: Has not logged in for 252 days.
2/25/2014 12:56:27 PM: Last logon date: Tuesday, June 18, 2013 10:14:45 AM
2/25/2014 12:56:27 PM: LDAP://CN=XXXXXXXX,OU=XXXX User Accounts,DC=XXXXXXXX,DC=LOCAL
2/25/2014 12:56:27 PM: Disabled
2/25/2014 12:56:27 PM: Moved to: OU=Inactive
应用运行后,此帐户IS IN OU =非活动且已禁用IS;但是,如果我重新运行应用程序,用户就会再次显示,就像这里一样!
有什么建议吗?
我已经设置了DS.CacheResults = false但是如果我这样做,那么循环根本就不会执行。
谢谢, 约翰
public bool UpdateUserFlag(DirectoryEntry deUser, int iFlag, Boolean bSet)
{
bool bReturn = false;
int flags = (int)deUser.Properties["userAccountControl"].Value;
try
{
if (bSet)
deUser.Properties["userAccountControl"].Value = flags ^ iFlag;
else
deUser.Properties["userAccountControl"].Value = flags & ~iFlag;
deUser.CommitChanges();
deUser.RefreshCache();
bReturn = true;
}
catch (Exception ex)
{
clsLog.WriteLog("Error updating user flag: " + deUser.Name);
clsLog.Write(ex.Message);
clsLog.WriteLog("");
}
return bReturn;
}
public bool MoveUser(DirectoryEntry deUser, DirectoryEntry deOU)
{
bool bReturn = false;
try
{
deUser.MoveTo(deOU);
deUser.CommitChanges();
deUser.RefreshCache();
bReturn = true;
}
catch (Exception ex)
{
clsLog.WriteLog("Error moving: " + deUser.Name.ToString() + " to: " + deOU.Path);
clsLog.WriteLog(ex.Message);
}
return bReturn;
}
public bool MoveUser(DirectoryEntry deUser, string szOU)
{
bool bReturn = false;
try
{
deUser.MoveTo(new DirectoryEntry(szOU));
deUser.CommitChanges();
deUser.RefreshCache();
bReturn = true;
}
catch (Exception ex)
{
clsLog.WriteLog("Error moving: " + deUser.Name.ToString() + " to: " + szOU);
clsLog.WriteLog(ex.Message);
}
return bReturn;
}
public DateTime GetLastLogon(DirectoryEntry deUser)
{
DateTime dtLL = DateTime.MinValue;
try
{
if (deUser.Properties["lastLogonTimeStamp"].Count != 0)
dtLL = GetDateTimeFromLargeInteger((IADsLargeInteger)deUser.Properties["lastLogonTimeStamp"][0]);
}
catch (Exception ex)
{
clsLog.WriteLog("Error Retrieving Last Logon Time Stamp for: " + deUser.Name.ToString());
clsLog.Write(ex.Message);
clsLog.WriteLog("");
}
return dtLL;
}
根据一个答案,我已经发布了存根中调用的方法的代码 - 尽管它们与问题无关,因为我已经确认它们在必要时起作用。帐户已禁用,并且它们将移至相关的OU。
问题不在于代码没有按预期执行 - 而是AD发现用户帐户未被禁用而不在OU中,即使我可以使用Active Directory用户和计算机进行确认。
约翰
答案 0 :(得分:0)
为什么这样?
if (!Convert.ToBoolean((flags & UF_DISABLED) == UF_DISABLED))
这已经是一个布尔值:
(flags & UF_DISABLED) == UF_DISABLED
除此之外,很难分辨,因为你所有的存根都是你没有发布代码的调用方法。
您可能遇到的另一个问题是lastlogin活动目录属性是特定于域控制器的事实,它不会被复制,因此您必须检查域中的每个域控制器以查看上次登录的内容日期是。