c# - Why does UserPrincipal.Enabled return different values?

Reposted. Author: 可可西里. Updated: 2023-11-01 08:29:35

I am trying to determine whether a user account in AD is enabled. To do this I use the following code:

using System;
using System.Linq;
using System.DirectoryServices.AccountManagement;

string domain = "my domain";
string group = "my security group"; // with IdentityType.Guid below this must be the group's objectGUID string
string ou = "my OU";

//init context
using (var cnt = new PrincipalContext(ContextType.Domain, domain))
{
    //find the necessary security group
    using (GroupPrincipal mainGroup
        = GroupPrincipal.FindByIdentity(cnt, IdentityType.Guid, group))
    {
        if (mainGroup != null)
        {
            //get the group's members
            foreach (var user in mainGroup.GetMembers()
                                          .OfType<UserPrincipal>()
                                          .Where(u => u.DistinguishedName.Contains(ou)))
            {
                //ensure that all the info about the account is loaded
                //by using FindByIdentity as opposed to GetMembers
                using (var tmpUser = UserPrincipal.FindByIdentity(cnt, user.SamAccountName))
                {
                    //actually I could use the `user` variable,
                    //as it gave the same result as `tmpUser`.

                    //print the account info (Enabled is a bool?; .Value throws if HasValue is false)
                    Console.WriteLine(tmpUser.Name + "\t" +
                                      tmpUser.Enabled.HasValue + "\t" +
                                      tmpUser.Enabled.Value);
                }
            }
        }
    }
}

The problem is that when I run this code under an administrator account I get the correct results, but when I run it under an unprivileged account user.Enabled returns false for some accounts for which it should be true.

The only similar Q&As I managed to find are

  1. UserPrincipal.Enabled returns False for accounts that are in fact enabled?
  2. Everything in Active Directory via C#.NET 3.5 (Using System.DirectoryServices.AccountManagement)

which did not help here.

Why does this happen? What options do I have for getting this information under an unprivileged account?


Here is another approach, from How to determine if user account is enabled or disabled:

private bool IsActive(DirectoryEntry de)
{
    if (de.NativeGuid == null)
        return false;

    // userAccountControl is absent (Value == null) when the caller may not read it;
    // the original unguarded (int) cast throws a NullReferenceException in that case
    object value = de.Properties["userAccountControl"].Value;
    if (value == null)
        return false;

    int flags = (int)value;

    // 0x0002 is ADS_UF_ACCOUNTDISABLE: the account is active when the bit is clear
    return (flags & 0x0002) == 0;
}

The same approach is described in Active Directory Objects and C#.

However, when running under an unprivileged user account the userAccountControl property is null, and the state of the account cannot be determined.


The workaround here is to use the PrincipalContext constructor that takes the credentials of a user with sufficient rights to access AD.

It is still not clear to me why an unprivileged user can access AD yet cannot get the values of some specific account attributes. Presumably this has nothing to do with C# and should be configured in AD...
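The failure mode the question runs into is that an unreadable userAccountControl attribute is indistinguishable from a disabled account when the result is squeezed into a single bool. The following is an added example, not code from the question or either linked answer: it classifies the attribute into a three-state result so that "not returned to this caller" is reported as Unknown rather than as false, and it shows the credential-taking LDAP bind the question settles on as a workaround. The domain, account name and the optional user name and password are placeholders you supply; the pure Classify method can be exercised without a domain, which is what Main does with constructed flag values.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example; not part of the original question or answers.
enum AccountState { Enabled, Disabled, Unknown }

static class UacCheck
{
    // ADS_UF_ACCOUNTDISABLE bit of userAccountControl.
    const int AccountDisable = 0x0002;

    // Pure classification: 'uac' is whatever the directory returned for userAccountControl.
    // null means the attribute was not returned (e.g. the caller may not read it), which is
    // the case the original code collapsed into "disabled".
    public static AccountState Classify(object uac)
    {
        if (uac == null) return AccountState.Unknown;
        int flags = Convert.ToInt32(uac);
        return (flags & AccountDisable) != 0 ? AccountState.Disabled : AccountState.Enabled;
    }

    // Looks up one account by sAMAccountName with an LDAP search. When userName/password are
    // given, the bind uses those credentials (the workaround from the question); otherwise the
    // current process identity is used. Returns Unknown instead of false when the attribute is
    // missing from the result.
    public static AccountState Lookup(string domain, string samAccountName,
                                      string userName = null, string password = null)
    {
        // Assumed: 'domain' is a DNS domain name or DC host name reachable over LDAP.
        string path = "LDAP://" + domain;
        using (var root = userName == null
                              ? new DirectoryEntry(path)
                              : new DirectoryEntry(path, userName, password))
        using (var searcher = new DirectorySearcher(root))
        {
            // Escape the caller-supplied name so it cannot rewrite the filter.
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeLdapFilter(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("userAccountControl");

            SearchResult result = searcher.FindOne();
            if (result == null)
                throw new ArgumentException("No account named " + samAccountName);

            object uac = result.Properties.Contains("userAccountControl")
                             && result.Properties["userAccountControl"].Count > 0
                         ? result.Properties["userAccountControl"][0]
                         : null;
            return Classify(uac);
        }
    }

    // RFC 4515 escaping of the characters that are special inside an LDAP filter value.
    static string EscapeLdapFilter(string s)
    {
        var sb = new StringBuilder(s.Length);
        foreach (char c in s)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed inputs, no directory needed:
        // 0x200 = NORMAL_ACCOUNT, 0x202 = NORMAL_ACCOUNT | ACCOUNTDISABLE, null = attribute not returned.
        Console.WriteLine(Classify(0x200)); // Enabled
        Console.WriteLine(Classify(0x202)); // Disabled
        Console.WriteLine(Classify(null));  // Unknown

        // Live query, uncomment with real values:
        // Console.WriteLine(Lookup("example.com", "jdoe"));
        // Console.WriteLine(Lookup("example.com", "jdoe", "EXAMPLE\\svc-reader", "secret"));
    }
}
```

The point of the tri-state is operational: a monitoring or provisioning job that treats Unknown as "disabled" will silently mis-report accounts whenever it is run under an identity that has lost read access to the attribute, whereas surfacing Unknown makes the permission problem visible. Embedding a service account's password in code, as the second commented call does, should be avoided in practice; it is shown only because it is the workaround the question describes.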

Best answer

You need to delegate permissions in Active Directory to the account that will be performing the AD queries. This is something I had to do for my application to work (although we are performing other administrative tasks on user accounts).

Check Here for instructions on how to delegate permissions (or see the blockquote below).

You may refer to the following procedure to run the delegation:

  • Start the Delegation of Control wizard by performing the following steps:
    • Open Active Directory Users and Computers.
    • In the console tree, double-click the domain node.
    • In the details pane, right-click the organizational unit, click Delegate Control, and click Next.
  • Select the users or group to which you want to delegate common administrative tasks. To do so, perform the following steps:
    • On the Users or Groups page, click Add.
    • In Select Users, Computers, or Groups, type the names of the users and groups to which you want to delegate control of the organizational unit, click OK, and then click Next.
  • Assign common tasks to delegate. To do so, perform the following steps:
    • On the Tasks to Delegate page, click Delegate the following common tasks.
    • On the Tasks to Delegate page, select the tasks you want to delegate, and click OK. Click Finish.

For example: to delegate to an administrator the ability to move user/computer objects, you can use Advanced mode in Active Directory Users and Computers and run the delegation. The account should have write privilege in both OUs for the object being moved. For writing new values, the administrator's account should have delegated rights on the user account (full privilege in the specific OU as well).

Something else worth investigating is whether the account has the userAccountControl attribute at all. I have heard that accounts missing this attribute may not report correctly. In most cases this attribute should be set to NormalAccount.
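The wizard above grants broad "common tasks" to the delegated principal. For the query in the question, the only right actually needed is read access to userAccountControl on the user objects under the OU, and that narrow grant can be expressed as a single ACE. The following is an added example, not part of the answer or of any linked page: it builds that ACE with System.DirectoryServices, renders it as SDDL for review without touching a directory, and applies it to an OU only when asked. The OU path and the reader group's SID are placeholders; the two schemaIDGUIDs are the well-known values for the userAccountControl attribute and the user object class from the default AD schema.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example; not part of the original answer.
static class UacDelegation
{
    // schemaIDGUID of the userAccountControl attribute and of the user class (default AD schema).
    static readonly Guid UserAccountControlAttr = new Guid("bf967a68-0de6-11d0-a285-00aa003049e2");
    static readonly Guid UserClass             = new Guid("bf967aba-0de6-11d0-a285-00aa003049e2");

    // One ACE: allow 'reader' to read the userAccountControl property on descendant user
    // objects of the container the rule is attached to, and nothing else.
    public static ActiveDirectoryAccessRule ReadUacRule(SecurityIdentifier reader) =>
        new ActiveDirectoryAccessRule(
            reader,
            ActiveDirectoryRights.ReadProperty,
            AccessControlType.Allow,
            UserAccountControlAttr,                          // objectType: the property being read
            ActiveDirectorySecurityInheritance.Descendents,  // inherit-only, not on the OU itself
            UserClass);                                      // inheritedObjectType: user objects only

    // Offline preview: render the rule as SDDL so the ACE can be reviewed before it is applied.
    public static string PreviewSddl(SecurityIdentifier reader)
    {
        var sd = new ActiveDirectorySecurity();
        sd.AddAccessRule(ReadUacRule(reader));
        return sd.GetSecurityDescriptorSddlForm(AccessControlSections.Access);
    }

    // Apply the rule to the OU. This needs permission to modify the OU's security descriptor,
    // so it is run once by an administrator; afterwards the reader group no longer needs
    // admin credentials to see userAccountControl on accounts in that OU.
    public static void Apply(string ouLdapPath, SecurityIdentifier reader)
    {
        using (var ou = new DirectoryEntry(ouLdapPath))
        {
            ou.ObjectSecurity.AddAccessRule(ReadUacRule(reader));
            ou.CommitChanges();
        }
    }

    static void Main()
    {
        // Constructed SID for illustration: RID 513 (Domain Users) in a made-up domain.
        // In practice use the objectSid of the group that runs the query.
        var reader = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-513");
        Console.WriteLine(PreviewSddl(reader));

        // Uncomment with a real OU path to apply the ACE:
        // Apply("LDAP://OU=Service Accounts,DC=example,DC=com", reader);
    }
}
```

Granting only ReadProperty on one attribute, scoped to descendant user objects, is the least-privilege counterpart of the wizard's task bundles; if the query later needs more (for example accountExpires or pwdLastSet), add further object-specific ACEs rather than falling back to a full-control delegation or to running the job under administrator credentials.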

Regarding c# - Why does UserPrincipal.Enabled return different values?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/16555966/
