Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

userAccountControl is null

Last post 05-16-2008, 12:25 AM by dunnry. 4 replies.
  •  05-08-2008, 7:38 PM 3507

    userAccountControl is null

    Hi, earlier a user account, for example "userA", was locked out and our admin unlocked it. After the unlock, when my program gets the value of userAccountControl, for example user.Properties["userAccountControl"].Value, it is now null; it was not null before the account was unlocked.

    Please note that when I search for userA, I search by sAMAccountName but use another user, for example "userB", to search for the information/attributes of userA. As I mentioned above, it worked for many months until the unlock. Just to give you additional info, not sure if this will help: both userA's and userB's passwords do not expire.

    I am looking for the value of userAccountControl to see if userA's password is expiring so that I can inform him/her that his/her password is expiring in a certain number of days.

    Is there anything I should look to fix this problem?

    Thanks.

  •  05-09-2008, 9:28 AM 3511 in reply to 3507

    Re: userAccountControl is null

    userAccountControl cannot be null on a valid user object.  Can you check the objectClass of the object you accessed and verify that it is a user?  It could potentially be a permissions problem, but that is less likely.

    Also, userAccountControl won't tell you if a user's password is expiring.  You need to look at pwdLastSet and the password policy that is in effect for the user (probably the domain policy unless you are using Windows Server 2008 AD already).

    Check ch 10 of the book for a good treatment on pwd expiration.

  •  05-09-2008, 1:36 PM 3523 in reply to 3511

    Re: userAccountControl is null

    Thanks Joe for the reply. To answer your question: yes, UserA is a valid user. As I mentioned earlier, it was working for many months until the admin unlocked the ID.

    I am using user.Properties["userAccountControl"][0] to get the expiration based on the logic below (I got it from Chapter 10 of the book):

            public DateTime GetExpiration(DirectoryEntry user)
            {
                int flags =
                    (int)user.Properties["userAccountControl"][0];

                //check to see if passwords expire
                if (Convert.ToBoolean(flags & UF_DONT_EXPIRE_PASSWD))
                {
                    //the user's password will never expire
                    return DateTime.MaxValue;

    As I mentioned earlier, I am using UserB to get the information of UserA. The strange thing is, if I use the UserA account to get UserA's info, I have no problem.

    Here is how I use it:
                DirectoryEntry root = new DirectoryEntry("LDAP://dc=ourdomain,dc=com", "UserB", "myPassword", AuthenticationTypes.Secure);
                //point this to a user in the directory
                DirectoryEntry user = null;
                DirectorySearcher search = new DirectorySearcher(root);
                search.Filter = "(sAMAccountName=" + "UserA" + ")";

    Thanks Again.

  •  05-09-2008, 2:23 PM 3524 in reply to 3523

    Re: userAccountControl is null

    I see what you are saying.  I thought you were trying to find out the password expiration date when in fact you are just trying to find out if the password expires or not.  If I had it to write that function again, I'd probably return a nullable date time and return a null value instead of DateTime.MaxValue.  We wrote that code before .NET 2.0 came out and didn't get a chance to revise it (.NET 2.0 was coming out at the same time we wrote the book), so nullable value types appeared while we were in process.  :)

    In your case here, it may be that userB doesn't have permissions to read userAccountControl on userA, but userA can read their own.  I'd verify that you see the same behavior using ldp.exe to make sure that there is nothing else weird going on.  Normally, all users can read attributes like userAccountControl on other user objects, but this could have been taken away.

    If this is true, you may need to make sure you get a service account that has the read privileges you need for your app.
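
    The replies above raise two points: userAccountControl may simply not be returned when the binding account cannot read it, and the expiry date comes from pwdLastSet plus the password policy. The sketch below is an added example, not code from the book or from anyone in this thread, that handles both. `PwdState`, `Evaluate` and the positive-`TimeSpan` `maxPwdAge` parameter are names and conventions assumed here, and the inputs in `Main` are constructed so it runs without a domain controller.

```csharp
using System;

public enum PwdState { Unknown, NeverExpires, MustChangeAtNextLogon, Expires }

public static class PasswordExpiry
{
    const int UF_DONT_EXPIRE_PASSWD = 0x10000; // ADS_UF_DONT_EXPIRE_PASSWD

    // uac:        userAccountControl value, or null when the attribute was not
    //             returned (for example, the binding account cannot read it).
    // pwdLastSet: FILETIME value as an Int64 (the form a SearchResult returns),
    //             or null when not returned.
    // maxPwdAge:  assumed convention: policy maximum age as a positive TimeSpan,
    //             TimeSpan.Zero meaning the policy never expires passwords.
    public static PwdState Evaluate(object uac, object pwdLastSet,
                                    TimeSpan maxPwdAge, out DateTime expiresUtc)
    {
        expiresUtc = DateTime.MaxValue;
        if (uac == null || pwdLastSet == null)
            return PwdState.Unknown;   // report the read failure, do not guess

        int flags = Convert.ToInt32(uac);
        if ((flags & UF_DONT_EXPIRE_PASSWD) != 0 || maxPwdAge == TimeSpan.Zero)
            return PwdState.NeverExpires;

        long lastSet = Convert.ToInt64(pwdLastSet);
        if (lastSet == 0)
            return PwdState.MustChangeAtNextLogon;

        expiresUtc = DateTime.FromFileTimeUtc(lastSet).Add(maxPwdAge);
        return PwdState.Expires;
    }

    public static void Main()
    {
        TimeSpan policy = TimeSpan.FromDays(42);   // constructed policy value
        long set = new DateTime(2008, 5, 1, 0, 0, 0, DateTimeKind.Utc).ToFileTimeUtc();
        DateTime expires;

        // Constructed inputs: normal account, non-expiring account,
        // and an account whose userAccountControl could not be read.
        PwdState s = Evaluate(0x200, set, policy, out expires);
        Console.WriteLine(s + " " + expires.ToString("u"));
        Console.WriteLine(Evaluate(0x10200, set, policy, out expires));
        Console.WriteLine(Evaluate(null, set, policy, out expires));
    }
}
```

    Returning `Unknown` for a missing attribute keeps an access-control problem visible to the caller instead of turning it into an exception or a wrong expiry date.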

  •  05-16-2008, 12:25 AM 3575 in reply to 3524

    Re: userAccountControl is null

    Chiming in late here... but I am confused as to what the issue was.  Where did null come into it?  The output of the sample code in Chapter 10 was DateTime.MinValue, MaxValue, or the actual value.  Where does null get into this?


    Ryan Dunn
    Extemporaneous Mumblings
    The .NET Developer's Guide to Directory Services Programming