How to: Enable or Disable User Accounts in Active Directory Domain Services

Visual Studio 2010

Updated: February 16, 2009

You can enable or disable a user account in Active Directory Domain Services (AD DS) by setting the appropriate constants in the userAccountControlattribute of the user account.

You can set these constants in the MapAttributesForExport method of the management agent rules extension. When the management agent is executed, the server calls the MapAttributesForExport method as part of the synchronization process.

UserAccountControl Constants

You can use the following constants with the userAccountControl attribute.

const long ADS_UF_SCRIPT = 0x0001;                          // The logon script will be executed.
const long ADS_UF_ACCOUNTDISABLE = 0x0002;                  // Disable user account.
const long ADS_UF_HOMEDIR_REQUIRED = 0x0008;                // Requires a root directory.
const long ADS_UF_LOCKOUT = 0x0010;                         // Account is locked out.
const long ADS_UF_PASSWD_NOTREQD = 0x0020;                  // No password is required.
const long ADS_UF_PASSWD_CANT_CHANGE = 0x0040;              // The user cannot change the password.
const long ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080; // Encrypted password allowed.
const long ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0x0100;          // Local user account.
const long ADS_UF_NORMAL_ACCOUNT = 0x0200;                  // Typical user account.

For more information about these user account control constants, ADS_USER_FLAG_ENUM.

noteNote:
You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For more information, and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.

The following examples show how to enable or disable a user account based on a metaverse entry.

void IMASynchronization.MapAttributesForExport(
    string FlowRuleName, 
    MVEntry mventry, 
    CSEntry csentry)
{
    const long ADS_UF_NORMAL_ACCOUNT = 0x200;
    const long ADS_UF_ACCOUNTDISABLE = 0x2;
    const string USER_ACCOUNT_CONTROL_PROP = "userAccountControl";

    switch(FlowRuleName)
    {
        case "userAccountControl":
            long currentValue = ADS_UF_NORMAL_ACCOUNT;
            if(csentry[USER_ACCOUNT_CONTROL_PROP].IsPresent)
            {
                currentValue = csentry[USER_ACCOUNT_CONTROL_PROP].IntegerValue;
            }

            switch(mventry["employeeStatus"].Value.ToLower())
            {
                case "active":
                    csentry[USER_ACCOUNT_CONTROL_PROP].IntegerValue = (currentValue | ADS_UF_NORMAL_ACCOUNT) 
                                                                      & ~ADS_UF_ACCOUNTDISABLE;
                    break;
                
                case "inactive":
                    csentry[USER_ACCOUNT_CONTROL_PROP].IntegerValue = currentValue 
                                                                      | ADS_UF_ACCOUNTDISABLE 
                                                                      | ADS_UF_PASSWD_NOTREQD;
                    break;
            }
            break;
    }
}

See Also

Community Additions

ADD
Show:
© 2014 Microsoft