Example: Enabling or Disabling a User Account in Active Directory

You can enable or disable a user account in Active Directory by setting the appropriate constants in the userAccountControl attribute of the user account.

You can set these constants in the IMASynchronization.MapAttributesForExport method of the management agent rules extension. When the management agent is executed, the server calls the MapAttributesForExport method as part of the synchronization process.

UserAccountControl Constants

You can use the following constants with the userAccountControl attribute (shown first in Visual Basic, then in C#).

    ' userAccountControl bit flags (ADS_USER_FLAG_ENUM). Combine a flag with
    ' the current value using Or to set it and And Not to clear it, so that
    ' bits owned by other processes are preserved.
    Const ADS_UF_SCRIPT = &H1                             ' The logon script will be executed
    Const ADS_UF_ACCOUNTDISABLE = &H2                     ' Disable user account
    Const ADS_UF_HOMEDIR_REQUIRED = &H8                   ' Requires a root directory
    Const ADS_UF_LOCKOUT = &H10                           ' Account is locked out
    Const ADS_UF_PASSWD_NOTREQD = &H20                    ' No password is required (weakens the account; avoid setting it)
    Const ADS_UF_PASSWD_CANT_CHANGE = &H40                ' The user cannot change the password (cannot be set through this attribute; see note below)
    Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H80   ' Encrypted password allowed
    Const ADS_UF_TEMP_DUPLICATE_ACCOUNT = &H100           ' Local user account
    Const ADS_UF_NORMAL_ACCOUNT = &H200                   ' Typical user account
    // userAccountControl bit flags (ADS_USER_FLAG_ENUM). Combine a flag with
    // the current value using | to set it and & ~ to clear it, so that
    // bits owned by other processes are preserved.
    const long ADS_UF_SCRIPT = 0x0001;                          // The logon script will be executed
    const long ADS_UF_ACCOUNTDISABLE = 0x0002;                  // Disable user account
    const long ADS_UF_HOMEDIR_REQUIRED = 0x0008;                // Requires a root directory
    const long ADS_UF_LOCKOUT = 0x0010;                         // Account is locked out
    const long ADS_UF_PASSWD_NOTREQD = 0x0020;                  // No password is required (weakens the account; avoid setting it)
    const long ADS_UF_PASSWD_CANT_CHANGE = 0x0040;              // The user cannot change the password (cannot be set through this attribute; see note below)
    const long ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080; // Encrypted password allowed
    const long ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0x0100;          // Local user account
    const long ADS_UF_NORMAL_ACCOUNT = 0x0200;                  // Typical user account

For more information about these user account control constants, go to https://msdn.microsoft.com/library and, in the left pane, search for the topic ADS_USER_FLAG_ENUM.

Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the userAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.

The following example shows how to enable or disable a user account based on a metaverse entry (shown first in Visual Basic, then in C#):

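    ''' <summary>
    ''' Enables or disables the connector-space user account when the
    ''' "userAccountControl" export flow rule runs, driven by the metaverse
    ''' employeeStatus value ("active" or "inactive"). Other flow rules are ignored.
    ''' </summary>
    ''' <param name="FlowRuleName">Name of the export flow rule being evaluated.</param>
    ''' <param name="mventry">Metaverse entry that supplies employeeStatus.</param>
    ''' <param name="csentry">Connector-space entry whose userAccountControl is updated.</param>
    Public Sub MapAttributesForExport( _
           ByVal FlowRuleName As String, _
           ByVal mventry As MVEntry, _
           ByVal csentry As CSEntry) _
           Implements IMASynchronization.MapAttributesForExport
        ' userAccountControl bit flags (ADS_USER_FLAG_ENUM); PASSWD_NOTREQD is
        ' declared here because the original example used it without defining it.
        Const ADS_UF_ACCOUNTDISABLE = &H2
        Const ADS_UF_PASSWD_NOTREQD = &H20
        Const ADS_UF_NORMAL_ACCOUNT = &H200

        Select Case FlowRuleName
           Case "userAccountControl"
              ' Start from the existing flags so bits owned by other processes
              ' survive; a brand-new account gets the NORMAL_ACCOUNT baseline.
              Dim currentValue As Long = ADS_UF_NORMAL_ACCOUNT
              If csentry("useraccountcontrol").IsPresent Then
                 currentValue = csentry("useraccountcontrol").IntegerValue
              End If

              ' A missing employeeStatus leaves the flags untouched instead of
              ' reading a value that is not present.
              If mventry("employeeStatus").IsPresent Then
                 Select Case mventry("employeeStatus").Value
                    Case "active"
                       ' Clear ACCOUNTDISABLE and PASSWD_NOTREQD together, so a
                       ' re-enabled account cannot log on with a blank password.
                       csentry("useraccountcontrol").IntegerValue = _
                           (currentValue Or ADS_UF_NORMAL_ACCOUNT) _
                           And (Not ADS_UF_ACCOUNTDISABLE) _
                           And (Not ADS_UF_PASSWD_NOTREQD)
                    Case "inactive"
                       ' Setting the disable bit is sufficient. PASSWD_NOTREQD is
                       ' not needed to disable an account and would weaken it if
                       ' another tool later re-enabled it without clearing the flag.
                       csentry("useraccountcontrol").IntegerValue = _
                           currentValue Or ADS_UF_ACCOUNTDISABLE
                 End Select
              End If
        End Select
    End Sub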
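    /// <summary>
    /// Enables or disables the connector-space user account when the
    /// "userAccountControl" export flow rule runs, driven by the metaverse
    /// employeeStatus value ("active" or "inactive", compared case-insensitively).
    /// Other flow rules are ignored.
    /// </summary>
    /// <param name="FlowRuleName">Name of the export flow rule being evaluated.</param>
    /// <param name="mventry">Metaverse entry that supplies <c>employeeStatus</c>.</param>
    /// <param name="csentry">Connector-space entry whose <c>userAccountControl</c> is updated.</param>
    void IMASynchronization.MapAttributesForExport(
        string FlowRuleName, 
        MVEntry mventry, 
        CSEntry csentry)
    {
        // userAccountControl bit flags (ADS_USER_FLAG_ENUM); PASSWD_NOTREQD is
        // declared here because the original example used it without defining it.
        const long ADS_UF_ACCOUNTDISABLE = 0x2;
        const long ADS_UF_PASSWD_NOTREQD = 0x20;
        const long ADS_UF_NORMAL_ACCOUNT = 0x200;
        const string USER_ACCOUNT_CONTROL_PROP = "userAccountControl";

        // The flow rule name matches the attribute name; nothing else is handled here.
        if (FlowRuleName != USER_ACCOUNT_CONTROL_PROP)
        {
            return;
        }

        // Start from the existing flags so bits owned by other processes
        // survive; a brand-new account gets the NORMAL_ACCOUNT baseline.
        long currentValue = ADS_UF_NORMAL_ACCOUNT;
        if (csentry[USER_ACCOUNT_CONTROL_PROP].IsPresent)
        {
            currentValue = csentry[USER_ACCOUNT_CONTROL_PROP].IntegerValue;
        }

        // A missing employeeStatus leaves the flags untouched instead of
        // reading a value that is not present.
        if (!mventry["employeeStatus"].IsPresent)
        {
            return;
        }

        // Invariant lower-casing: the status is a machine value, not UI text,
        // so culture-specific casing rules must not change the comparison.
        switch (mventry["employeeStatus"].Value.ToLowerInvariant())
        {
            case "active":
                // Clear ACCOUNTDISABLE and PASSWD_NOTREQD together, so a
                // re-enabled account cannot log on with a blank password.
                csentry[USER_ACCOUNT_CONTROL_PROP].IntegerValue =
                    (currentValue | ADS_UF_NORMAL_ACCOUNT)
                    & ~ADS_UF_ACCOUNTDISABLE
                    & ~ADS_UF_PASSWD_NOTREQD;
                break;

            case "inactive":
                // Setting the disable bit is sufficient. PASSWD_NOTREQD is not
                // needed to disable an account and would weaken it if another
                // tool later re-enabled it without clearing the flag.
                csentry[USER_ACCOUNT_CONTROL_PROP].IntegerValue =
                    currentValue | ADS_UF_ACCOUNTDISABLE;
                break;
        }
    }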

