Checking whether an Active Directory user is enabled or disabled
Using this code I'm able to extract all AD users' information:
var ActiveDirectory = require('activedirectory');
var ad = new ActiveDirectory({
    url: 'ldap://domain.com',
    baseDN: 'dc=domain,dc=com',
    username: '[email protected]',
    password: 'password',
    attributes: {
        user: [ 'givenName', 'mail', 'mobile' ],
        // group: [ 'anotherCustomAttribute', 'objectCategory' ]
    }
});

ad.findUsers(function(err, users) {
    if (err) {
        console.log('ERROR: ' + JSON.stringify(err));
        return;
    }
    if ((! users) || (users.length == 0)) console.log('No users found.');
    else {
        console.log('findUsers: ' + JSON.stringify(users));
    }
});
I wanted to know if there is a way to find out which user is enabled or disabled. I know that there is an attribute called UserAccountControl whose value means:

    512 = Enabled
    514 = Disabled
    66048 = Enabled, password never expires
    66050 = Disabled, password never expires

but I found some users whose UserAccountControl value is different from these values.

I've also heard of ms-DS-User-Account-Disabled, but I can't find it in the attribute list of users. So, how can I know if a user is enabled or disabled?
The documentation of ms-DS-User-Account-Disabled indicates that it was only supported on ADAM (Active Directory Application Mode), but also the later AD LDS (Lightweight Directory Services), as indicated here.

Active Directory Domain Services (AD DS), which is likely what you have, uses userAccountControl. The userAccountControl attribute is a bit flag, meaning that each bit (0 or 1) in the binary value is a flag that means something (1 is on and 0 is off). The decimal representation of all those bits could be all kinds of values, as you've found. So ignore the decimal value.

The second bit is the flag for "disabled". If the second bit is 1, the account is disabled. That's what you want to find.

So get the value of the userAccountControl attribute, then use the bitwise AND operator (&) to determine if the second bit is set:

The parentheses in that are important, otherwise the order of operations isn't what you need.