UserPrincipal AccountLockoutTime始终为空

Question

我正在访问Active Directory中用户对象的各种属性。我有我写的下面的方法。

它适用于除AccountLockoutTime之外的所有属性，它总是返回空值。

public IEnumerable<ActiveDirectoryAccount> GetUserAccounts(string samAccountName)
{
    PrincipalContext pricipalContext = new PrincipalContext(ContextType.Domain, "domainname.co.za:3268");
    UserPrincipal userPrincipal = new UserPrincipal(pricipalContext);

    userPrincipal.SamAccountName = "*" + samAccountName + "*";

    PrincipalSearcher principalSearcher = new PrincipalSearcher(userPrincipal);

    ICollection<ActiveDirectoryAccount> result = new List<ActiveDirectoryAccount>();

    foreach (UserPrincipal userSearchResult in principalSearcher.FindAll())
    {
        ActiveDirectoryAccount account = new ActiveDirectoryAccount()
        {
            AccountLockedOut = userSearchResult.IsAccountLockedOut(),
            DistinguishedName = userSearchResult.DistinguishedName,
            Description = userSearchResult.Description,
            Enabled = userSearchResult.Enabled,
            GUID = userSearchResult.Guid,
            LastLogon = userSearchResult.LastLogon,
            LastPasswordSet = userSearchResult.LastPasswordSet,
            // The below line always comes back as null
            LockoutTime = userSearchResult.AccountLockoutTime,
            PasswordNeverExpires = userSearchResult.PasswordNeverExpires,
            SAMAccountName = userSearchResult.SamAccountName,
            SmartcardLogonRequired = userSearchResult.SmartcardLogonRequired,
            UserCannotChangePassword = userSearchResult.UserCannotChangePassword,
            UserPrincipalName = userSearchResult.UserPrincipalName
        };

        if (userSearchResult.GetUnderlyingObjectType() == typeof(DirectoryEntry))
        {
            using (DirectoryEntry entry = (DirectoryEntry)userSearchResult.GetUnderlyingObject())
            {
                account.WhenChanged = (DateTime)entry.Properties["whenChanged"].Value;
                account.WhenCreated = (DateTime)entry.Properties["whenCreated"].Value;

                // Tried the below to get the data as well but no luck. 
                if (userSearchResult.IsAccountLockedOut())
                {
                    if (entry.Properties["lockoutTime"].Value != null)
                    {
                        account.Test = (string)entry.Properties["lockoutTime"].Value;
                    }
                }
            }
        }

        result.Add(account);
    }

    principalSearcher.Dispose();
    return result.ToList();
}

我已经锁定了一个帐户，以检查上面的代码是否可以读取IsAccountLockedOut。它可以并且返回true。对于userSearchResult.AccountLockoutTime或(string)entry.Properties["lockoutTime"].Value;，它始终返回null

我已经检查了Active Directory中的lockoutTime属性，当我锁定该帐户时，该属性将为该用户帐户填充。

你知道哪里出了问题吗？

提前谢谢。:)

克里斯

Answer 1

通过entry.Properties["lockoutTime"].Value获取时，lockoutTime属性是支持IADsLargeInteger接口的COM对象。

你可以使用下面的代码来获取它的值：

[ComImport,
InterfaceType(ComInterfaceType.InterfaceIsIDispatch),
Guid("9068270B-0939-11D1-8BE1-00C04FD8D503")]
public interface IADsLargeInteger
{
    int HighPart{get;set;}
    int LowPart{get;set;}
}

private DateTime? GetLockoutTime(DirectoryEntry de)
{
    DateTime? ret = null;

    IADsLargeInteger largeInt = de.Properties["lockoutTime"].Value as IADsLargeInteger;

    if (largeInt != null)
    {
        long ticks = (long)largeInt.HighPart << 32 | largeInt.LowPart;

        // 0 means not lockout
        if (ticks != 0)
        {
            ret = DateTime.FromFileTimeUtc(ticks.Value);
        }
    }

    return ret;
}

请注意，lockoutTime的值是帐户被锁定的时间，而不是“锁定到”时间。