4

So far I was able to find users in LDAP, but I don't know how I can enable or disable them.

As a second question, if my account has Domain Admin rights, will I be able to enable or disable accounts from LDAP or not?

Note: This is about a Microsoft Active Directory running on Windows 2003.

I know that I can check active users with:

(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))

Disabled users:

(useraccountcontrol:1.2.840.113556.1.4.803:=2)

The question is how I set the attribute in such a way that it will not lose the other binary flags inside it.

sorin

2 Answers

5

You need to use a bit of logic here. So to disable a user, you set the disable bit (2). So:

const long ADS_UF_ACCOUNTDISABLE = 0x00000002;
long userAccountControl = currentUacValue;  // the value currently stored in the user's userAccountControl attribute
long newUserAccountControl = userAccountControl | ADS_UF_ACCOUNTDISABLE;  // set bit 2, keep every other flag

To enable an account, we need to clear the disable bit:

long userAccountControl = currentUacValue;  // the value currently stored in the user's userAccountControl attribute
long newUserAccountControl = userAccountControl & ~ADS_UF_ACCOUNTDISABLE;  // clear bit 2, keep every other flag
Brian Desmond
0

If you're on Linux using ldapsearch and ldapmodify, and you don't know C deeply enough to understand the above answer, you can also just subtract 2 from the current value.

id="accountname"   # sAMAccountName of the user to enable ("$id=..." is not an assignment in sh)
USERCN=$(ldapsearch -LLL "sAMAccountName=$id" cn 2>/dev/null | grep '^cn: ' | sed 's/^cn: //')
USERDN="CN=${USERCN},CN=Users,DC=example,DC=com"   # adjust the container and domain to your directory

uac=$(ldapsearch -LLL "sAMAccountName=$id" userAccountControl 2>/dev/null | grep '^userAccountControl: ' | awk '{print $2}')

# Subtract 2 only if the ACCOUNTDISABLE bit (value 2) is actually set;
# subtracting from an already-enabled value would corrupt the other flags.
if [ $((uac & 2)) -ne 0 ]; then
    uac=$((uac - 2))
fi
echo "dn: $USERDN
changetype: modify
replace: userAccountControl
userAccountControl: $uac" | ldapmodify -Q

Granted, we're using Kerberos here to authenticate to AD.

jmp242
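As an added example (mine, not code from either answer), the bit logic from the first answer and the LDIF the second answer pipes into ldapmodify, written in Python so the two enable methods can be compared on a constructed value. The flag constants are the documented Active Directory userAccountControl values; the DN and the account's starting value are made up for the demonstration.

```python
# Enable/disable an AD account by touching only the ACCOUNTDISABLE bit of
# userAccountControl, and show why "subtract 2" is only safe when that bit is set.

# Well-known userAccountControl flag values (documented AD constants)
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000


def is_disabled(uac: int) -> bool:
    """Same test as the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=2)."""
    return bool(uac & ADS_UF_ACCOUNTDISABLE)


def disable(uac: int) -> int:
    """Set the disable bit; every other flag is preserved."""
    return uac | ADS_UF_ACCOUNTDISABLE


def enable(uac: int) -> int:
    """Clear the disable bit; other flags are preserved and the call is idempotent."""
    return uac & ~ADS_UF_ACCOUNTDISABLE


def enable_by_subtracting(uac: int) -> int:
    """The shortcut from the shell answer: only correct when the bit is actually set."""
    return uac - 2


def modify_ldif(dn: str, new_uac: int) -> str:
    """LDIF for ldapmodify, in the same shape the shell answer builds with echo."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userAccountControl\n"
        f"userAccountControl: {new_uac}\n"
    )


if __name__ == "__main__":
    # Constructed sample: normal account, non-expiring password, currently disabled (0x10202 = 66050)
    current = ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD | ADS_UF_ACCOUNTDISABLE
    print(modify_ldif("CN=Example User,CN=Users,DC=example,DC=com", enable(current)))
    # Subtracting 2 from the already-enabled value 0x10200 yields 0x101FE: the account
    # reads as disabled again and unrelated flags such as PASSWD_NOTREQD are now set.
    print(hex(enable_by_subtracting(enable(current))))
```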