
How can we programmatically access the user state in active directory? Especially state such as active/away/lockedout etc. This is to build a web snapshot to view all logged in users and their individual state.

So far, I could search all users under a specific domain but no luck in finding their current state.

using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

class Program
{
    static void Main()
    {
        // "domain" is a placeholder for the target domain name
        using (var context = new PrincipalContext(ContextType.Domain, "domain"))
        {
            // Query-by-example: an unfiltered UserPrincipal matches every user object
            using (var searcher = new PrincipalSearcher(new UserPrincipal(context)))
            {
                foreach (var result in searcher.FindAll())
                {
                    // Drop down to the raw DirectoryEntry to read arbitrary LDAP attributes
                    DirectoryEntry de = result.GetUnderlyingObject() as DirectoryEntry;
                    Console.WriteLine("First Name: " + de.Properties["givenName"].Value);
                    Console.WriteLine("Last Name : " + de.Properties["sn"].Value);
                    Console.WriteLine("User principal name: " + de.Properties["userPrincipalName"].Value);
                }
            }
        }
    }
}
S.N
  • I have googled and found a decent link on AD at http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C. However, this doesn't talk about user state. – S.N Sep 16 '16 at 11:57
  • @rory.ap, I have included what I have done so far on it. Would you prefer to share any of your thoughts on it? – S.N Sep 16 '16 at 12:03

2 Answers

"Away" isn't something you're going to get out of Active Directory.

You can look at the following properties to get some of the info you want: userAccountControl is the main property you want to look at.

Using (userAccountControl:AND:=2) in your LDAP query will find disabled users.

Some other useful properties are:

  • lastLogon (for "active", you will have to determine what active means to you)
  • lockoutTime (lockoutTime > 0) means they're locked out.
  • accountExpires for expired users
hometoast
  • Thank you for the support. If 'Away' is not available then I am happy to be satisfied with Active. Active means whether or not the user logged into any node in the current domain/network. – S.N Sep 16 '16 at 13:35
  • Oh, in that case, you're not getting "logged in state" from AD. Not easily. I meant "Active" as in, the user isn't disabled, or locked in AD. – hometoast Sep 16 '16 at 16:14

You can collect logon\logoff user events from the Security log on each workstation and on domain controllers. By analyzing this information you can determine currently active users. Unfortunately, the solution will not work in an enterprise environment with thousands of workstations and hundreds of DCs. Also, sometimes logon\logoff events are missing from the Security log for some reason.

If you use the lastLogon\lastLogonTimestamp attributes, be aware that:

  • The lastLogon attribute does not replicate between domain controllers. It's the user's last logon time on the domain controller you are gathering the information from. To determine the last user logon, you have to collect the attribute from all DCs and select the max value.
  • lastLogonTimestamp replicates once in 9-14 days. lastLogonTimestamp will be 9-14 days behind the current date.
oldovets
  • Thank you for sharing. We are only looking at 200 VMs in one DC. I am not into operation and hence can't comment further. However, we are looking at a small scale. – S.N Sep 19 '16 at 09:20
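Putting both answers together, as an added example that is not code from the question or either answer: it enumerates the domain's users, derives disabled / locked out / expired from userAccountControl, lockoutTime and accountExpires, and takes the newest lastLogon across every DC because that attribute does not replicate. It assumes the running account can query each DC over LDAP and that the target domain is "example.local" (a placeholder).

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

// Added example (not code from the question or either answer); "example.local" is a placeholder domain.
static class UserStateSnapshot {
    const int UF_ACCOUNTDISABLE = 0x2;   // userAccountControl bit set on disabled accounts

    static void Main() {
        var domain = Domain.GetDomain(new DirectoryContext(DirectoryContextType.Domain, "example.local"));
        var dcNames = new List<string>();
        foreach (DomainController dc in domain.DomainControllers) dcNames.Add(dc.Name);

        string[] attrs = { "distinguishedName", "sAMAccountName", "userAccountControl", "lockoutTime", "accountExpires" };
        using (var root = new DirectoryEntry("LDAP://" + domain.Name))
        using (var searcher = new DirectorySearcher(root, "(&(objectCategory=person)(objectClass=user))", attrs)) {
            searcher.PageSize = 500;   // paged search, so domains with more than 1000 users are fully listed
            foreach (SearchResult r in searcher.FindAll()) {
                string dn = (string)r.Properties["distinguishedName"][0];
                int uac = (int)r.Properties["userAccountControl"][0];
                long lockout = r.Properties.Contains("lockoutTime") ? (long)r.Properties["lockoutTime"][0] : 0;
                long expires = r.Properties.Contains("accountExpires") ? (long)r.Properties["accountExpires"][0] : 0;
                bool disabled = (uac & UF_ACCOUNTDISABLE) != 0;
                bool lockedOut = lockout > 0;   // 0 or absent means not locked out (lockout duration policy not checked)
                // accountExpires of 0 or long.MaxValue means the account never expires
                bool expired = expires != 0 && expires != long.MaxValue && DateTime.FromFileTime(expires) < DateTime.Now;
                DateTime? lastLogon = NewestLastLogon(dn, dcNames);
                Console.WriteLine($"{r.Properties["sAMAccountName"][0],-20} disabled={disabled} lockedOut={lockedOut} " +
                                  $"expired={expired} lastLogon={(lastLogon.HasValue ? lastLogon.Value.ToString() : "never")}");
            }
        }
    }

    // lastLogon is not replicated, so read the user's value from every DC and keep the newest.
    static DateTime? NewestLastLogon(string dn, IEnumerable<string> dcNames) {
        long newest = 0;
        foreach (string dc in dcNames) {
            try {
                using (var entry = new DirectoryEntry("LDAP://" + dc + "/" + dn))
                using (var s = new DirectorySearcher(entry, "(objectClass=*)", new[] { "lastLogon" }, SearchScope.Base)) {
                    SearchResult r = s.FindOne();   // DirectorySearcher hands back the large integer as a long
                    if (r != null && r.Properties.Contains("lastLogon")) newest = Math.Max(newest, (long)r.Properties["lastLogon"][0]);
                }
            } catch (Exception) { }   // DC unreachable: skip it, the remaining DCs still contribute
        }
        return newest > 0 ? DateTime.FromFileTime(newest) : (DateTime?)null;
    }
}
```

Per-DC queries scale with the number of DCs times the number of users, so for the 200-VM, single-DC case in the comments the loop collapses to one lookup per user.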