Programmatically locking an Active Directory account

2023-09-08 12:36:39 Author: 抓住月亮

I have to lock user accounts in Active Directory programmatically in C#.

Unfortunately it doesn't work via the userAccountControl attribute. Every time I set userAccountControl to 528 (=normal account w/ lockout flag), Active Directory won't accept the value and resets it without further notice to 512 (=normal account).

Now I tried to lock the account by providing incorrect credentials (see below), but this doesn't work either.

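int retries = 0;
while (!adsUser.IsAccountLocked && retries < MAX_LOCK_RETRIES)
{
    retries++;

    try
    {
        // Bind with a deliberately wrong password so the directory records a failed logon.
        new DirectoryEntry(userPath, logonName, incorrectPassword).RefreshCache();
    }
    catch (Exception)
    {
        /* ... */
    }
    // Reload the user object so IsAccountLocked reflects the current state.
    adsUser.GetInfo();
}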

Any ideas?

Recommended answer

Make sure the account you're using to disable the account has sufficient privileges to disable accounts. See this example from Microsoft.
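One way to do what the answer suggests (disable rather than lock), as an added example that is not from the original post or from Microsoft's sample: it sets the ACCOUNTDISABLE bit (2) instead of the LOCKOUT bit (16) that the question reports being reset, then reads the attribute back so a silently dropped write is caught. The class and method names are hypothetical, and userPath is assumed to be the LDAP path of the user, bound with the caller's own credentials.

```csharp
using System;
using System.DirectoryServices;

static class AccountContainment   // hypothetical name, for illustration only
{
    // userAccountControl bits used on this page: 512 = normal account, 16 = lockout.
    const int UF_ACCOUNTDISABLE = 0x0002;  // 2: the bit an administrator writes
    const int UF_LOCKOUT        = 0x0010;  // 16: the bit the question saw reset
    const int UF_NORMAL_ACCOUNT = 0x0200;  // 512

    // 512 -> 514; a stray LOCKOUT bit is never written (528 -> 514).
    public static int WithDisable(int uac) => (uac | UF_ACCOUNTDISABLE) & ~UF_LOCKOUT;

    public static void Disable(string userPath)
    {
        using (var user = new DirectoryEntry(userPath))
        {
            int before = (int)user.Properties["userAccountControl"].Value;
            user.Properties["userAccountControl"].Value = WithDisable(before);

            // Throws if the calling account lacks write access to the user object,
            // which is the privilege problem the answer points at.
            user.CommitChanges();

            // Re-read from the directory instead of trusting the local cache:
            // the question shows that a rejected value can be replaced silently.
            user.RefreshCache(new[] { "userAccountControl" });
            int after = (int)user.Properties["userAccountControl"].Value;
            if ((after & UF_ACCOUNTDISABLE) == 0)
            {
                throw new InvalidOperationException(
                    $"userAccountControl is {after}; the disable bit was not stored.");
            }
        }
    }
}
```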