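/// <summary>
/// Prints every account in the selected domain whose <c>lockoutTime</c> still falls inside the
/// domain's lockout window, one console line per account ("{name} locked out at {time}").
/// </summary>
/// <remarks>
/// The name of every domain in the current forest is written to the console first; the search
/// itself runs against the domain that was enumerated last (the original behaviour, kept here),
/// so on a multi-domain forest that is not necessarily the caller's own domain.
/// When <c>DomainPolicy.LockoutDuration</c> is <see cref="System.TimeSpan.MaxValue"/> (accounts stay
/// locked until an administrator unlocks them) every account with a non-zero <c>lockoutTime</c>
/// is listed. Every directory handle opened here is disposed before the method returns.
/// </remarks>
/// <exception cref="System.InvalidOperationException">The forest enumerated no domains.</exception>
public void FindLockedAccounts()
{
    System.DirectoryServices.ActiveDirectory.DirectoryContext context = null;
    using (System.DirectoryServices.ActiveDirectory.Forest forest =
        System.DirectoryServices.ActiveDirectory.Forest.GetCurrentForest())
    {
        foreach (System.DirectoryServices.ActiveDirectory.Domain thisDomain in forest.Domains)
        {
            string domainName = thisDomain.Name;
            System.Console.WriteLine(domainName);
            // Each iteration overwrites the previous context, so the last domain wins (see <remarks>).
            context = new System.DirectoryServices.ActiveDirectory.DirectoryContext(
                System.DirectoryServices.ActiveDirectory.DirectoryContextType.Domain, domainName);
        }
    }

    if (context == null)
    {
        // Defensive only: a forest always has at least its root domain, but without this guard
        // Domain.GetDomain(null) would surface a less descriptive ArgumentNullException.
        throw new System.InvalidOperationException("No domain was found in the current forest.");
    }

    using (System.DirectoryServices.ActiveDirectory.Domain domain =
        System.DirectoryServices.ActiveDirectory.Domain.GetDomain(context))
    using (System.DirectoryServices.DirectoryEntry root = domain.GetDirectoryEntry())
    {
        DomainPolicy policy = new DomainPolicy(root);

        // Default filter for "locked indefinitely": any lockoutTime that is set at all
        // (a value of 0 is excluded by the >=1 bound).
        string qry = "(lockoutTime>=1)";
        System.TimeSpan duration = policy.LockoutDuration;
        if (duration != System.TimeSpan.MaxValue)
        {
            // lockoutTime is compared as a FILETIME (UTC). Computing the threshold from UtcNow and
            // converting with ToFileTimeUtc avoids the local-time subtraction, which could shift
            // the window by an hour across a DST transition.
            System.DateTime lockoutThreshold = System.DateTime.UtcNow.Subtract(duration);
            qry = string.Format(
                System.Globalization.CultureInfo.InvariantCulture,
                "(lockoutTime>={0})",
                lockoutThreshold.ToFileTimeUtc());
        }

        // DirectorySearcher and SearchResultCollection both hold native directory handles.
        using (System.DirectoryServices.DirectorySearcher ds =
            new System.DirectoryServices.DirectorySearcher(root, qry))
        using (System.DirectoryServices.SearchResultCollection src = ds.FindAll())
        {
            foreach (System.DirectoryServices.SearchResult sr in src)
            {
                // lockoutTime comes back as an Int64 FILETIME, converted the same way as the query bound.
                long ticks = (long)sr.Properties["lockoutTime"][0];
                System.Console.WriteLine("{0} locked out at {1}",
                    sr.Properties["name"][0],
                    System.DateTime.FromFileTime(ticks));
            }
        }
    }
}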
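/// <summary>
/// Reads the <c>maxPwdAge</c> attribute from the current domain's naming context and returns it
/// as a non-negative <see cref="TimeSpan"/>.
/// </summary>
/// <returns>
/// The maximum password age. <see cref="TimeSpan.MaxValue"/> is returned when the attribute holds
/// the "passwords never expire" sentinel (<see cref="long.MinValue"/>), whose absolute value cannot
/// be represented as a <see cref="TimeSpan"/>.
/// </returns>
/// <exception cref="InvalidOperationException">
/// The base-scope search returned no entry, or the entry has no <c>maxPwdAge</c> attribute.
/// (The original code fell through to <c>TimeSpan.MinValue.Duration()</c> in that case, which
/// always throws <see cref="OverflowException"/>.)
/// </exception>
private static TimeSpan GetMaxPasswordAge()
{
    using (System.DirectoryServices.ActiveDirectory.Domain d =
        System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain())
    using (DirectoryEntry domain = d.GetDirectoryEntry())
    // The searcher owns a native handle as well; dispose it with the entry.
    using (DirectorySearcher ds = new DirectorySearcher(domain, "(objectClass=*)", null, SearchScope.Base))
    {
        SearchResult sr = ds.FindOne();
        if (sr == null || !sr.Properties.Contains("maxPwdAge"))
        {
            throw new InvalidOperationException(
                "maxPwdAge is not readable on the current domain's naming context.");
        }

        // The directory stores the interval as a negative count of 100 ns ticks (hence Duration()
        // below); long.MinValue is the sentinel for "never expires".
        long rawTicks = (long)sr.Properties["maxPwdAge"][0];
        if (rawTicks == long.MinValue)
        {
            return TimeSpan.MaxValue;
        }

        return TimeSpan.FromTicks(rawTicks).Duration();
    }
}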