Check if a UserPrincipal is enabled

I'm using C# code to query an Active Directory. The main issue I'm having is determining whether an account has been disabled or not. Looking through many online articles, it would appear that one cannot solely rely on the property UserPrincipal.Enabled to determine if a user account is enabled or not. Fair enough, as it's a nullable Boolean, but when an AD administrator disables an account, this does appear to get set to false. The problem I have is when I query a client's AD, I find that most user accounts' UserPrincipal objects return false for this property. So when I use this code to check if an account is disabled:

private bool IsUserEnabled(UserPrincipal userPrincipal)
{
    bool isEnabled = true;

    if (userPrincipal.AccountExpirationDate != null)
    {
        // Check the expiration date has not passed.
        if (userPrincipal.AccountExpirationDate <= DateTime.Now)
        {
            Log.DebugFormat("User {0} account has expired on {1}", userPrincipal.DisplayName, userPrincipal.AccountExpirationDate.Value);
            isEnabled = false;
        }
    }

    if (userPrincipal.IsAccountLockedOut())
    {
        isEnabled = false;
        Log.DebugFormat("User {0} account is locked out", userPrincipal.DisplayName);
    }

    // Nullable: only honour the value when the provider actually supplied one.
    if (userPrincipal.Enabled != null)
    {
        isEnabled = userPrincipal.Enabled.Value;
        Log.DebugFormat("User {0} account is Enabled is set to {1}", userPrincipal.DisplayName, userPrincipal.Enabled.Value);
    }

    return isEnabled;
}

Most accounts appear disabled because of the userPrincipal.Enabled check.

However, if I leave this out and just rely on the account expiration date and the account lockout properties, then I may miss someone who is disabled using the checkbox in Active Directory which simply disables the account - without setting the account expiration date.

All the accounts where Enabled returns false are actually active accounts that can log in to the domain.

How do you check if an account is actually enabled or not?

John J Smith asked Nov 01 '22 19:11



1 Answer

I ran into a similar issue, and was equally perplexed!

I initially was using a System.DirectoryServices.DirectorySearcher to search for disabled users. The status of an AD user record (re: disabled, locked out, password expiry, etc.) is stored within the UserAccountControl property. You could pass in a filter to the DirectorySearcher to locate, let's say, disabled accounts by specifying the UserAccountControl property as part of the filter.

I was never fond of this approach as it amounted to using a magic string and some magic numbers in order to build the query; for example, this is the filter used to locate disabled accounts:

var searcher = new DirectorySearcher(dirEntry)
{
    Filter = "(UserAccountControl:1.2.840.113556.1.4.803:=2)",
    PageSize = 50
};

When I switched over to using the UserPrincipal, I was thrilled to see this nice handy "Enabled" property right on the class. At least until I realized it didn't return the same value that the DirectorySearcher filter would return.

Unfortunately, the only reliable way that I could find to determine if the account was actually enabled was to dig into the underlying DirectoryEntry object, and go inspect the UserAccountControl property directly, i.e.:

// Drop down from the AccountManagement layer to the raw LDAP attribute.
var result = (DirectoryEntry)userPrincipal.GetUnderlyingObject();
var uac = (int)result.Properties["useraccountcontrol"].Value;
// Bit 0x2 (ACCOUNTDISABLE) is the flag the "disable account" checkbox sets.
var isEnabled = !Convert.ToBoolean(uac & 2);

Note - the UserAccountControl property is a "flags" enum; all possible values for the UserAccountControl property can be found here: https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx

I ended up building the above snippet into a little extension method; fortunately doing this extra work to retrieve the UserAccountControl property didn't noticeably slow down my AD queries.

RMD answered Nov 13 '22 05:11

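An added example, not code from the question or the answer, that combines the answer's userAccountControl check with the expiry and lockout checks from the question into one decision routine. The enum values are taken from the Microsoft documentation page the answer links to (the LDAP filter in the answer tests the same 0x2 bit through the LDAP_MATCHING_RULE_BIT_AND rule, OID 1.2.840.113556.1.4.803); the class and method names are mine, and the sample values in Demo are constructed, not read from a directory. It assumes references to System.DirectoryServices and System.DirectoryServices.AccountManagement.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// Subset of the userAccountControl bit flags, with values from the Microsoft
// documentation page linked in the answer. Only the bits used here are listed.
[Flags]
public enum UserAccountControlFlags
{
    AccountDisabled    = 0x00002,   // ACCOUNTDISABLE: the "disable account" checkbox sets this
    Lockout            = 0x00010,   // LOCKOUT: not maintained in the stored attribute by AD
    NormalAccount      = 0x00200,   // NORMAL_ACCOUNT
    DontExpirePassword = 0x10000,   // DONT_EXPIRE_PASSWORD
}

public static class AdAccountStatus
{
    // Pure decision logic over the raw values, so it can be exercised without a
    // directory. 'reason' names the first failing check.
    public static bool IsUsable(int uac, DateTime? accountExpirationUtc, bool lockedOut,
                                DateTime nowUtc, out string reason)
    {
        var flags = (UserAccountControlFlags)uac;

        // The answer's check: bit 0x2 is the authoritative "disabled" marker.
        if (flags.HasFlag(UserAccountControlFlags.AccountDisabled))
        {
            reason = "ACCOUNTDISABLE bit is set";
            return false;
        }

        // Lockout is passed in rather than read from the Lockout bit, because AD
        // exposes lockout through lockoutTime / msDS-User-Account-Control-Computed,
        // not through the stored userAccountControl attribute.
        if (lockedOut)
        {
            reason = "account is locked out";
            return false;
        }

        // The question's expiry check, compared in UTC on both sides.
        if (accountExpirationUtc.HasValue && accountExpirationUtc.Value <= nowUtc)
        {
            reason = "account expired on " + accountExpirationUtc.Value.ToString("u");
            return false;
        }

        reason = "enabled";
        return true;
    }

    // Directory-facing wrapper: reads userAccountControl through the underlying
    // DirectoryEntry, as the answer does, instead of trusting UserPrincipal.Enabled.
    public static bool IsUsable(UserPrincipal user, out string reason)
    {
        var entry = (DirectoryEntry)user.GetUnderlyingObject();
        object raw = entry.Properties["userAccountControl"].Value;

        // A null here usually means the querying identity cannot read the attribute.
        // Fail closed, but say why, instead of silently reporting "disabled".
        if (raw == null)
        {
            reason = "userAccountControl not readable; check the query account's permissions";
            return false;
        }

        // Assumption: AccountManagement returns AccountExpirationDate in UTC, in which
        // case ToUniversalTime() is a no-op.
        DateTime? expiresUtc = user.AccountExpirationDate?.ToUniversalTime();

        return IsUsable((int)raw, expiresUtc, user.IsAccountLockedOut(), DateTime.UtcNow, out reason);
    }
}

public static class Demo
{
    // Constructed sample values, not read from any directory.
    public static void Main()
    {
        var now = new DateTime(2022, 11, 1, 12, 0, 0, DateTimeKind.Utc);
        var samples = new[]
        {
            new { Name = "alice", Uac = 0x10200, Expires = (DateTime?)null,            Locked = false }, // normal, non-expiring password
            new { Name = "bob",   Uac = 0x10202, Expires = (DateTime?)null,            Locked = false }, // disabled via the checkbox
            new { Name = "carol", Uac = 0x00200, Expires = (DateTime?)now.AddDays(-1), Locked = false }, // expired yesterday
            new { Name = "dave",  Uac = 0x00200, Expires = (DateTime?)null,            Locked = true  }, // locked out
        };

        foreach (var s in samples)
        {
            string reason;
            bool ok = AdAccountStatus.IsUsable(s.Uac, s.Expires, s.Locked, now, out reason);
            Console.WriteLine($"{s.Name,-6} uac=0x{s.Uac:X5} -> {(ok ? "USABLE " : "BLOCKED")} ({reason})");
        }
    }
}
```

Running Demo reports alice as usable and bob, carol and dave as blocked, each with its reason. Keeping the decision in the pure overload means the logic can be unit-tested against constructed flag values, while the UserPrincipal overload is the only part that needs a live directory; treating an unreadable attribute as a distinct, logged failure rather than as "disabled" is what stops a permissions problem on the query account from looking like a fleet of disabled users.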