使用C#中的密码创建Active Directory用户

时间:2021-05-26 02:54:59

I'm looking for a way to create Active Directory users and set their password, preferably without giving my application/service Domain Admin privileges.

我正在寻找一种方法来创建Active Directory用户并设置他们的密码,最好不要给我的应用程序/服务域管理员权限。

I've tried the following:

我尝试过以下方法:

DirectoryEntry newUser = _directoryEntry.Children.Add("CN=" + fullname, USER);
newUser.Properties["samAccountName"].Value = username;
newUser.Properties["userPassword"].Value = password;
newUser.Properties["mail"].Value = email;
newUser.CommitChanges();

The user is created, but it seems the password is never set on the user.

用户已创建,但似乎从未在用户上设置密码。

Does anyone have an idea on how to set the user's password initially when creating the user? I know about

有没有人知道如何在创建用户时最初设置用户密码?我知道

.Invoke("SetPassword", new object[] { password })

But that requires my code to be run with Domain Admin privileges. As I don't really see the point to grant my code Domain Admin privileges, just to set the initial password (I also allow user password resets, but those run in the context of that particular user), I am hoping someone has a clever solution that doesn't require me to do so.

但这需要我的代码以域管理员权限运行。因为我没有真正看到授予我的代码域管理员权限的重点,只是设置初始密码(我也允许用户密码重置,但那些在特定用户的上下文中运行),我希望有人聪明解决方案,不要求我这样做。

Thanks in advance!

提前致谢!

4 个解决方案

#1

29  

You can do this whole process much easier now with System.DirectoryServices.AccountManagement (long as you're on .Net 3.5):

使用System.DirectoryServices.AccountManagement,您可以更轻松地完成整个过程(只要您使用.Net 3.5):

See here for a full rundown

请参阅此处了解完整的纲要

Here's a quick example of your specific case:

以下是您具体案例的快速示例:

using(var pc = new PrincipalContext(ContextType.Domain))
{
  using(var up = new UserPrincipal(pc))
  {
    up.SamAccountName = username;
    up.EmailAddress = email;
    up.SetPassword(password);
    up.Enabled = true;
    up.ExpirePasswordNow();
    up.Save();
  }
}

#2

4  

I'd use @Nick's code (wrapped in using statements so the context and principal are disposed properly). As for privileges, you'll need to at least have enough privileges on the OU where you are creating the user to create and manage objects. I'd create a specific user under which your program will run and give it just enough privileges to do the tasks that it needs in that specific OU and no more.

我使用@ Nick的代码(包含在using语句中,以便正确处理上下文和主体)。至于权限,您至少需要在创建用户的OU上拥有足够的权限来创建和管理对象。我将创建一个特定的用户,您的程序将在该用户下运行,并为其提供足够的权限,以便在该特定OU中执行所需的任务,而不再需要。

#3

3  

Yes can also use below code to create bulk of users

是也可以使用下面的代码来创建大量用户

DirectoryEntry ouEntry = new DirectoryEntry("LDAP://OU=TestOU,DC=TestDomain,DC=local");

        for (int i = 0; i < 10; i++)
        {
            try
            {
                DirectoryEntry childEntry = ouEntry.Children.Add("CN=TestUser" + i,  "user");
                childEntry.CommitChanges();
                ouEntry.CommitChanges();
                childEntry.Invoke("SetPassword", new object[] { "password" });
                childEntry.CommitChanges();
            }
            catch (Exception ex)
            {

            }
        }

#4

1  

Try with this code.

试试这个代码。

DirectoryEntry ouEntry = new DirectoryEntry("LDAP://OU=TestOU,DC=TestDomain,DC=local");

for (int i = 0; i < 10; i++)
{
    try
    {
        DirectoryEntry childEntry = ouEntry.Children.Add("CN=TestUser" + i,  "user");
        childEntry.CommitChanges();
        ouEntry.CommitChanges();
        childEntry.Invoke("SetPassword", new object[] { "password" });
        childEntry.CommitChanges();
    }
    catch (Exception ex)
    {

    }
}

#1

29  

You can do this whole process much easier now with System.DirectoryServices.AccountManagement (long as you're on .Net 3.5):

使用System.DirectoryServices.AccountManagement,您可以更轻松地完成整个过程(只要您使用.Net 3.5):

See here for a full rundown

请参阅此处了解完整的纲要

Here's a quick example of your specific case:

以下是您具体案例的快速示例:

using(var pc = new PrincipalContext(ContextType.Domain))
{
  using(var up = new UserPrincipal(pc))
  {
    up.SamAccountName = username;
    up.EmailAddress = email;
    up.SetPassword(password);
    up.Enabled = true;
    up.ExpirePasswordNow();
    up.Save();
  }
}

#2

4  

I'd use @Nick's code (wrapped in using statements so the context and principal are disposed properly). As for privileges, you'll need to at least have enough privileges on the OU where you are creating the user to create and manage objects. I'd create a specific user under which your program will run and give it just enough privileges to do the tasks that it needs in that specific OU and no more.

我使用@ Nick的代码(包含在using语句中,以便正确处理上下文和主体)。至于权限,您至少需要在创建用户的OU上拥有足够的权限来创建和管理对象。我将创建一个特定的用户,您的程序将在该用户下运行,并为其提供足够的权限,以便在该特定OU中执行所需的任务,而不再需要。

#3

3  

Yes can also use below code to create bulk of users

是也可以使用下面的代码来创建大量用户

DirectoryEntry ouEntry = new DirectoryEntry("LDAP://OU=TestOU,DC=TestDomain,DC=local");

        for (int i = 0; i < 10; i++)
        {
            try
            {
                DirectoryEntry childEntry = ouEntry.Children.Add("CN=TestUser" + i,  "user");
                childEntry.CommitChanges();
                ouEntry.CommitChanges();
                childEntry.Invoke("SetPassword", new object[] { "password" });
                childEntry.CommitChanges();
            }
            catch (Exception ex)
            {

            }
        }

#4

1  

Try with this code.

试试这个代码。

DirectoryEntry ouEntry = new DirectoryEntry("LDAP://OU=TestOU,DC=TestDomain,DC=local");

for (int i = 0; i < 10; i++)
{
    try
    {
        DirectoryEntry childEntry = ouEntry.Children.Add("CN=TestUser" + i,  "user");
        childEntry.CommitChanges();
        ouEntry.CommitChanges();
        childEntry.Invoke("SetPassword", new object[] { "password" });
        childEntry.CommitChanges();
    }
    catch (Exception ex)
    {

    }
}
标签:

相关文章