Acitve Directory lockoutDuration

I have defined the 'Account Lockout Policy' values to be 30 minutes
(duration & reset) in the Default Domain Security Settings in control panel
(Domain Security Policy) of a windows 2003 machine.

I am attempt to reading the 'lockoutDuration' programmatically using C#
(.Net), the code is shown below:

string nameContext = "XXXXXXXXXXX";
System.DirectoryServices.DirectorySearcher dirSearcher = new
System.DirectoryServices.DirectorySearcher(nameCon text);
dirSearcher.PropertiesToLoad.Add("lockoutDuration" );

System.DirectoryServices.DirectoryEntry dirEntry = dirSearcher.SearchRoot;

IADsLargeInteger int64Val =
(IADsLargeInteger)dirEntry.Properties["lockoutDuration"].Value;
System.Int64 largeInt = int64Val .HighPart * 0x100000000 + int64Val.LowPart;

System.TimeSpan ts = new TimeSpan(largeInt);
result = ts.Minutes;

The problem is the value returned is -37 minutes !!!!

So I guess I have made a mistake somewhere, can anyone spot it?

Cheers in advance

Ollie

The negative value is correct, it is delta from the current time.

The 7 means there is some sort of error in the math somewhere. I don't do NET so
not sure where that could be, hopefully joek will be along shortly with the
answer there. If you just want to work with it it should be that you should be
getting

-18000000000

for the lockoutDuration value.

Divide that by 600000000 and you have your delta in minutes, -30.

joe



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



Ollie wrote:
> I have defined the 'Account Lockout Policy' values to be 30 minutes
> (duration & reset) in the Default Domain Security Settings in control panel
> (Domain Security Policy) of a windows 2003 machine.
>
> I am attempt to reading the 'lockoutDuration' programmatically using C#
> (.Net), the code is shown below:
>
> string nameContext = "XXXXXXXXXXX";
> System.DirectoryServices.DirectorySearcher dirSearcher = new
> System.DirectoryServices.DirectorySearcher(nameCon text);
> dirSearcher.PropertiesToLoad.Add("lockoutDuration" );
>
> System.DirectoryServices.DirectoryEntry dirEntry = dirSearcher.SearchRoot;
>
> IADsLargeInteger int64Val =
> (IADsLargeInteger)dirEntry.Properties["lockoutDuration"].Value;
> System.Int64 largeInt = int64Val .HighPart * 0x100000000 + int64Val.LowPart;
>
> System.TimeSpan ts = new TimeSpan(largeInt);
> result = ts.Minutes;
>
> The problem is the value returned is -37 minutes !!!!
>
> So I guess I have made a mistake somewhere, can anyone spot it?
>
> Cheers in advance
>
> Ollie
>
>

I think that example might be wrong. The problem is that even though
LowPart is typed as an Int32, it really needs to be a UInt32 since if if the
high bit is set, it will be treated as a negative number and the addition
will not give the expected result.

The easiest way to do this is to just use the DirectorySearcher directly
doing a base level search on the domain root. The DirectorySearcher
properly converts the value to an Int64 for you.

Joe K.

"Ollie" <> wrote in message
news:...
> I have defined the 'Account Lockout Policy' values to be 30 minutes
> (duration & reset) in the Default Domain Security Settings in control
panel
> (Domain Security Policy) of a windows 2003 machine.
>
> I am attempt to reading the 'lockoutDuration' programmatically using C#
> (.Net), the code is shown below:
>
> string nameContext = "XXXXXXXXXXX";
> System.DirectoryServices.DirectorySearcher dirSearcher = new
> System.DirectoryServices.DirectorySearcher(nameCon text);
> dirSearcher.PropertiesToLoad.Add("lockoutDuration" );
>
> System.DirectoryServices.DirectoryEntry dirEntry = dirSearcher.SearchRoot;
>
> IADsLargeInteger int64Val =
> (IADsLargeInteger)dirEntry.Properties["lockoutDuration"].Value;
> System.Int64 largeInt = int64Val .HighPart * 0x100000000 +
int64Val.LowPart;
>
> System.TimeSpan ts = new TimeSpan(largeInt);
> result = ts.Minutes;
>
> The problem is the value returned is -37 minutes !!!!
>
> So I guess I have made a mistake somewhere, can anyone spot it?
>
> Cheers in advance
>
> Ollie
>
>

cheers for the info Joe

Ollie

"Joe Kaplan (MVP - ADSI)" <> wrote
in message news:%...
> I think that example might be wrong. The problem is that even though
> LowPart is typed as an Int32, it really needs to be a UInt32 since if if
the
> high bit is set, it will be treated as a negative number and the addition
> will not give the expected result.
>
> The easiest way to do this is to just use the DirectorySearcher directly
> doing a base level search on the domain root. The DirectorySearcher
> properly converts the value to an Int64 for you.
>
> Joe K.
>
> "Ollie" <> wrote in message
> news:...
> > I have defined the 'Account Lockout Policy' values to be 30 minutes
> > (duration & reset) in the Default Domain Security Settings in control
> panel
> > (Domain Security Policy) of a windows 2003 machine.
> >
> > I am attempt to reading the 'lockoutDuration' programmatically using C#
> > (.Net), the code is shown below:
> >
> > string nameContext = "XXXXXXXXXXX";
> > System.DirectoryServices.DirectorySearcher dirSearcher = new
> > System.DirectoryServices.DirectorySearcher(nameCon text);
> > dirSearcher.PropertiesToLoad.Add("lockoutDuration" );
> >
> > System.DirectoryServices.DirectoryEntry dirEntry =
dirSearcher.SearchRoot;
> >
> > IADsLargeInteger int64Val =
> > (IADsLargeInteger)dirEntry.Properties["lockoutDuration"].Value;
> > System.Int64 largeInt = int64Val .HighPart * 0x100000000 +
> int64Val.LowPart;
> >
> > System.TimeSpan ts = new TimeSpan(largeInt);
> > result = ts.Minutes;
> >
> > The problem is the value returned is -37 minutes !!!!
> >
> > So I guess I have made a mistake somewhere, can anyone spot it?
> >
> > Cheers in advance
> >
> > Ollie
> >
> >
>
>

cheers for the info Joe

Ollie

"Joe Richards [MVP]" <> wrote in message
news:...
> The negative value is correct, it is delta from the current time.
>
> The 7 means there is some sort of error in the math somewhere. I don't do
NET so
> not sure where that could be, hopefully joek will be along shortly with
the
> answer there. If you just want to work with it it should be that you
should be
> getting
>
> -18000000000
>
> for the lockoutDuration value.
>
> Divide that by 600000000 and you have your delta in minutes, -30.
>
> joe
>
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
>
> Ollie wrote:
> > I have defined the 'Account Lockout Policy' values to be 30 minutes
> > (duration & reset) in the Default Domain Security Settings in control
panel
> > (Domain Security Policy) of a windows 2003 machine.
> >
> > I am attempt to reading the 'lockoutDuration' programmatically using C#
> > (.Net), the code is shown below:
> >
> > string nameContext = "XXXXXXXXXXX";
> > System.DirectoryServices.DirectorySearcher dirSearcher = new
> > System.DirectoryServices.DirectorySearcher(nameCon text);
> > dirSearcher.PropertiesToLoad.Add("lockoutDuration" );
> >
> > System.DirectoryServices.DirectoryEntry dirEntry =
dirSearcher.SearchRoot;
> >
> > IADsLargeInteger int64Val =
> > (IADsLargeInteger)dirEntry.Properties["lockoutDuration"].Value;
> > System.Int64 largeInt = int64Val .HighPart * 0x100000000 +
int64Val.LowPart;
> >
> > System.TimeSpan ts = new TimeSpan(largeInt);
> > result = ts.Minutes;
> >
> > The problem is the value returned is -37 minutes !!!!
> >
> > So I guess I have made a mistake somewhere, can anyone spot it?
> >
> > Cheers in advance
> >
> > Ollie
> >
> >

Hi,

How we can set the value for lockoutDuration using c#?

Thanks in Advance,

Kailas.