Acitve Directory lockoutDuration

Discussion in 'Active Directory' started by Ollie, Aug 24, 2004.

  1. Ollie

    Ollie Guest

    I have defined the 'Account Lockout Policy' values to be 30 minutes
    (duration & reset) in the Default Domain Security Settings in control panel
    (Domain Security Policy) of a windows 2003 machine.

    I am attempt to reading the 'lockoutDuration' programmatically using C#
    (.Net), the code is shown below:

    string nameContext = "XXXXXXXXXXX";
    System.DirectoryServices.DirectorySearcher dirSearcher = new
    System.DirectoryServices.DirectorySearcher(nameContext);
    dirSearcher.PropertiesToLoad.Add("lockoutDuration");

    System.DirectoryServices.DirectoryEntry dirEntry = dirSearcher.SearchRoot;

    IADsLargeInteger int64Val =
    (IADsLargeInteger)dirEntry.Properties["lockoutDuration"].Value;
    System.Int64 largeInt = int64Val .HighPart * 0x100000000 + int64Val.LowPart;

    System.TimeSpan ts = new TimeSpan(largeInt);
    result = ts.Minutes;

    The problem is the value returned is -37 minutes !!!!

    So I guess I have made a mistake somewhere, can anyone spot it?

    Cheers in advance

    Ollie
     
    Ollie, Aug 24, 2004
    #1
    1. Advertisements

  2. The negative value is correct, it is delta from the current time.

    The 7 means there is some sort of error in the math somewhere. I don't do NET so
    not sure where that could be, hopefully joek will be along shortly with the
    answer there. If you just want to work with it it should be that you should be
    getting

    -18000000000

    for the lockoutDuration value.

    Divide that by 600000000 and you have your delta in minutes, -30.

    joe
     
    Joe Richards [MVP], Aug 24, 2004
    #2
    1. Advertisements

  3. I think that example might be wrong. The problem is that even though
    LowPart is typed as an Int32, it really needs to be a UInt32 since if if the
    high bit is set, it will be treated as a negative number and the addition
    will not give the expected result.

    The easiest way to do this is to just use the DirectorySearcher directly
    doing a base level search on the domain root. The DirectorySearcher
    properly converts the value to an Int64 for you.

    Joe K.
     
    Joe Kaplan \(MVP - ADSI\), Aug 24, 2004
    #3
  4. Ollie

    Ollie Guest

    cheers for the info Joe

    Ollie

     
    Ollie, Aug 24, 2004
    #4
  5. Ollie

    Ollie Guest

    cheers for the info Joe

    Ollie

     
    Ollie, Aug 24, 2004
    #5
  6. Ollie

    kailas

    Joined:
    Feb 7, 2012
    Messages:
    1
    Likes Received:
    0
    update the lockoutDuration programatically

    Hi,

    How we can set the value for lockoutDuration using c#?

    Thanks in Advance,

    Kailas.
     
    kailas, Feb 7, 2012
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.