namespace ActiveDirectoryHelper
{
#region Using directives.
// ---------------------------------------------------------------------- using System;
using System.Security.Principal;
using System.Runtime.InteropServices;
using System.ComponentModel; // ----------------------------------------------------------------------
#endregion ///////////////////////////////////////////////////////////////////////// /// <summary>
/// Impersonation of a user. Allows to execute code under another
/// user context.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <res>
/// This class is based on the information in the Microsoft knowledge base
/// article http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158
///
/// Encapsulate an instance into a using-directive like e.g.:
///
/// ...
/// using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) )
/// {
/// ...
/// [code that executes under the new context]
/// ...
/// }
/// ...
///
/// Please contact the author Uwe Keim (mailto:[email protected])
/// for questions regarding this class.
/// </res>
public class Impersonator :
IDisposable
{
#region Public methods.
// ------------------------------------------------------------------ /// <summary>
/// Constructor. Starts the impersonation with the given credentials.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
public Impersonator(
string userName,
string domainName,
string password)
{
ImpersonateValidUser(userName, domainName, password);
} // ------------------------------------------------------------------
#endregion #region IDisposable member.
// ------------------------------------------------------------------ public void Dispose()
{
UndoImpersonation();
} // ------------------------------------------------------------------
#endregion #region P/Invoke.
// ------------------------------------------------------------------ [DllImport("advapi32.dll", SetLastError = true)]
private static extern int LogonUser(
string lpszUserName,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken); [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern int DuplicateToken(
IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken); [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool RevertToSelf(); [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
private static extern bool CloseHandle(
IntPtr handle); private const int LOGON32_LOGON_INTERACTIVE = 2;
private const int LOGON32_PROVIDER_DEFAULT = 0; // ------------------------------------------------------------------
#endregion #region Private member.
// ------------------------------------------------------------------ /// <summary>
/// Does the actual impersonation.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
private void ImpersonateValidUser(
string userName,
string domain,
string password)
{
WindowsIdentity tempWindowsIdentity = null;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero; try
{
if (RevertToSelf())
{
if (LogonUser(
userName,
domain,
password,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
ref token) != 0)
{
if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
{
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
impersonationContext = tempWindowsIdentity.Impersonate();
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
finally
{
if (token != IntPtr.Zero)
{
CloseHandle(token);
}
if (tokenDuplicate != IntPtr.Zero)
{
CloseHandle(tokenDuplicate);
}
}
} /// <summary>
/// Reverts the impersonation.
/// </summary>
private void UndoImpersonation()
{
if (impersonationContext != null)
{
impersonationContext.Undo();
}
} private WindowsImpersonationContext impersonationContext = null; // ------------------------------------------------------------------
#endregion
} /////////////////////////////////////////////////////////////////////////
}
protected void Button1_Click(object sender, EventArgs e)
{
string sOuGuid = Request["guid"];
string samAccountName = txtAccountName.Text;
string sSn = txtSname.Text;
string sGivenName = txtGivenName.Text;
string sDisplayName = txtDisplayName.Text;
string sPassword = txtPwd.Text;
string sWorkstation = txtWorkstations.Text;
using (Impersonator im = new Impersonator("liut", "contoso", "abc@1234"))
{
string NewUserPath, eMsg;
DirectoryEntry odeUser = Adman.CreateNewUser(samAccountName, sOuGuid, sPassword, sDisplayName, out eMsg);
if (eMsg == "OK")
{
WindowsIdentity winId = WindowsIdentity.GetCurrent();
//odeUser.Username = "administrator";
odeUser.Invoke("SetPassword", sPassword);
//Adman.SetUserPassword(odeUser, sPassword);
//Adman.EnableUserAccount(NewUserPath); DirectoryEntry ode = odeUser;
//DirectoryEntry ode = Adman.GetUser(NewUserPath);
//ode.Rename("CN=" + txtDisplayName.Text);
Adman.SetProperty(ode, "sAMAccountName", txtAccountName.Text);
Adman.SetProperty(ode, "sn", txtSname.Text);
Adman.SetProperty(ode, "givenName", txtGivenName.Text);
Adman.SetProperty(ode, "displayName", txtDisplayName.Text);
Adman.SetProperty(ode, "userWorkstations", txtWorkstations.Text);
txtPwd.Enabled = false;
txtPwd2.Enabled = false;
txtAccountName.Enabled = false;
txtSname.Enabled = false;
txtGivenName.Enabled = false;
txtDisplayName.Enabled = false;
txtWorkstations.Enabled = false;
Button1.Enabled = false;
Page.ClientScript.RegisterStartupScript(this.GetType(), "alert", "<script>alert('操作成功!');</script>");
}
else
{
Page.ClientScript.RegisterStartupScript(this.GetType(), "alert",
"<script>alert('操作失败:" + eMsg + "');</script>");
}
}
}public string SetPassword(string path, string sPassword)
{
try
{
using (new Impersonator("administrator", "contoso", "p@ssw0rd"))
{ DirectoryEntry usr = new DirectoryEntry();
usr.Path = path;
usr.AuthenticationType = AuthenticationTypes.Secure;
object ret = usr.Invoke("SetPassword", sPassword); usr.CommitChanges();
usr.Close();
return "SUCCESS"; } }
catch (Exception exc)
{
string ErrMsg = exc.Message + exc.StackTrace + path;
return ErrMsg;
}
}第一段代码是用来模拟账户的
第二段代码是创建一个用户
第三段代码是直接修改一个用户的密码,第三段代码可以,但是第二段修改密码就会提示错误,拒绝访问,相同的模拟账户方法,怎么第二段代码就失败了呢。
解决方案 »
- asp.net获取到的英文字母,变小写
- 请人帮我写Repeater绑写XML数据源代码,xml我提供
- gridview的绑定Textbox的使用
- pulldown 可以输入 怎么处理
- 图像热点(<map>标签)内的<area coords="211,46,275,113">这样的,是相对位置还是绝对位置呢?
- 怎么样把服务器上数据库里面的表下载到本地
- 急!!!调试2005时(C#)关联的不是IE.而是短路径的FIREFOX.EXE.详细内见
- 零零五和高手来!我怎么比较两个字符串(没分了)
- 那位仁兄可以帮我注释一下?
- 昨天问过了,还有点小问题
- 当button按钮的enable=false时,如何禁用按钮的onClientScript="return confirm('是否确认删除')"
- DropDownList下拉表不能选。总调回第一个
这个做法太危险了,还是别这么设计的好。