我在 2008 R2 上使用 C# 创建了具有sAMAccountName和 的帐户。我可以使用(或明确地)user principal name登录,但不能使用。sAMAccountNameDOMAIN\sAMAccountNameUPN
另一个手动创建的帐户可以与 UPN 或 sAMAccountName 配合使用。
private static SecurityIdentifier everyoneSid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
private static SecurityIdentifier selfSid = new SecurityIdentifier(WellKnownSidType.SelfSid, null);
private static Guid changePasswordGuid = new Guid("{AB721A53-1E2F-11D0-9819-00AA0040529B}");
private static ActiveDirectoryAccessRule allowEveryone = new ActiveDirectoryAccessRule(everyoneSid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, changePasswordGuid);
private static ActiveDirectoryAccessRule allowSelf = new ActiveDirectoryAccessRule(selfSid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, changePasswordGuid);
private static ActiveDirectoryAccessRule denyEveryone = new ActiveDirectoryAccessRule(everyoneSid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, changePasswordGuid);
private static ActiveDirectoryAccessRule denySelf = new ActiveDirectoryAccessRule(selfSid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, changePasswordGuid);
public static void CreateUserAccount(string title, string firstName, string lastName, string samaccountname, string login, string password, string uid, string description, bool pupil)
{
string oGUID = string.Empty;
string ldapPath = "LDAP://OU=Pupils,DC=domain,DC=foo";
using (DirectoryEntry dirEntry = new DirectoryEntry(ldapPath))
using (DirectoryEntry newUser = dirEntry.Children.Add(string.Format("CN={0} {1} {2}", lastName, firstName, uid), "user"))
{
newUser.Properties["sAMAccountName"].Value = uid;
newUser.Properties["userPrincipalName"].Value = login + "@" + Domain.GetCurrentDomain();
newUser.Properties["description"].Value = "Pupil";
newUser.Properties["personalTitle"].Value = title;
newUser.Properties["givenName"].Value = firstName;
newUser.Properties["sn"].Value = lastName;
newUser.Properties["displayName"].Value = string.Format("{0} {1}", firstName, lastName);
newUser.Properties["employeeID"].Value = uid;
newUser.Properties["employeeType"].Value = "Pupil";
newUser.Properties["employeeNumber"].Value = password;
newUser.Properties["businessCategory"].Value = "Test";
newUser.CommitChanges();
oGUID = newUser.Guid.ToString();
newUser.Properties["userAccountControl"].Value = ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD;
ActiveDirectorySecurity userSecurity = newUser.ObjectSecurity;
// Remove any existing rule that gives "everyone" the change password right.
userSecurity.RemoveAccessRuleSpecific(allowEveryone);
// Add a new access rule to deny "everyone" the change password right.
userSecurity.AddAccessRule(denyEveryone);
// Remove any existing rule that gives "self" the change password right.
userSecurity.RemoveAccessRuleSpecific(allowSelf);
// Add a new access rule to deny "self" the change password right.
userSecurity.AddAccessRule(denySelf);
newUser.Invoke("SetPassword", new object[] { password });
newUser.CommitChanges();
}
}
答案1
默认情况下,用户可以使用他们的 UPN 登录,但我不知道如何禁用此功能。
通常当我看到此问题时,实际发生的原因是服务器由于某种原因无法联系 DC,并且正在使用缓存的凭据。缓存机制不是很智能,并将输入的用户名匹配为字符串,因此之前输入不合格帐户名的用户可以继续这样做,但如果他们尝试使其合格,他们将登录失败。
如果没有发生这种情况,则您的 DC 可能存在某种问题,但如果没有收到实际错误(并且可能没有查看系统上的事件日志和服务登录的 DC),则无法说清楚。