System.DirectoryServices.AccountManagement
Performs bytewise comparison of two byte[] arrays
Array to compare
Array to compare against src
true if identical, false otherwise
Validate the passed credentials against the directory supplied.
This function will use the best determined method to do the evaluation.
Validate the passed credentials against the directory supplied.
The supplied options will determine the directory method for credential validation.
If isSmallGroup has a value, it means we already checked whether the group is small.
Cache the search result for the member attribute;
it will only be set for small groups!
Determines whether the group is "small", meaning that it has fewer than MaxValRange values (usually 1500).
The property list for the searcher of a group has the "member" attribute. If there are more results than MaxValRange, there will also be a "member;range=..." attribute.
We can cache the result and need not fear changes through Add/Remove/Save, because the completed/pending lists are looked up before the actual values are.
Result validator - Delegate function signature.
The result validator should return true if the result is valid
and false if the result is invalid and needs to be skipped.
Directory entry object of the result.
NOTE: ADDNLinkedAttrSet class is responsible for disposing this DirectoryEntry object.
True - if the result is valid (further processing of the result will happen in this case).
False - if the result is invalid. In this case the result will be skipped.
If the enabled property was set on the principal, then perform the actions
necessary on the principal to set the enabled status to match
the set value.
Read the Account Control From the Directory entry. If the control is read then set or
clear bit 0x2 corresponding to the enable parameter
Principal to modify
New state of the enable bit
Apply all changed properties on the principal to the Directory Entry.
Reset the changed status on all the properties
Principal to update
Delete the directory entry that corresponds to the principal
Principal to delete
This method sets the default user account control bits for the new principal
being created in this account store.
Principal to set the user account control bits for
Determine if principal account is locked.
First read User-Account-Control-Computed from the DE. On uplevel platforms this computed attribute will exist and we can
just check bit 0x0010. On downlevel (DL) platforms this attribute does not exist, so we must read lockoutTime and return locked if
it is greater than 0.
Principal to check status
true if account is locked, false if not
Unlock account by setting LockoutTime to 0
Principal to unlock
Set the password on the principal. This function requires administrator privileges
Principal to modify
New password
Change the password on the principal
Principal to modify
Current password
New password
Expire password by setting pwdLastSet to 0
Unexpire password by setting pwdLastSet to -1
Set value for attribute on the passed principal. This is only valid for integer attribute types
First check direct group membership by using DE.IsMember.
If this fails then we may have a ForeignSecurityPrincipal, so search for Foreign Security Principals
with the principal's (p's) SID and then call IsMember with the ADS path returned from the search.
Returns the DN of the Partition to which the user supplied
context base (this.ctxBase) belongs.
Adds the specified Property set to the TypeToPropListMap data structure.
This calls the native API to escape the DN.
Escaped DN
Returns true if the specified SIDs are from the same domain.
Otherwise return false.
Returns true if the specified SIDs are from the same domain.
Otherwise return false.
This is a class designed to cache DirectoryEntries instead of creating them every time.
Retrieves all the values of the specified attribute using the supplied DirectoryEntry object.
This object will additionally dispose the supplied DirectoryEntry object in its Dispose() method
if the disposeDirEntry parameter was set to true in its constructor.
Creates a new RangeRetriever object.
DirectoryEntry object whose attribute needs to be range retrieved
name of the attribute that needs to be range retrieved, ex: "memberOf"
If set to true, the supplied DirectoryEntry will be disposed
by this object's Dispose() method.
If set to true, then the attribute values will be cached in the InnerList.
By default caching is turned off.
Change the password on the principal
Principal to modify
Current password
New password
This method sets the default user account control bits for the new principal
being created in this account store.
Principal to set the user account control bits for
The domain's wellKnownObjects attribute does not contain values for the well-known users and/or computers containers.
A container cannot be specified when using the Machine context.
A container and name must be specified when using the Application Directory context.
The user name and password must either both be null or both must be non-null.
This store does not support this method.
Principals in this version of the store do not support the property '{0}'.
Principal objects of type {0} in this type of store do not support the property '{1}'.
A PrincipalContext must first be assigned to an unpersisted Principal object before the Principal can be saved.
A PrincipalContext must first be assigned to an unpersisted Principal object before the type of the underlying object can be retrieved.
A PrincipalContext must first be assigned to the unpersisted Principal object before this property can be accessed.
Unpersisted Principal objects cannot be deleted.
Cannot access an already deleted object.
This Principal object represents a well-known SID and does not correspond to an actual store object. This operation is not supported on it.
The Principal object must be persisted before this method can be called.
Persisted Principal objects cannot be used as query filters.
A QueryFilter must first be assigned to the PrincipalSearcher before the query can be performed.
There is no underlying searcher for the type of store associated with the PrincipalContext.
Only non-referential properties (properties which do not contain or refer to Principal objects) can be used in the query filter. The Principal object specified as the query filter has referential properties set.
The enumerator is positioned before the first element of the collection or after the last element.
The destination array must be one-dimensional.
The specified index is greater than or equal to the length of the destination array.
The number of elements to copy is greater than the available space in the destination array.
The collection was modified after the enumerator was created.
The enumerator is positioned before the first element of the collection or after the last element.
Multiple principals contain a matching Identity.
No principal matching the specified parameters was found.
No group matching the specified parameters was found.
The principal already exists in the store.
The destination array must be one-dimensional.
The specified index is greater than or equal to the length of the destination array.
The number of elements to copy is greater than the available space in the destination array.
The collection was modified after the enumerator was created.
The enumerator is positioned before the first element of the collection or after the last element.
The subtype parameter must be either AuthenticablePrincipal or a subtype of AuthenticablePrincipal.
The ChangePassword method cannot be called on an unpersisted Principal object.
A PrincipalContext must first be assigned to the unpersisted User object before this method can be called.
The User object for the current user could not be found. You may not have access to it.
Information about the domain could not be retrieved ({0}).
The thread or process token could not be accessed ({0}).
Information from the thread token could not be retrieved ({0}).
This computer's policy information could not be retrieved ({0}).
The supplied credentials could not be impersonated.
Principal objects of type {0} cannot be saved in this store.
Principal objects of type {0} cannot be inserted into groups in this store.
Principal objects of type {0} cannot be used in a query against this store.
The property '{0}' cannot be used in a query against this store.
This IdentityType cannot be used in a query against this store.
The IdentityClaim to use in the query must have a UrnScheme specified.
The SID is not in a valid format.
The GUID is not in a valid format.
The samAccountName IdentityType must be in the form "domainname\\userName", "machinename\\userName", or "userName".
The Group object cannot be saved until the unpersisted Principal object in its Members property is either saved or removed from the collection.
The Principal object must have a valid SID IdentityType in order to perform this operation.
Only domain Principal objects can be inserted into groups in this store.
The SID for one of the Principal objects to be inserted into the group could not be retrieved from the store.
Domain PrincipalContext objects must be rooted at a directory entry that is a container.
While trying to resolve a cross-store reference, the objectSid could not be retrieved from the representation of the target principal.
While trying to resolve a cross-store reference, the SID of the target principal could not be resolved. The error code is {0}.
While trying to resolve a cross-store reference, the target principal could not be found in the domain indicated by the principal's SID.
The principal could not be enabled because the existing account control flags could not be read.
The principal could not be updated because the existing account control flags could not be read.
The group could not be updated because the existing group type flags could not be read.
The Group object's Members property cannot be cleared because one or more of the group's members have this group as their primary group.
The member cannot be removed from the Group object's Members property because it has this group as its primary group.
Password change operation is not supported for Computer accounts in this store.
The operating system version of the target computer could not be retrieved.
The name of the target computer could not be retrieved.
The flat name of the target computer could not be retrieved ({0}).
Computer accounts in this store cannot have their passwords reset or changed.
Computer accounts in this store cannot have their passwords expired.
One of the Principal objects to be inserted into or removed from the group's membership does not contain a SID.
An error ({0}) occurred while trying to clear the group membership.
While trying to resolve a cross-store reference, the objectSid could not be retrieved from the representation of the target principal.
While trying to resolve a cross-store reference, the SID of the target principal could not be resolved. The error code is {0}.
While trying to resolve a cross-store reference, the target principal could not be found in the domain indicated by the principal's SID.
An error ({0}) occurred while enumerating the group membership. The member's SID could not be resolved.
Only local groups are supported by this store.
While trying to retrieve the authorization groups, an error ({0}) occurred.
Retrieval of authorization groups is not supported by this platform.
An error ({0}) occurred while enumerating the groups. The group's SID could not be resolved.
An error occurred while enumerating the groups. The group could not be found.
The options value is invalid. The Machine store only supports Negotiate.
The supplied context type does not match the server contacted. The server type is {0}.
The supplied arguments cannot be null.
Empty string is not supported by the property {0} for this store type.
The server could not be contacted.
Property is not valid for this store type.
SamAccountName or Name must be assigned to a newly-created Principal object in this store prior to saving.
Extension class must define a constructor that accepts a PrincipalContext argument.
Extension class must set DirectoryObjectClassAttribute and DirectoryRdnPrefixAttribute.
The target context must have the same type as the object's current context.
The ComputerPrincipal object is not supported by the ApplicationDirectory store.
Saving to an alternate context is not supported by the Machine store.
The ContextOptions passed are invalid for the Machine store. Only ContextOptions.Negotiate is supported.
The ContextOptions passed are invalid for this store type. Either Negotiate or SimpleBind must be specified and they cannot be combined.
Collections whose elements are another collection cannot be set by ExtensionClasses.
The store is unable to populate a list of bindable object types. Check access to the Schema container.
Multiple filters on the property {0} are not supported.
Active Directory Client is not installed on this computer.
System.DirectoryServices.AccountManagement is not supported on this platform.
Blittable version of Windows BOOL type. It is convenient in situations where
manual marshalling is required, or to avoid overhead of regular bool marshalling.
Some Windows APIs return arbitrary integer values although the return type is defined
as BOOL. It is best to never compare BOOL to TRUE. Always use bResult != BOOL.FALSE
or bResult == BOOL.FALSE.
Blittable version of Windows BOOLEAN type. It is convenient in situations where
manual marshalling is required, or to avoid overhead of regular bool marshalling.
Some Windows APIs return arbitrary integer values although the return type is defined
as BOOLEAN. It is best to never compare BOOLEAN to TRUE. Always use bResult != BOOLEAN.FALSE
or bResult == BOOLEAN.FALSE.
OBJECT_ATTRIBUTES structure.
The OBJECT_ATTRIBUTES structure specifies attributes that can be applied to objects or object handles by routines
that create objects and/or return handles to objects.
Optional handle to root object directory for the given ObjectName.
Can be a file system directory or object manager directory.
Name of the object. Must be fully qualified if RootDirectory isn't set.
Otherwise is relative to RootDirectory.
If null, object will receive default security settings.
Optional quality of service to be applied to the object. Used to indicate
security impersonation level and context tracking mode (dynamic or static).
Equivalent of InitializeObjectAttributes macro with the exception that you can directly set SQOS.
This handle can be inherited by child processes of the current process.
This flag only applies to objects that are named within the object manager.
By default, such objects are deleted when all open handles to them are closed.
If this flag is specified, the object is not deleted when all open handles are closed.
Only a single handle can be open for this object.
Lookups for this object should be case insensitive.
Create on existing object should open, not fail with STATUS_OBJECT_NAME_COLLISION.
Open the symbolic link, not its target.
SECURITY_QUALITY_OF_SERVICE structure.
Used to support client impersonation. Client specifies this to a server to allow
it to impersonate the client.
SECURITY_IMPERSONATION_LEVEL enumeration values.
[SECURITY_IMPERSONATION_LEVEL]
The server process cannot obtain identification information about the client and cannot impersonate the client.
[SecurityAnonymous]
The server process can obtain identification information about the client, but cannot impersonate the client.
[SecurityIdentification]
The server process can impersonate the client's security context on its local system.
[SecurityImpersonation]
The server process can impersonate the client's security context on remote systems.
[SecurityDelegation]
SECURITY_CONTEXT_TRACKING_MODE
The server is given a snapshot of the client's security context.
[SECURITY_STATIC_TRACKING]
The server is continually updated with changes.
[SECURITY_DYNAMIC_TRACKING]
Length in bytes, not including the null terminator, if any.
Max size of the buffer in bytes
TOKEN_INFORMATION_CLASS enumeration.