
Filtering Disabled AD Accounts

Apr 6, 2009 at 10:12 AM
Edited Apr 6, 2009 at 10:13 AM
I had an issue where some users were not showing in AD groups and this turned out to be the UserPrincipalName being blank.

Having fixed this I'm onto my next issue which is filtering out disabled AD accounts.
When staff leave their accounts are kept for audit purposes but are just disabled.
This has led to huge listings in the drop down boxes.

I can't find the UserAccountControl property in the p. collection available in the security code, nor where this is populated from.

Can you point me in the right direction?

Thanks

Gareth
Apr 6, 2009 at 7:57 PM
Honestly, it sounds like you are troubleshooting the wrong problem.

The simplest, and most reliable solution is to create new AD groups, put just the members that need access to ticketdesk in those groups, then tell ticketdesk to use those. It is far simpler, and will increase performance of TicketDesk quite a lot too.

Querying AD is a complete pain, and to be honest it is so poorly documented that I usually avoid it like the plague. AD has got to be the worst database ever invented by mankind. Not only is it next to impossible to deal with the complexity, it also performs like a dog.

That said, you could probably do what you want to do in the GetCachedAdUsersForGroup method of the SecurityManager (on or around line 270). Sadly, I don't have resources to test this out for you, but it is possible that the Principal object being returned there can be cast to UserPrincipal, which would have the properties you'd need to decide if the account was enabled or what not... but I'm not sure if it will cast or not.

If the object can't be cast, then the only other solution I could think of would be to loop through each member in the group and call GetAdUserProperty to get the info you need about each specific account. That will work, but probably be so slow that you start getting timeout errors.

You could also look into using full membership and role providers for AD. The built-in providers didn't quite fit the requirements I had in mind for TicketDesk, which is why I used a simplistic direct query mechanism instead, but there are some 3rd party AD providers that you could try out. I had good luck with this one over at CodeProject in another application: AD Roles Provider
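As an added illustration of the cast-to-UserPrincipal approach discussed in the reply (example code written here, not TicketDesk's own SecurityManager code): group members that are user accounts come back from System.DirectoryServices.AccountManagement as UserPrincipal objects, whose nullable Enabled property reflects the ACCOUNTDISABLE bit of userAccountControl. The domain and group name are caller-supplied placeholders, and the fallback to the raw userAccountControl attribute covers the case where Enabled is not reported.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

public static class AdGroupFilter
{
    // ACCOUNTDISABLE bit of the userAccountControl attribute (0x2).
    private const int AccountDisableFlag = 0x2;

    // Returns the enabled user members of an AD group. The domain and group
    // name are caller-supplied placeholders, not values from TicketDesk.
    public static List<UserPrincipal> GetEnabledUsers(string domain, string groupName)
    {
        var enabledUsers = new List<UserPrincipal>();
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var group = GroupPrincipal.FindByIdentity(ctx, groupName))
        {
            if (group == null)
                throw new ArgumentException("Group not found: " + groupName);

            // recursive = true follows nested groups.
            foreach (Principal member in group.GetMembers(true))
            {
                if (IsEnabledUser(member))
                    enabledUsers.Add((UserPrincipal)member);
                else
                    member.Dispose(); // computers, contacts, nested groups, disabled users
            }
        }
        return enabledUsers;
    }

    // True only for members that are user accounts and not disabled.
    private static bool IsEnabledUser(Principal member)
    {
        var user = member as UserPrincipal;
        if (user == null)
            return false;

        // Enabled is bool?; null means the flag was not reported by the store.
        if (user.Enabled.HasValue)
            return user.Enabled.Value;

        // Fallback: read the raw userAccountControl bits from the directory entry.
        var entry = user.GetUnderlyingObject() as DirectoryEntry;
        object uac = entry == null ? null : entry.Properties["userAccountControl"].Value;
        return uac != null && ((int)uac & AccountDisableFlag) == 0;
    }
}
```

Because every member is materialised, the result should be cached the same way GetCachedAdUsersForGroup caches its listing; re-running this per request on a large group brings back the timeout risk the reply mentions.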