C#读取AD域里用户名或组/ADHelp.cs

﻿using System;
using System.Collections.Generic;
using System.Text;
using System.DirectoryServices;
using System.Security.Principal;
using System.Runtime.InteropServices;
//Download by http://www.codefans.net
namespace UserDLL
{
    sealed class ADHelper
    {
        #region 私有变量
        /// <summary>
        /// homeMTA
        /// </summary>
        private static string homeMTA = ""; //请填写自己的环境变量
        /// <summary>
        /// homeMDB
        /// </summary>
        private static string homeMDB = ""; //请填写自己的环境变量
        /// <summary>
        /// msExchHomeServerName
        /// </summary>
        private static string msExchHomeServerName = ""; //请填写自己的环境变量

        ///<summary>
        /// 域名
        ///</summary>
        //private static string DomainName = "td-tech.net";  //实际
        private static string DomainName = "contoso.com";    //测试用
        /// <summary>
        /// LDAP 地址
        /// </summary>
        private static string LDAPDomain = "DC=net,DC=TD-TECH";
        /// <summary>
        /// LDAP绑定路径
        /// </summary>
           private static string ADPath = "LDAP://Contoso.com";     //测试用
          
        private static string sPrincpleNameTail = "@cinf.com";
        /// <summary>
        /// 登录帐号
        /// </summary>
        private static string ADUser = @"contoso\oa";
        /// <summary>
        /// 登录密码
        /// </summary>
        //private static string ADPassword = "3edc5tgB"; //实际
        private static string ADPassword = "1qaz2wsX";   //测试用
          

        #endregion

        #region 枚举常量
        /// <summary>
        /// 用户登录验证结果
        /// </summary>
        public enum LoginResult
        {
            /// 
            /// 正常登录
            /// 
            LOGIN_USER_OK = 0,
            /// 
            /// 用户不存在
            /// 
            LOGIN_USER_DOESNT_EXIST,
            /// 
            /// 用户帐号被禁用
            /// 
            LOGIN_USER_ACCOUNT_INACTIVE,
            /// 
            /// 用户密码不正确
            /// 
            LOGIN_USER_PASSWORD_INCORRECT
        }
        /// <summary>
        /// 用户属性定义标志
        /// </summary>
        public enum ADS_USER_FLAG_ENUM
        {
            /// 
            /// 登录脚本标志。如果通过 ADSI LDAP 进行读或写操作时，
            /// 该标志失效。如果通过 ADSI WINNT，该标志为只读。
            /// 
            ADS_UF_SCRIPT = 0X0001,
            /// 
            /// 用户帐号禁用标志
            /// 
            ADS_UF_ACCOUNTDISABLE = 0X0002,
            /// 
            /// 主文件夹标志
            /// 
            ADS_UF_HOMEDIR_REQUIRED = 0X0008,
            /// 
            /// 过期标志
            /// 
            ADS_UF_LOCKOUT = 0X0010,
            /// 
            /// 用户密码不是必须的
            /// 
            ADS_UF_PASSWD_NOTREQD = 0X0020,
            /// 
            /// 密码不能更改标志
            /// 
            ADS_UF_PASSWD_CANT_CHANGE = 0X0040,
            /// 
            /// 使用可逆的加密保存密码
            /// 
            ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0X0080,
            /// 
            /// 本地帐号标志
            /// 
            ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0X0100,
            /// 
            /// 普通用户的默认帐号类型
            /// 
            ADS_UF_NORMAL_ACCOUNT = 0X0200,
            /// 
            /// 跨域的信任帐号标志
            /// 
            ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0X0800,
            /// 
            /// 工作站信任帐号标志
            /// 
            ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000,
            /// 
            /// 服务器信任帐号标志
            /// 
            ADS_UF_SERVER_TRUST_ACCOUNT = 0X2000,
            /// 
            /// 密码永不过期标志
            /// 
            ADS_UF_DONT_EXPIRE_PASSWD = 0X10000,
            /// 
            /// MNS 帐号标志
            /// 
            ADS_UF_MNS_LOGON_ACCOUNT = 0X20000,
            /// 
            /// 交互式登录必须使用智能卡
            /// 
            ADS_UF_SMARTCARD_REQUIRED = 0X40000,
            /// 
            /// 当设置该标志时，服务帐号（用户或计算机帐号）将通过 Kerberos 委托信任
            /// 
            ADS_UF_TRUSTED_FOR_DELEGATION = 0X80000,
            /// 
            /// 当设置该标志时，即使服务帐号是通过 Kerberos 委托信任的，敏感帐号不能被委托
            /// 
            ADS_UF_NOT_DELEGATED = 0X100000,
            /// 
            /// 此帐号需要 DES 加密类型
            /// 
            ADS_UF_USE_DES_KEY_ONLY = 0X200000,
            /// 
            /// 不要进行 Kerberos 预身份验证
            /// 
            ADS_UF_DONT_REQUIRE_PREAUTH = 0X4000000,
            /// 
            /// 用户密码过期标志
            /// 
            ADS_UF_PASSWORD_EXPIRED = 0X800000,
            /// 
            /// 用户帐号可委托标志
            /// 
            ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0X1000000

        }
        #endregion

        #region 构造函数
        public ADHelper()
        {
            //
            // System.Environment.UserName 

        }

        /// <summary>
        /// 多联的AD构造函数
        /// </summary>
        /// <param name="sADPath"></param>
        /// <param name="sDomainName"></param>
        /// <param name="sADUser"></param>
        /// <param name="sADUserPWD"></param>
        public ADHelper(string sADPath, string sDomainName, string sADUser, string sADUserPWD)
        {
            ADPath = sADPath;
            DomainName = sDomainName;
            ADUser = sADUser;
            ADPassword = sADUserPWD;
        }
        #endregion

        #region GetDirectoryObject

        /// <summary>
        /// 获得DirectoryEntry对象实例,以管理员登陆AD
        /// </summary>
        /// <returns></returns>
        private static DirectoryEntry GetDirectoryObject()
        {
            DirectoryEntry entry = new DirectoryEntry(ADPath, ADUser, ADPassword, AuthenticationTypes.Secure);
            return entry;
        }

        /// <summary>
        /// 根据指定用户名和密码获得相应DirectoryEntry实体
        /// </summary>
        /// <param name="userName"></param>
        /// <param name="password"></param>
        /// <returns></returns>
        private static DirectoryEntry GetDirectoryObject(string userName, string password)
        {
            DirectoryEntry entry = new DirectoryEntry(ADPath,
                userName, password, AuthenticationTypes.None);
            return entry;
        }

        /// <summary>
        /// i.e. /CN=Users,DC=creditsights, DC=cyberelves, DC=Com
        /// </summary>
        /// <param name="domainReference"></param>
        /// <returns></returns>
        private static DirectoryEntry GetDirectoryObject(string domainReference)
        {
            DirectoryEntry entry = new DirectoryEntry(ADPath + domainReference, ADUser, ADPassword,
                AuthenticationTypes.Secure);
            return entry;
        }

        /// <summary>
        ///  获得以UserName,Password创建的DirectoryEntry
        /// </summary>
        /// <param name="domainReference"></param>
        /// <param name="userName"></param>
        /// <param name="password"></param>
        /// <returns></returns>
        private static DirectoryEntry GetDirectoryObject(string domainReference,
            string userName, string password)
        {
            DirectoryEntry entry = new DirectoryEntry(ADPath + domainReference,
                userName, password, AuthenticationTypes.Secure);
            return entry;
        }

        #endregion

        #region GetDirectoryEntry


        /// <summary>
        /// 根据用户公共名称取得用户的 对象
        /// </summary>
        /// <param name="commonName">用户公共名称</param>
        /// <returns>如果找到该用户，则返回用户的 对象；否则返回 null</returns>
        public static DirectoryEntry GetDirectoryEntry(string commonName)
        {
            DirectoryEntry de = GetDirectoryObject();
            DirectorySearcher deSearch = new DirectorySearcher(de);
            deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(cn=" + commonName + "))";
            deSearch.SearchScope = SearchScope.Subtree;
            try
            {
                SearchResult result = deSearch.FindOne();
                de = new DirectoryEntry(result.Path);
                //de.Username = ADUser;
                return de;
            }
            catch
            {
                return null;
            }
        }


        /// <summary>
        /// 根据用户公共名称和密码取得用户的 对象。
        /// </summary>
        /// <param name="commonName">用户公共名称</param>
        /// <param name="password">用户密码</param>
        /// <returns>如果找到该用户，则返回用户的 对象；否则返回 null</returns>
        public static DirectoryEntry GetDirectoryEntry(string commonName, string password)
        {
            DirectoryEntry de = GetDirectoryObject(commonName, password);
            DirectorySearcher deSearch = new DirectorySearcher(de);
            deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(cn=" + commonName + "))";
            deSearch.SearchScope = SearchScope.Subtree;
            try
            {
                SearchResult result = deSearch.FindOne();
                de = new DirectoryEntry(result.Path);
                return de;
            }
            catch
            {
                return null;
            }
        }


        /// <summary>
        /// 根据用户帐号称取得用户的 对象
        /// </summary>
        /// <param name="sAMAccountName">用户帐号名</param>
        /// <returns>如果找到该用户，则返回用户的 对象；否则返回 null</returns>
        public static DirectoryEntry GetDirectoryEntryByAccount(string sAMAccountName)
        {
            DirectoryEntry de = GetDirectoryObject(ADUser, ADPassword);
            DirectorySearcher deSearch = new DirectorySearcher(de);
            deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + sAMAccountName + "))";
            deSearch.SearchScope = SearchScope.Subtree;
            try
            {
                SearchResult result = deSearch.FindOne();
                de = new DirectoryEntry(result.Path, ADUser, ADPassword);
                return de;
            }
            catch(Exception ex)
            {
                return null;
            }
        }

        /// <summary>
        /// 根据用户帐号和密码取得用户的 对象
        /// </summary>
        /// <param name="sAMAccountName">用户帐号名</param>
        /// <param name="password">用户密码</param>
        /// <returns>如果找到该用户，则返回用户的 对象；否则返回 null</returns>
        public static DirectoryEntry GetDirectoryEntryByAccount(string sAMAccountName, string password)
        {
            DirectoryEntry de = GetDirectoryEntryByAccount(sAMAccountName);
            if (de != null)
            {
                string commonName = de.Properties["cn"][0].ToString();
                if (GetDirectoryEntry(commonName, password) != null)
                    return GetDirectoryEntry(commonName, password);
                else
                    return null;
            }
            else
            {
                return null;
            }
        }

        /// <summary>
        /// 根据组名取得用户组的 对象
        /// </summary>
        /// <param name="groupName">组名</param>
        /// <returns></returns>
        public static DirectoryEntry GetDirectoryEntryOfGroup(string groupName)
        {
            DirectoryEntry de = GetDirectoryObject();
            DirectorySearcher deSearch = new DirectorySearcher(de);
            deSearch.Filter = "(&(objectClass=group)(cn=" + groupName + "))";
            deSearch.SearchScope = SearchScope.Subtree;
            try
            {
                SearchResult result = deSearch.FindOne();
                de = new DirectoryEntry(result.Path);
                return de;
            }
            catch
            {
                return null;
            }
        }

        #endregion

        #region GetProperty


        /// <summary>
        /// 获得指定 指定属性名对应的值 
        /// </summary>
        /// <param name="de">DirectoryEntry对象，如为用户则为用户的对象，部门则为部门的对象</param>
        /// <param name="propertyName">属性名称</param>
        /// <returns>属性值</returns>
        public static string GetProperty(DirectoryEntry de, string propertyName)
        {
            if (de.Properties.Contains(propertyName))
            {
                return de.Properties[propertyName][0].ToString();
            }
            else
            {
                return string.Empty;
            }
        }

        /// 
        /// 获得指定搜索结果 中指定属性名对应的值
        /// 
        /// 
        /// 属性名称
        /// 属性值
        public static string GetProperty(SearchResult searchResult, string propertyName)
        {
            if (searchResult.Properties.Contains(propertyName))
            {
                return searchResult.Properties[propertyName][0].ToString();
            }
            else
            {
                return string.Empty;
            }
        }

        /// <summary>
        /// 查询制定用户是否是锁定状态
        /// </summary>
        /// <param name="de"></param>
        /// <returns></returns>
        public static bool IsAccountLockOut(DirectoryEntry de )
        {
            return Convert.ToBoolean(de.InvokeGet("IsAccountlocked"));
        }


        #endregion

        #region SetProperty
        /// <summary>
        /// 设置指定 的属性值
        /// </summary>
        /// <param name="de"></param>
        /// <param name="propertyName">属性名称</param>
        /// <param name="propertyValue">属性值</param>
        public static void SetProperty(DirectoryEntry de, string propertyName, string propertyValue)
        {
            if (propertyValue != string.Empty || propertyValue != "" || propertyValue != null)
            {
                if (de.Properties.Contains(propertyName))
                {
                    de.Properties[propertyName][0] = propertyValue;
                }
                else
                {
                    de.Properties[propertyName].Add(propertyValue);
                }
            }
        }

        #endregion

        #region 用户操作

        /// <summary>
        /// 创建带邮箱的用户
        /// </summary>
        /// <param name="CommonName">通用名（displayName,系统中显示的中文名字）</param>
        /// <param name="Account">帐户名（如ycan）</param>
        /// <param name="organizeName">组织单元名（有色院/科技处/信息中心）</param>
        /// <param name="password">密码</param>
        /// <param name="CreateMail">是否创建邮箱</param>
        /// <returns>新建用户的Path 错误则为“”</returns>
        public static string CreateADAccount(
            string CommonName,//CName
            string Account,//EName
            string organizeName,//
            string password,
            bool CreateMail
            )
        {
            //如果Acc存在则返回错误
            if (IsAccExists(Account))
                return "";
            DirectoryEntry entry = null;
            DirectoryEntry user = null;
            string samAccountName = Account;
            try
            {
                entry = new DirectoryEntry(GetOrganizeNamePath(organizeName), ADUser,
                ADPassword, AuthenticationTypes.Secure);

                user = entry.Children.Add("CN=" + CommonName, "user");
                user.Properties["userPrincipalName"].Value = samAccountName + sPrincpleNameTail;
                user.Properties["sAMAccountName"].Add(samAccountName);
                user.Properties["displayName"].Add(CommonName);

                user.CommitChanges();
                user.Invoke("SetPassword", new object[] { password });
                //This enables the new user.

                user.Properties["userAccountControl"].Value = //0x200; //ADS_UF_NORMAL_ACCOUNT
                     ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_NORMAL_ACCOUNT | ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_DONT_EXPIRE_PASSWD;
                user.CommitChanges();
                if (CreateMail)
                {
                    user.Invoke("CreateMailbox", new object[] { homeMDB });
                    user.CommitChanges();
                }
            }
            catch (Exception e)
            {
                try
                {
                    user.DeleteTree();
                }
                catch
                {
                    //return string.Empty;
                }
                throw e;
            }
            return user.Path;
        }


        ///// <summary>
        ///// 启用指定的域账号
        ///// </summary>
        ///// <param name="sAMacc">用户的域账号名称</param>
        //public static void EnableUser(string sAMacc)
        //{
        //    EnableUser( GetDirectoryEntryByAccount(sAMacc));
        //}


        /// <summary>
        /// 启用指定的域账号
        /// </summary>
        /// <param name="sAMacc">用户的域账号名称</param>
        public static bool EnableUser(string sAMacc)
        {
            try
            {
                EnableUser(GetDirectoryEntryByAccount(sAMacc));
                return true;
            }
            catch (Exception ex)
            {
                return false;
            }
        }


        /// <summary>
        /// 启用指定帐户
        /// </summary>
        /// <param name="de"></param>
        public static void EnableUser(DirectoryEntry de)
        {
          
            de.Properties["userAccountControl"][0] =
                ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_NORMAL_ACCOUNT | ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_DONT_EXPIRE_PASSWD;
            de.CommitChanges();
            de.Close();
        }

        /// <summary>
        /// 禁用指定公共名称的用户
        /// </summary>
        /// <param name="commonName">用户公共名称</param>
        public static void DisableUser(string sAMacc)
        {
            DisableUser(GetDirectoryEntryByAccount(sAMacc));
        }

        /// <summary>
        /// 禁用指定的帐户
        /// </summary>
        /// <param name="de"></param>
        public static void DisableUser(DirectoryEntry de)
        {
            //impersonate.BeginImpersonate();
            de.Properties["userAccountControl"][0] =
                ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_NORMAL_ACCOUNT | ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_DONT_EXPIRE_PASSWD | ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_ACCOUNTDISABLE;
            de.CommitChanges();
            //impersonate.StopImpersonate();
            de.Close();
        }


        /// <summary> 
        /// 修改用户密码
        /// </summary>
        /// <param name="commonName">用户公共名称</param>
        /// <param name="oldPassword">旧密码</param>
        /// <param name="newPassword">新密码</param>
        public static void ChangeUserPassword(string commonName, string oldPassword, string newPassword)
        {
            // to-do: 需要解决密码策略问题
            DirectoryEntry oUser = GetDirectoryEntry(commonName);
            oUser.Invoke("ChangePassword", new Object[] { oldPassword, newPassword });
            oUser.Close();
        }

        /// <summary> 
        /// 修改Acc密码
        /// </summary>
        /// <param name="sAMacc">帐户名称</param>
        /// <param name="oldPassword">旧密码</param>
        /// <param name="newPassword">新密码</param>
        /// <returns>是否成功</returns>
        public static bool ChangeAccPassword(string sAMacc, string oldPassword, string newPassword)
        {
            try
            {
                if (IsAccExists(sAMacc))
                {
                    // to-do: 需要解决密码策略问题
                    DirectoryEntry oUser = GetDirectoryEntryByAccount(sAMacc);
                    //oUser.Invoke("ChangePassword", new Object[] { oldPassword, newPassword });
                    oUser.Invoke("SetPassword", new object[] { newPassword });
                    oUser.CommitChanges();
                    oUser.Close();
                    return true;
                }
                else
                    return false;
            }
            catch (Exception)
            {
                return false;
            }

        }


        /// <summary>
        /// 移动用户
        /// </summary>
        /// <param name="user_path">用户Path</param>
        /// <param name="target_path">目标path</param>
        /// <returns></returns>
        public static string MoveUser(string user_path, string target_path)
        {
            DirectoryEntry u = new DirectoryEntry(user_path, ADUser, ADPassword);
            DirectoryEntry t = new DirectoryEntry(target_path, ADUser, ADPassword);
            u.MoveTo(t);
            return u.Path;
        }


        /// <summary>
        /// 重名用户
        /// </summary>
        /// <param name="sAcc"></param>
        /// <param name="newDisplayName"></param>
        /// <returns></returns>
        public static bool RenameUser(string sAcc, string newDisplayName)
        {
            try
            {
                if (IsAccExists(sAcc))
                {
                    DirectoryEntry userEntry = GetDirectoryEntryByAccount(sAcc);
                    //userEntry.Properties["cn"][0] = newDisplayName;
                    userEntry.Properties["displayName"][0] = newDisplayName;

                    userEntry.Rename("CN=" + newDisplayName);
                    userEntry.CommitChanges();
                    userEntry.Dispose();
                    return true;
                }
                else
                    return false;
            }
            catch (Exception)
            {

                return false;
            }
        }

        /// <summary>
        /// 重命名Account
        /// </summary>
        /// <param name="oldAcc">原Acc</param>
        /// <param name="newAcc">新Acc</param>
        /// <returns>成功True，如果已经存在新、老Acc则返回false，错误也返回false</returns>
        public static bool RenameAcc(string oldAcc, string newAcc)
        {
            try
            {
                if (IsAccExists(oldAcc))
                {
                    //不允许同名ACC
                    if (IsAccExists(newAcc))
                        return false;
                    DirectoryEntry userEntry = GetDirectoryEntryByAccount(oldAcc);

                    userEntry.Properties["sAMAccountName"][0] = newAcc;
                    userEntry.CommitChanges();
                    userEntry.Dispose();
                    return true;
                }
                else
                    return false;
            }
            catch (Exception)
            {

                return false;
            }

        }

        public static bool SetUserPassword(string userName, string password)
        {
            try
            {
                if (SetUserPassword(null, null, userName, password))
                    return true;
                else
                    return false;
            }
            catch (Exception ex)
            {
                return false;
            
            }
        }

        public static bool SetUserPassword(string adminName, string adminPassword, string userName, string password)
        {
            adminName = ADUser;
            adminPassword = ADPassword;
            try
            {
                DirectoryEntry userEntry = FindObject(adminName, adminPassword, "user", userName);

                //userEntry.Properties["userAccountControl"].Value = 544;//0x200; 
                //userEntry.CommitChanges();


                userEntry.Properties["pwdLastSet"].Value =0; // To turn on, set this value to 0.
                userEntry.CommitChanges();

                userEntry.Invoke("SetPassword", new object[] { password });
                userEntry.CommitChanges();
                return true;
            }
            catch (Exception ex)
            {
                return false;
            }
           
        }


        /// <summary>
        /// 删除AD账户，使用当前上下文的安全信息，一般用于Windows程序
        /// </summary>
        /// <param name="userName">用户名称</param>
        /// <returns></returns>
        public static bool DeleteADAccount(string Account)
        {
            //DeleteADAccount(null, null, userName);
            if (IsAccExists(Account))
            {
                string AccPath = GetAccPath(Account);
                DetTree(AccPath);
                return true;
            }
            else
                return false;
        }


        /// <summary>
        /// 删除AD账户，使用指定的用户名和密码来模拟，一般用于ASP.NET程序
        /// </summary>
        /// <param name="adminUser">AD管理员用户名，如默认，可以为null</param>
        /// <param name="adminPassword">AD管理员密码，如默认，可以为null</param>
        /// <param name="userName">用户名称</param>
        public static bool DeleteADAccount(string adminUser, string adminPassword, string userName)
        {
            DirectoryEntry user = null;
            DirectoryEntry Container = null;
            try
            {
                adminUser = ADUser;
                adminPassword = ADPassword;
                user = FindObject(adminUser, adminPassword, "user", userName);
                Container = user.Parent;
                Container.Children.Remove(user);
                Container.CommitChanges();
                Container.Dispose();
                user.Dispose();
                return true;

            }
            catch (Exception)
            {
                Container.Dispose();
                user.Dispose();
                return false;
            }

        }


        /// <summary>
        /// 设置用户为解除锁定状态
        /// </summary>
        /// <param name="accountName"></param>
        /// <returns></returns>
        public static bool SetADAccountLocked( string accountName)
        {
            DirectoryEntry user = null;
            DirectoryEntry Container = null;
            try
            {

                user = FindObject(ADUser, ADPassword, "user", accountName);
                user.Properties["LockOutTime"].Value = 0; //unlock account
                user.CommitChanges();                     //may not be needed but adding it anyways
                user.InvokeSet("IsAccountLocked", false);
                user.CommitChanges();    
                user.Close();
                return true;
            }
            catch (DirectoryServicesCOMException　ex)
            {
                Container.Dispose();
                user.Dispose();
                return false;
            }

        }


        public static DirectoryEntry FindObject(string category, string name)
        {
            return FindObject(null, null, category, name);
        }

        public static DirectoryEntry FindObject(string adminName,
            string adminPassword, string category, string name)
        {
            adminName = ADUser;
            adminPassword = ADPassword;
            DirectoryEntry de = null;
            //if (adminName == null || adminPassword == null)
            //{
            de = new DirectoryEntry(ADPath, adminName, adminPassword, AuthenticationTypes.Secure);
            //}
            //else
            //{
            //    de = new DirectoryEntry();
            //}
            ///organizationalUnit
            DirectorySearcher ds = new DirectorySearcher(de);
            string queryFilter = string.Format("(&(objectCategory=" +
                category + ")(sAMAccountName={0}))", name);
            ds.Filter = queryFilter;
            ds.Sort.PropertyName = "cn";

            DirectoryEntry userEntry = null;
            try
            {
                SearchResult sr = ds.FindOne();
                userEntry = sr.GetDirectoryEntry();
            }
            finally
            {
                if (de != null)
                {
                    de.Dispose();
                }
                if (ds != null)
                {
                    ds.Dispose();
                }
            }
            return userEntry;
        }

        #endregion

        #region 组织单元操作


        /// <summary>
        /// 重命名OU
        /// </summary>>
        /// <param name="oldOUName">原名</param>
        /// <param name="newOUName">新名</param>
        /// <returns>是否成功</returns>
        public static bool RenameOU(string oldOUName, string newOUName)
        {

            try
            {
                if (CheckOU(oldOUName))
                {
                    DirectoryEntry userEntry = new DirectoryEntry(GetOrganizeNamePath(oldOUName), ADUser, ADPassword);
                    userEntry.Rename("OU=" + newOUName);
                    userEntry.CommitChanges();
                    userEntry.Dispose();
                    if (CheckOU(newOUName))
                        return true;
                    else
                        return false;
                }
                else
                    return false;
            }
            catch (Exception)
            {
                return false;
                //throw;
            }
        }


        /// <summary>
        /// 检查组织单位（OU）是否存在
        /// </summary>
        /// <param name="sOU">组织单位名称 </param>
        /// <returns>成功返回True,否则返回False</returns>
        public static bool CheckOU(string sOU)
        {
            DirectoryEntry objOU = null;
            try
            {
                objOU = new DirectoryEntry(GetOrganizeNamePath(sOU), ADUser, ADPassword);
                string OUName = objOU.Name;
                //if (OUName == sOU)
                objOU.Close();
                objOU = null;
                return true;
            }
            catch
            {
                objOU.Close();
                objOU = null;
                return false;
            }
        }

        /// <summary>
        /// 创建OU，需要指定连接到AD的授权信息
        /// </summary>
        /// <param name="adminName"></param>
        /// <param name="adminPassword"></param>
        /// <param name="name"></param>
        /// <param name="parentOrganizeUnit"></param>
        public static DirectoryEntry CreateOrganizeUnit(string adminName,
            string adminPassword, string name, string parentOrganizeUnit)
        {
            adminName = ADUser;
            adminPassword = ADPassword;
            DirectoryEntry parentEntry = null;
            if (adminName == null || adminPassword == null)
            {
                parentEntry = new DirectoryEntry(GetOrganizeNamePath(parentOrganizeUnit));
            }
            else
            {
                if (parentOrganizeUnit != "")
                {
                    parentEntry = new DirectoryEntry(GetOrganizeNamePath(parentOrganizeUnit),
                       adminName, adminPassword,
                       AuthenticationTypes.Secure);
                }
                else
                {
                    parentEntry = new DirectoryEntry(GetOrganizeNamePath(parentOrganizeUnit),
                         adminName, adminPassword,
                         AuthenticationTypes.Secure);
                }
            }
            DirectoryEntry organizeEntry = parentEntry.Children.Add("OU=" +
                name, "organizationalUnit");
            organizeEntry.CommitChanges();
            return organizeEntry;
        }

        /// <summary>
        /// 创建OU，不需要指定连接到AD的授权信息，用于Windows程序
        /// </summary>
        /// <param name="name">OU name</param>
        /// <param name="parentOrganizeUnit">父OU路径如a/b/c</param>
        public static DirectoryEntry CreateOrganizeUnit(string name, string parentOrganizeUnit)
        {
            return CreateOrganizeUnit(null, null, name, parentOrganizeUnit);
        }

        /// <summary>
        /// 将用户加入到用户组中
        /// </summary>
        /// <param name="userName">用户名</param>
        /// <param name="organizeName">组织名</param>
        /// <param name="groupName">组名</param>
        /// <exception cref="InvalidObjectException">用户名或用户组不存在</exception>
        public static void AddUserToGroup(string userName, string groupName)
        {
            AddUserToGroup(null, null, userName, groupName);
        }

        /// <summary>
        /// 将用户加入到用户组中
        /// </summary>
        /// <param name="adminName"></param>
        /// <param name="adminPassword"></param>
        /// <param name="userName">用户名</param>
        /// <param name="groupName">组名</param>
        /// <exception cref="InvalidObjectException">用户名或用户组不存在</exception>
        public static void AddUserToGroup(string adminName, string adminPassword, string userName, string groupName)
        {
            adminName = ADUser;
            adminPassword = ADPassword;
            DirectoryEntry rootUser = null;
            if (adminName == null || adminPassword == null)
            {
                rootUser = new DirectoryEntry(GetUserPath(), adminName, adminPassword, AuthenticationTypes.Secure);
            }
            else
            {
                rootUser = new DirectoryEntry(GetUserPath());
            }

            DirectoryEntry group = null;
            DirectoryEntry user = null;

            try
            {
                group = rootUser.Children.Find("CN=" + groupName);
            }
            catch (Exception)
            {
                throw new Exception("在域中不存在组“" + groupName + "”");
            }

            try
            {
                user = FindObject(adminName, adminPassword, "user", userName);
            }
            catch (Exception)
            {
                throw new Exception("在域中不存在用户“" + userName + "”");
            }

            //加入用户到用户组中
            group.Properties["member"].Add(user.Properties["distinguishedName"].Value);
            group.CommitChanges();
        }


        /// <summary>
        /// 彻底删除OU/也可以通过参数控制删除空OU,即安全删除
        /// </summary>
        /// <param name="OUName">OU名,如a/b/c,必须写绝对OU名</param>
        /// <param name="boolComplete">true为彻底删除,false为安全删除</param>
        /// <returns>成功与否</returns>
        public static bool DeleteOU(string OUName, bool boolComplete)
        {
            try
            {
                if (!boolComplete)
                    return false;
                if (CheckOU(OUName))
                {
                    string OUpath = GetOrganizeNamePath(OUName);
                    if (OUpath == "")
                        return false;
                    else
                    {
                        DetTree(OUpath);
                        return true;
                    }
                }
                else
                    return true;
            }
            catch (Exception)
            {
                throw;
                //return false;
            }
        }

        /// <summary>
        /// 删除OU（仅仅支持纯部门删除，OU中不能有其他用户、OU等信息的子节点）
        /// </summary>
        /// <param name="OUName">OU名,如a/b/c,必须写绝对OU名</param>
        /// <returns>"成功"  "不存在"  "非空"</returns>
        public static string DeleteOU(string OUName)
        {
            try
            {
                if (CheckOU(OUName))
                {
                    DirectoryEntry objOU = new DirectoryEntry(GetOrganizeNamePath(OUName));
                    DirectoryEntry parOU = objOU.Parent;
                    parOU.Children.Remove(objOU);
                    parOU.CommitChanges();
                    return "成功";
                }
                else
                    return "不存在";
            }
            catch (Exception)
            {
                return "非空";
            }
        }


        #endregion

        #region 登录相关

        /// <summary> 
        /// 判断用户与密码是否足够以满足身份验证进而登录
        /// </summary>
        /// <param name="commonName">用户公共名称</param>
        /// <param name="password">密码</param>
        /// <returns>如能可正常登录，则返回 true；否则返回 false</returns>
        public static LoginResult Login(string commonName, string password)
        {
            DirectoryEntry de = GetDirectoryEntry(commonName);

            if (de != null)
            {
                // 必须在判断用户密码正确前，对帐号激活属性进行判断；否则将出现异常。
                int userAccountControl =
                    Convert.ToInt32(de.Properties["userAccountControl"][0]);
                de.Close();
                if (!IsAccountActive(userAccountControl))

                    return LoginResult.LOGIN_USER_ACCOUNT_INACTIVE;
                if (GetDirectoryEntry(commonName, password) != null)
                    return LoginResult.LOGIN_USER_OK;
                else
                    return LoginResult.LOGIN_USER_PASSWORD_INCORRECT;
            }
            else
            {
                return LoginResult.LOGIN_USER_DOESNT_EXIST;
            }
        }


        /// <summary>
        /// 判断用户帐号与密码是否足够以满足身份验证进而登录
        /// </summary>
        /// <param name="sAMAccountName">用户帐号</param>
        /// <param name="password">密码</param>
        /// <returns>如能可正常登录，则返回 true；否则返回 false</returns>
        public static LoginResult LoginByAccount(string sAMAccountName, string password)
        {
            DirectoryEntry de = GetDirectoryEntryByAccount(sAMAccountName);
            if (de != null)
            {
                // 必须在判断用户密码正确前，对帐号激活属性进行判断；否则将出现异常。
                int userAccountControl =
                    Convert.ToInt32(de.Properties["userAccountControl"][0]);
                de.Close();
                if (!IsAccountActive(userAccountControl))
                    return LoginResult.LOGIN_USER_ACCOUNT_INACTIVE;
                if (GetDirectoryEntryByAccount(sAMAccountName, password) != null)
                    return LoginResult.LOGIN_USER_OK;
                else
                    return LoginResult.LOGIN_USER_PASSWORD_INCORRECT;
            }
            else
            {
                return LoginResult.LOGIN_USER_DOESNT_EXIST;
            }
        }

        /// <summary>
        /// 判断用户帐号是否激活
        /// </summary>
        /// <param name="userAccountControl">用户帐号属性控制器</param>
        /// <returns>如果用户帐号已经激活，返回 true；否则返回 false</returns>
        public static bool IsAccountActive(int userAccountControl)
        {
            int userAccountControl_Disabled =
                Convert.ToInt32(ADS_USER_FLAG_ENUM.ADS_UF_ACCOUNTDISABLE);
            int flagExists = userAccountControl & userAccountControl_Disabled;
            if (flagExists > 0)
                return false;
            else
                return true;
        }

        /// <summary>
        ///  判断用户是否存在
        /// </summary>
        /// <param name="commonName">公用名</param>
        /// <returns></returns>
        public static bool IsUserExists(string commonName)
        {
            DirectoryEntry de = GetDirectoryObject();
            DirectorySearcher deSearch = new DirectorySearcher(de);
            deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(cn=" + commonName + "))";       // LDAP 查询串
            SearchResultCollection results = deSearch.FindAll();
            if (results.Count == 0)
                return false;
            else
                return true;
        }
        /// <summary>
        ///  判断帐户是否存在
        /// </summary>
        /// <param name="commonName">Account用户名</param>
        /// <returns>是否存在</returns>
        public static bool IsAccExists(string sAMAccountName)
        {
            DirectoryEntry de = GetDirectoryObject();
            DirectorySearcher deSearch = new DirectorySearcher(de);
            deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" +
                sAMAccountName + "))";       // LDAP 查询串
            SearchResultCollection results = deSearch.FindAll();
            if (results.Count == 0)
                return false;
            else
                return true;
        }

        #endregion

        #region 与AD的DN解析有关工具函数

        /// <summary>
        /// 删除对象
        /// </summary>
        /// <param name="path">对象路径</param>
        public static void DetTree(string path)
        {
            try
            {
                DirectoryEntry ent = new DirectoryEntry(path, ADUser, ADPassword);
                ent.DeleteTree();

            }
            catch (Exception e)
            {
                throw e;
            }
        }


        /// <summary>
        /// 获取所有用户所在的安全组
        /// </summary>
        /// <returns></returns>
        private static string GetUserPath()
        {
            return GetUserPath(null);
        }

        /// <summary>
        /// 获取所有没有在AD组织中的用户DN名称
        /// </summary>
        /// <param name="userName"></param>
        /// <returns></returns>
        private static string GetUserPath(string userName)
        {
            StringBuilder sb = new StringBuilder();
            sb.Append(ADPath);
            if (userName != null && userName.Length > 0)
            {
                sb.Append("CN=").Append(userName).Append(",");
            }
            sb.Append("CN=Users,").Append(GetDomainDN());
            return sb.ToString();
        }

        /// <summary>
        /// 根据用户所在的组织结构来构造用户在AD中的DN路径
        /// </summary>
        /// <param name="userName">用户名称</param>
        /// <param name="organzieName">组织结构</param>
        /// <returns></returns>
        public static string GetUserPath(string userName, string organzieName)
        {
            StringBuilder sb = new StringBuilder();
            sb.Append(ADPath);
            sb.Append("CN=").Append(userName).Append(",").Append(SplitOrganizeNameToDN(organzieName));
            return sb.ToString();
        }
        /// <summary>
        /// 获得帐户Acc的Path
        /// </summary>
        /// <param name="sAcc">Acc</param>
        /// <returns>错误就是empty</returns>
        public static string GetAccPath(string sAcc)
        {
            DirectoryEntry de = GetDirectoryObject();
            DirectorySearcher deSearch = new DirectorySearcher(de);
            deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + sAcc + "))";
            deSearch.SearchScope = SearchScope.Subtree;
            try
            {
                SearchResult result = deSearch.FindOne();
                string Apath = result.Path;
                result = null;
                deSearch.Dispose();
                de.Dispose();
                return Apath;
            }
            catch (Exception)
            {
                deSearch.Dispose();
                de.Dispose();
                return string.Empty;
            }
        }

        /// <summary>
        /// 获取域的后缀DN名,如域为cinf.com,则返回"DC=cinf,DC=Com"
        /// </summary>
        /// <returns></returns>
        public static string GetDomainDN()
        {
            return LDAPDomain;
        }
        /// <summary>
        /// 获得OU的Path
        /// </summary>
        /// <param name="organizeUnit">OU名</param>
        /// <returns></returns>
        public static string GetOrganizeNamePath(string organizeUnit)
        {
            StringBuilder sb = new StringBuilder();
            sb.Append(ADPath);//LDAP_IDENTITY
            sb.Append("/");
            return sb.Append(SplitOrganizeNameToDN(organizeUnit)).ToString();
        }

        /// <summary>
        /// 分离组织名称为标准AD的DN名称,各个组织级别以"/"或"\"分开。如"总部/物业公司/小区"，并且当前域为
        /// ExchangeTest.Com，则返回的AD的DN表示名为"OU=小区,OU=物业公司,OU=总 
        /// 部,DC=ExchangeTest,DC=Com"。 
        /// </summary>
        /// <param name="organizeName">组织名称</param>
        /// <returns>返回一个级别</returns>
        public static string SplitOrganizeNameToDN(string organizeName)
        {
            StringBuilder sb = new StringBuilder();

            if (organizeName != null && organizeName.Length > 0)
            {
                string[] allOu = organizeName.Split(new char[] { '/', '\\' });
                for (int i = allOu.Length - 1; i >= 0; i--)
                {
                    string ou = allOu[i];
                    if (sb.Length > 0)
                    {
                        sb.Append(",");
                    }
                    sb.Append("OU=").Append(ou);
                }
            }
            //如果传入了组织名称，则添加,
            if (sb.Length > 0)
            {
                sb.Append(",");
            }
            sb.Append(GetDomainDN());
            return sb.ToString();
        }
        #endregion

        
    }
}