If you want to disable an account in an Active Directory of Windows,
you may try this (it works for me in a Win2k environment):
(foo.bar should be replaced in "$ldapBase" to the correct
domain, e.g. "DC=phpfreackx,DC=com" if your domain is phpfreackx.com)
domctrl = domain controller
domadlogin = domain admin login
domadpw = domain admin password
username = loginname of useraccount (e.g. "john.doe")
enable =1 (if you want to enable it, 0 if it should be disabled)
<?php
function userchange($username,$enable=1,$domadlogin,$domadpw,$domctrl)
{
$ldapServer = $domctrl;
$ldapBase = 'DC=foo,DC=bar';
$ds = ldap_connect($ldapServer);
if (!$ds) {die('Cannot Connect to LDAP server');}
$ldapBind = ldap_bind($ds,$domadlogin,$domadpw);
if (!$ldapBind) {die('Cannot Bind to LDAP server');}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$sr = ldap_search($ds, $ldapBase, "(samaccountname=$username)");
$ent= ldap_get_entries($ds,$sr);
$dn=$ent[0]["dn"];
$ac = $ent[0]["useraccountcontrol"][0];
$disable=($ac | 2); $enable =($ac & ~2); $userdata=array();
if ($enable==1) $new=$enable; else $new=$disable; $userdata["useraccountcontrol"][0]=$new;
ldap_modify($ds, $dn, $userdata); $sr = ldap_search($ds, $ldapBase, "(samaccountname=$username)");
$ent= ldap_get_entries($ds,$sr);
$ac = $ent[0]["useraccountcontrol"][0];
if (($ac & 2)==2) $status=0; else $status=1;
ldap_close($ds);
return $status; }
?>
