Create a DirectoryEntry to the user's path. You can authenticate as anyone who has access to that path, like a service account, or the user's own credentials, depending on your needs. The username format and flags specified in the code below ensure Kerberos authentication will be used, but again, that is up to your specific needs.

Then, the key is to simply tell the DirectoryEntry.Properties beforehand that you want the msDS-ResultantPSO property by using the .RefreshCache() method.
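
// Requires: using System.DirectoryServices;
private void FgppTest()
{
    var path = "LDAP://a-dc.dev.contoso.local/CN=Fine Grained Password Policy User,CN=Users,DC=dev,DC=contoso,DC=local";
    var username = "fgppUser@dev.contoso.local";
    var password = "the password";
    // Secure + Signing + Sealing: negotiated, integrity-protected and encrypted bind.
    var flags = AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;
    using (var de = new DirectoryEntry(path, username, password, flags))
    {
        // Explicitly load msDS-ResultantPSO into the property cache.
        de.RefreshCache(new string[] { "msDS-ResultantPSO" });
        var values = de.Properties["msDS-ResultantPSO"];
        if (values.Count == 0)
        {
            // No value returned: no PSO applies to this user, or the attribute is not readable.
            System.Diagnostics.Debug.WriteLine("No msDS-ResultantPSO value returned.");
            return;
        }
        var fgpp = values[0].ToString();
        System.Diagnostics.Debug.WriteLine(fgpp);
    }
}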
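
Going one step beyond the snippet above, this added example (not part of the original answer) follows the DN returned in msDS-ResultantPSO and reads the settings of that password settings object, which is what a policy audit usually needs. The class and method names are hypothetical, and it assumes the bind account has been granted read access to the PSO objects and that the DNs contain no characters needing ADsPath escaping.

```csharp
using System;
using System.DirectoryServices;

static class ResultantPsoAudit   // hypothetical helper, not from the original answer
{
    // Returns a one-line summary of the PSO that applies to the user, or null when
    // msDS-ResultantPSO has no value (no fine-grained policy applies, or it is unreadable).
    public static string Describe(string server, string userDn, string username, string password)
    {
        // Same flags as the answer: negotiated, signed and sealed bind to a specific server.
        var flags = AuthenticationTypes.Secure | AuthenticationTypes.Signing |
                    AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;

        string psoDn;
        using (var user = new DirectoryEntry("LDAP://" + server + "/" + userDn, username, password, flags))
        {
            // Ask for the attribute explicitly so it is loaded into the property cache.
            user.RefreshCache(new[] { "msDS-ResultantPSO" });
            var values = user.Properties["msDS-ResultantPSO"];
            if (values.Count == 0)
                return null;
            psoDn = values[0].ToString();
        }

        // Bind to the PSO itself and load only the attributes the summary needs.
        using (var pso = new DirectoryEntry("LDAP://" + server + "/" + psoDn, username, password, flags))
        {
            pso.RefreshCache(new[]
            {
                "name",
                "msDS-PasswordSettingsPrecedence",
                "msDS-MinimumPasswordLength",
                "msDS-PasswordHistoryLength",
                "msDS-PasswordComplexityEnabled",
                "msDS-PasswordReversibleEncryptionEnabled",
                "msDS-LockoutThreshold"
            });

            // .Value is null for an attribute the caller cannot read; it formats as empty.
            return string.Format(
                "PSO={0} precedence={1} minLength={2} history={3} complexity={4} reversible={5} lockoutThreshold={6}",
                pso.Properties["name"].Value,
                pso.Properties["msDS-PasswordSettingsPrecedence"].Value,
                pso.Properties["msDS-MinimumPasswordLength"].Value,
                pso.Properties["msDS-PasswordHistoryLength"].Value,
                pso.Properties["msDS-PasswordComplexityEnabled"].Value,
                pso.Properties["msDS-PasswordReversibleEncryptionEnabled"].Value,
                pso.Properties["msDS-LockoutThreshold"].Value);
        }
    }
}
```

A null return means no value came back for msDS-ResultantPSO; a summary with empty fields means the bind account could read the user object but not the PSO's attributes.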