Working with Locked Accounts#A Microsoft Active Directory account may be automatically locked if the domain's account lockout policy is configured to lock accounts after a number of unsuccessful logon attempts (Intruder Detection).
When working with user accounts in Active Directory over LDAP, it is common to need to refer to the domain-wide Account Policies, because the lockout threshold and lockout duration are held on the domain object rather than on the user object.
If an account has been locked out, the lockoutTime attribute contains the time at which the lock was set, stored as a Windows large-integer timestamp (the number of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC, the same layout as a FILETIME).
An easy way to search for locked-out accounts is an LDAP query similar to
(&(objectClass=user)(lockoutTime>=1))
i.e. search for any accounts that have a non-zero value for lockoutTime. Note that the ordering match is written >= (the form lockoutTime=>0 is not valid LDAP filter syntax), and that >=0 would also match accounts whose lockoutTime has been reset to 0.
Warning#However, searching for any accounts that have a value for lockoutTime is not an accurate method, because an account is only actually locked out while CurrentTime - lockoutTime is less than the Lockout Duration. Once that difference exceeds the Lockout Duration the lock has expired, even though the attribute still holds its old value.
AD only sets lockoutTime back to zero on a successful logon (or when an administrator explicitly unlocks the account), so it is possible for an account to still contain a non-zero lockoutTime and yet not be locked.
How AD Lock out Works#Whether or not an account is locked out in Active Directory is determined by a few attribute values. The Bad-Pwd-Count attribute (LDAP display name badPwdCount) is a non-replicated value that records the number of times a user attempted to log on to the account using an incorrect password. Because it is not replicated, it is maintained separately on each domain controller in the domain, and it is reset to 0 on a successful logon or once the domain's lockout observation window has elapsed since the last failed attempt (badPasswordTime). Microsoft's schema documentation says that a value of 0 indicates the value is unknown; in practice 0 is simply what a DC reports for an account it has not seen fail recently.
To get an accurate view of the user's bad password attempts in the domain, query every domain controller in the domain rather than relying on whichever one answered your LDAP search. Microsoft's schema documentation suggests summing the per-DC values; bear in mind, however, that domain controllers forward failed password attempts to the PDC emulator before rejecting them, so the PDC emulator's badPwdCount normally already reflects the domain-wide total and a plain sum can count those forwarded attempts twice.
Lockouttime Attribute.#The lockoutTime attribute value is only reset when the account is logged onto successfully (or when an administrator unlocks it). This means that the value may be non-zero, yet the account is not locked out. To accurately determine if the account is locked out, you must:
- Determine whether an Active Directory account lockout policy is configured: lockoutThreshold on the domain object must be greater than 0. Read lockoutDuration from the same object; it is stored as a negative large integer of 100-nanosecond intervals (for example -18000000000 for 30 minutes), and the value -9223372036854775808 (0x8000000000000000) means the account stays locked until an administrator unlocks it.
- Add the Lockout-Duration to the lockoutTime.
- Compare the result to the current time. lockoutTime is stored in UTC, so convert the current time to UTC before comparing instead of reasoning about local time zones and daylight saving time.
Alternatively, read the constructed attribute msDS-User-Account-Control-Computed on the user object: the domain controller performs this calculation itself and sets the LOCKOUT bit (0x0010) only while the account is actually locked. Constructed attributes cannot be used in an LDAP search filter, but this is the most reliable per-object check.
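The warning above and the three-step procedure describe the same calculation, so here is one worked example of it in Python. This is an added example, not code from the original page: it applies the policy check, the lockoutTime plus lockoutDuration arithmetic, the UTC comparison and the "locked until administrator unlocks" sentinel to constructed sample attribute values shaped like what an LDAP search of the domain object and of user objects would return (the policy values, user names and timestamps are all made up for the demonstration; the filter string is the one from this page).

```python
# Added example (not from the original page): decide whether an AD account is
# actually locked out from raw LDAP attribute values, instead of trusting a
# non-zero lockoutTime.  The domain policy and user entries below are
# constructed sample data, not real directory output.
from datetime import datetime, timedelta, timezone

# lockoutTime is a Windows large-integer timestamp: 100-ns intervals since
# 1601-01-01 00:00:00 UTC.  lockoutDuration on the domain object is a negative
# interval in the same unit; Int64.MinValue means "until an administrator unlocks".
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = -(2 ** 63)
UF_LOCKOUT = 0x0010  # LOCKOUT bit of msDS-User-Account-Control-Computed

# Candidate filter from the page: every user whose lockoutTime is non-zero.
# It over-selects, which is exactly why the time arithmetic below is needed.
CANDIDATE_FILTER = "(&(objectClass=user)(lockoutTime>=1))"


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert 100-ns intervals since 1601 to a timezone-aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision)."""
    delta = when.astimezone(timezone.utc) - EPOCH_1601
    return (delta // timedelta(microseconds=1)) * 10


def is_locked_out(lockout_time: int, lockout_threshold: int,
                  lockout_duration: int, now: datetime) -> bool:
    """The three checks from the text: policy configured, duration added to
    lockoutTime, result compared against the current time (always in UTC)."""
    if lockout_threshold == 0:          # no lockout policy: nothing can be locked
        return False
    if lockout_time == 0:               # reset by successful logon / admin unlock
        return False
    if lockout_duration == NEVER_EXPIRES:
        return True                     # stays locked until explicitly unlocked
    # lockoutDuration is negative; negate it to get a positive interval.
    expires_at = filetime_to_datetime(lockout_time) + timedelta(
        microseconds=(-lockout_duration) // 10)
    return now.astimezone(timezone.utc) < expires_at


def locked_accounts(entries, policy, now):
    """Names of the entries that are locked right now under the given policy."""
    return [e["sAMAccountName"] for e in entries
            if is_locked_out(e["lockoutTime"], policy["lockoutThreshold"],
                             policy["lockoutDuration"], now)]


def locked_per_dc(uac_computed: int) -> bool:
    """Cross-check with the DC's own answer: the value of
    msDS-User-Account-Control-Computed read from the user object."""
    return bool(uac_computed & UF_LOCKOUT)


# Constructed sample data: a 30-minute lockout policy with threshold 5, and two
# users, one of whom was locked at 10:00 UTC on 2024-01-15.
LOCKED_AT = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
SAMPLE_POLICY = {"lockoutThreshold": 5, "lockoutDuration": -18_000_000_000}
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "lockoutTime": 0},
    {"sAMAccountName": "bob", "lockoutTime": datetime_to_filetime(LOCKED_AT)},
]

if __name__ == "__main__":
    for minutes in (10, 40):
        now = LOCKED_AT + timedelta(minutes=minutes)
        print(f"{minutes:>2} min after lock:",
              locked_accounts(SAMPLE_ENTRIES, SAMPLE_POLICY, now))
```

Run as-is it reports bob as locked 10 minutes after the lock and nobody 40 minutes after it, even though bob's lockoutTime is unchanged in both cases. To use it against a real domain, fetch lockoutThreshold and lockoutDuration from the domain root with any LDAP client, run CANDIDATE_FILTER for the user entries, and pass the integer attribute values straight in; where a single authoritative answer is wanted, read msDS-User-Account-Control-Computed for each candidate and use locked_per_dc instead of the arithmetic.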