LOCKOUT (or UF_LOCKOUT flag)#

This is technically the 0x00000010 bit in the User-Account-Control Attribute for Microsoft Active Directory.

When set, the value denotes that the Active Directory account is locked by Intruder Detection.

Sometimes this concept is referred to as Intruder Detection. This is not the condition where an account is Administratively Disabled.

Active Directory Locked Accounts#

The account is currently locked. The value of the Lockouttime attribute can be set to 0 to unlock a previously locked account.

When trying to perform a logon, the ERROR_ACCOUNT_LOCKED_OUT Microsoft Response Code is provided.

Warning#

The LOCKOUT bit is only reset when the account is logged onto successfully. This implies that the LOCKOUT bit may be set even though the account is not locked out. The only accurate method to determine whether the account is locked out is to add the Lockout-Duration to the lockouttime and compare the result to the current time. Be careful: depending on how you are reading the values, you may need to account for local time zones and daylight saving time.
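The comparison described above, as an added example that is not part of the original page. It assumes lockouttime is a count of 100 ns intervals since 1601-01-01 UTC and Lockout-Duration is stored as a negative count of 100 ns intervals. The function names are hypothetical, and the handling of a "never expires" duration is an assumption marked in the code.

```python
from datetime import datetime, timedelta, timezone

UF_LOCKOUT = 0x00000010  # LOCKOUT bit in User-Account-Control (from this page)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INT64_MIN = -(2 ** 63)


def filetime_to_utc(ticks):
    """Convert 100 ns intervals since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(moment):
    """Inverse of filetime_to_utc; used here to build constructed sample values."""
    return ((moment - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_locked_out(lockout_time, lockout_duration, now=None):
    """True only while lockouttime + Lockout-Duration is still in the future.

    lockout_time: the account's lockouttime (0 or None means not locked).
    lockout_duration: the policy's Lockout-Duration (negative 100 ns count).
    now: timezone-aware current time; defaults to the current UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    if now.tzinfo is None:
        # Naive local time is ambiguous across zones and DST changes.
        raise ValueError("'now' must be timezone-aware")
    if not lockout_time:
        return False
    # Assumption: 0 or the minimum 64-bit value means the account stays
    # locked until an administrator unlocks it.
    if lockout_duration in (0, INT64_MIN):
        return True
    unlock_at = filetime_to_utc(lockout_time) + timedelta(
        microseconds=abs(lockout_duration) // 10)
    return now < unlock_at


def lockout_flag_is_stale(uac, lockout_time, lockout_duration, now=None):
    """True when the LOCKOUT bit is set but the lockout has already expired."""
    return bool(uac & UF_LOCKOUT) and not is_locked_out(
        lockout_time, lockout_duration, now)
```

Doing all arithmetic on timezone-aware UTC values means a caller in any local zone gets the same answer.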

Some more insight is provided on our page Active Directory Locked Accounts.

This page (revision-10) was last changed on 26-May-2013 19:34 by jim