Active Directory Locked Accounts

Working with Locked Accounts#

An Microsoft Active Directory account may be automatically locked, if the domain's security policy has been configured to lock accounts after a number of unsuccessful logon attempts for Intruder Detection

When in working from LDAP with user accounts in Active Directory, there is common to need to refer to the Domain Wide Account Policies.

If an account has been locked out, the lockouttime attribute will contain a Win32 time value that indicates when the account was locked.

An easy way to search for locked out accounts is an LDAP query similar to

Eg. Search for any accounts that have a value for lockouttime.
This discussion does NOT include Administratively Disabled Microsoft Accounts


However searching for any accounts that have a value for lockouttime is not an accurate method to use because an account is determined to be locked out if the CurrentTime - lockouttime exceeds the Lockout Duration.
It is only upon a successful logon that AD sets the value of lockouttime to zero, so it is possible for an account to still contain a value for lockouttime, yet the account is not locked.

How AD Lock out Works#

Whether or not an account is locked out in Active Directory is determined by a few attribute values.

Bad-Pwd-Count #

Bad-Pwd-Count, badPwdCount, attribute in Active Directory is a Non-replicated value. The Bad-Pwd-Count attribute specifies the number of times the user attempted to log on to the account using an incorrect password. This attribute is maintained separately on each domain controller in the domain. A value of 0 indicates that the value is unknown.

To get an accurate value for the user's total bad password attempts in the domain, each domain controller in the domain must be queried and the sum of the values should be used.

Lockouttime Attribute.#

The Lockouttime attribute value is only reset when the account is logged onto successfully. This means that this value may be non zero, yet the account is not locked out. To accurately determine if the account is locked out, you must:


The number of invalid logon attempts that are permitted before the account is locked out.

User-Account-Control Attribute#

The User-Account-Control Attribute specifies flags that control or indicate password, LOCKOUT, disable/enable, script, and home directory behavior for the user. This attribute also contains a flag that indicates the account type of the object. The user object usually has the NORMAL_ACCOUNT set. (512 or 0x0200 value)

More Information#

There might be more information for this subject on one of the following: