Overview#

Locked Account Check is a Policy Decision Point used against the attributes in the pwdPolicy objectClass Type as defined in Draft-behera-ldap-password-policy on How To determine if a Account is Locked.

A status of true is returned to indicate that the account is locked if any of these conditions are met:

• The value of the PwdAccountLockedTime attribute is 000001010000Z.
• The current time is less than the value of the PwdStartTime attribute.
• The current time is greater than or equal to the value of the PwdEndTime attribute.
• The current time is greater than or equal to the value of the PwdLastSuccess attribute added to the value of the pwdMaxIdle attribute.
• The current time is less than the value of the pwdAccountLockedTime attribute added to the value of the pwdLockoutDuration.

Otherwise a status of false is returned.

EDirectory Locked Account Check#

We describe the Locked Account Check for EDirectory in detail under Locked By Intruder.

Microsoft Active Directory Locked Account Check#

We describe the Locked Account Check for Microsoft Active Directory in detail under Active Directory Account Lockout

More Information#

There might be more information for this subject on one of the following:

• Draft-behera-ldap-password-policy
• Locked By Intruder
• Web Blog_blogentry_250615_1