AD lockoutTime#
The lockoutTime Microsoft Active Directory attribute specifies the date and time (in UTC) at which this account was locked out by Intruder Detection (the account lockout policy). The value is stored as a LargeInteger LDAPSyntax: the number of 100-nanosecond intervals since 12:00 AM, January 1, 1601 UTC (a Windows FILETIME).
A value of zero means that the account is NOT currently locked out.
lockoutTime can only be set by the system itself, when the bad-password counter (badPwdCount) reaches the lockoutThreshold of the applicable policy.
(Please do not confuse a lockout with the normal disable/enable operation for user accounts, which is a flag in userAccountControl; a locked-out account is still enabled. You can search the directory for locked accounts.)
The only value an administrator may write to this attribute is "0", which effectively unlocks the account.
cn: Lockout-Time
ldapDisplayName: lockoutTime
attributeId: 1.2.840.113556.1.4.662
attributeSyntax: 2.5.5.16
omSyntax: 65
isSingleValued: TRUE
schemaIdGuid: 28630ebf-41d5-11d1-a9c1-0000f80367c1
systemOnly: FALSE
searchFlags: 0
systemFlags: FLAG_SCHEMA_BASE_OBJECT
Warning#
The lockoutTime attribute is reset to 0 only following a successful authentication (or an explicit administrative unlock); it is not cleared automatically when the lockout duration expires. This implies that lockoutTime may be non-zero while the account is no longer locked out. The only accurate method of determining whether the account is locked out is to add the Lockout-Duration (the lockoutDuration attribute of the domain, or the msDS-LockoutDuration of a fine-grained password policy that applies to the user) to lockoutTime and compare the result to the current time. Be careful: lockoutTime is UTC and lockoutDuration is stored as a negative LargeInteger of 100-nanosecond intervals, so depending on how you read the values you may need to account for local time zones and daylight saving time.
Version-Specific Behavior#
- Implemented on Active Directory® Application Mode (ADAM)
- Windows Server® 2008 operating system
- Active Directory® Lightweight Directory Services (AD LDS) for Windows® Vista
- Windows Server® 2008 R2 operating system
- Active Directory® Lightweight Directory Services (AD LDS) for Windows® 7
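The check described in the Warning section above, as an added example in Python that is not part of this page: it converts lockoutTime (a FILETIME LargeInteger) and lockoutDuration (a negative interval) to datetimes, decides whether the lockout window is still open, and builds the LDAP filter a "locked accounts" search should use so that the directory itself excludes stale non-zero lockoutTime values. The function names and the sample timestamps are this example's own; in practice lockoutTime comes from the user object and lockoutDuration from the domain NC head (or msDS-LockoutDuration of the PSO named in the user's msDS-ResultantPSO).

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# lockoutTime counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
# (a Windows FILETIME). lockoutDuration is a *negative* tick count, and the
# sentinel -2**63 (0x8000000000000000) is AD's "never" value: the account
# stays locked until an administrator writes 0 to lockoutTime.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10
NEVER = -(2 ** 63)

# Constructed sample values for the demonstration below (not from a real directory).
SAMPLE_NOW = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
THIRTY_MINUTES = -18_000_000_000   # 30 min = 1800 s * 10**7 ticks, stored negative


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD LargeInteger timestamp to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; a naive datetime is assumed to be UTC."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * TICKS_PER_MICROSECOND


def interval_to_timedelta(interval: int) -> timedelta:
    """Convert a negative LargeInteger interval (e.g. lockoutDuration) to a timedelta."""
    if interval == NEVER:
        raise ValueError("interval is 'never'; test for NEVER before converting")
    return timedelta(microseconds=abs(interval) // TICKS_PER_MICROSECOND)


def is_locked_out(lockout_time: Optional[int], lockout_duration: int,
                  now: Optional[datetime] = None) -> bool:
    """True only while the lockout window is open: lockoutTime + duration > now."""
    if not lockout_time:            # absent or 0: never locked, or explicitly unlocked
        return False
    if lockout_duration == NEVER:   # policy: locked until an administrator unlocks
        return True
    now = now or datetime.now(timezone.utc)
    unlock_at = filetime_to_datetime(lockout_time) + interval_to_timedelta(lockout_duration)
    return now < unlock_at


def locked_out_filter(lockout_duration: int, now: Optional[datetime] = None) -> str:
    """LDAP filter matching only accounts whose lockout is still in effect.

    A naive (lockoutTime>=1) also returns accounts whose window has expired
    but that have not logged on since; pushing the threshold now - duration
    into the filter lets the DC apply the Warning's rule server-side.
    """
    if lockout_duration == NEVER:
        threshold = 1
    else:
        now = now or datetime.now(timezone.utc)
        threshold = datetime_to_filetime(now - interval_to_timedelta(lockout_duration))
    return f"(&(objectCategory=person)(objectClass=user)(lockoutTime>={threshold}))"


if __name__ == "__main__":
    recent = datetime_to_filetime(SAMPLE_NOW - timedelta(minutes=10))
    stale = datetime_to_filetime(SAMPLE_NOW - timedelta(minutes=45))
    print(is_locked_out(recent, THIRTY_MINUTES, SAMPLE_NOW))  # True
    print(is_locked_out(stale, THIRTY_MINUTES, SAMPLE_NOW))   # False: non-zero but expired
    print(locked_out_filter(THIRTY_MINUTES, SAMPLE_NOW))
```

The `stale` case is exactly the situation the Warning describes: lockoutTime is non-zero, yet the account is not locked out, so any tool that only tests `lockoutTime != 0` reports a false positive. Read lockoutDuration from the domain NC head (e.g. `DC=example,DC=com`) and check msDS-ResultantPSO on the user first, because a fine-grained password policy overrides the domain value.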