AD lockoutTime#

The lockoutTime attribute in Microsoft Active Directory specifies the date and time (in UTC) at which this account was locked out for Intruder Detection.

This value is stored using the LargeInteger LDAP syntax (see LDAPSyntaxes).

A value of zero means that the account is NOT currently locked out.

lockoutTime can only be set by the system itself.
(Please don't mix this up with the normal disable/enable operation for user accounts. You can search the directory for locked accounts.)

The only value that may be written to this attribute is "0", which effectively unlocks the account.

cn: Lockout-Time
ldapDisplayName: lockoutTime
attributeId: 1.2.840.113556.1.4.662
omSyntax: 65
isSingleValued: TRUE
schemaIdGuid: 28630ebf-41d5-11d1-a9c1-0000f80367c1
systemOnly: FALSE
searchFlags: 0


The lockoutTime attribute is only reset following a successful authentication. This implies that lockoutTime may be non-zero while the account is no longer locked out. The only accurate method to determine whether the account is locked out is to add the Lockout-Duration to lockoutTime and compare the result to the current time. Be careful: depending on how you read the values, you may need to account for local time zones and daylight saving time.
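The check described above, as an added Python example that is not part of the original page: lockoutTime is decoded as a LargeInteger FILETIME (100-nanosecond ticks since 1601-01-01 UTC), lockoutDuration is assumed to come from the domain object, which stores it as a negative interval in the same units, and all comparisons are done in UTC to avoid the time zone and daylight saving pitfalls mentioned above.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME / LargeInteger epoch: 1601-01-01 00:00:00 UTC, counted in 100-ns ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Domain lockoutDuration value meaning "locked until an administrator unlocks the account".
LOCKOUT_UNTIL_ADMIN_UNLOCK = -(2 ** 63)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a LargeInteger FILETIME value to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; `when` must be timezone-aware."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def lockout_expires_at(lockout_time: int, lockout_duration: int) -> Optional[datetime]:
    """Return when the lock expires, or None if lockoutTime is 0 or an admin must unlock."""
    if lockout_time == 0 or lockout_duration == LOCKOUT_UNTIL_ADMIN_UNLOCK:
        return None
    # lockoutDuration is stored as a negative 100-ns interval, so add its magnitude.
    return filetime_to_datetime(lockout_time + abs(lockout_duration))


def is_locked_out(lockout_time: int, lockout_duration: int,
                  now: Optional[datetime] = None) -> bool:
    """True only if lockoutTime is non-zero and the lockout window has not yet elapsed."""
    if lockout_time == 0:
        return False                      # 0 always means "not locked out"
    if lockout_duration == LOCKOUT_UNTIL_ADMIN_UNLOCK:
        return True                       # only an administrator can clear this lock
    if now is None:
        now = datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("compare in UTC: pass a timezone-aware datetime")
    return now < lockout_expires_at(lockout_time, lockout_duration)
```

A stale non-zero lockoutTime (lock window already elapsed, no successful logon since) correctly yields False, which is the case the paragraph above warns about.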

Version-Specific Behavior#

  • Implemented on Active Directory® Application Mode (ADAM)
  • Windows Server® 2008 operating system
  • Active Directory® Lightweight Directory Services (AD LDS) for Windows® Vista
  • Windows Server® 2008 R2 operating system
  • Active Directory® Lightweight Directory Services (AD LDS) for Windows® 7

Active Directory Account Lockout#

Describes details on Active Directory Account Lockout.

More Information#

There might be more information for this subject on one of the following: