!!! Working with Locked Accounts

A [Microsoft Active Directory] account may be automatically locked if the domain's security policy has been configured to lock accounts after a number of unsuccessful logon attempts for [Intruder Detection].

When working from LDAP with user accounts in Active Directory, there is commonly a need to refer to the [Domain Wide Account Policies].

If an account has been locked out, the [lockouttime] attribute will contain a Win32 time value that indicates when the account was locked.

An easy way to search for locked out accounts is an LDAP query similar to
{{{
(&(objectClass=user)(lockoutTime>=1))
}}}
Eg. search for any accounts that have a non-zero value for [lockouttime].

%%warning
This discussion __does NOT__ include [Administratively Disabled] [Microsoft Accounts]
%%

!! Warning
However, searching for any accounts that have a value for [lockouttime] is __not__ an accurate method to use, because an account is only locked out while CurrentTime - [lockouttime] has not yet exceeded the Lockout Duration; once it exceeds the Lockout Duration the lockout has expired.

It is only upon a successful logon that AD sets the value of [lockouttime] to zero, so it is possible for an account to still contain a value for [lockouttime], yet the account is not locked.

!!! How AD Lock out Works
Whether or not an account is locked out in Active Directory is determined by a few attribute values.

! [Bad-Pwd-Count]
The [Bad-Pwd-Count] (badPwdCount) attribute in Active Directory is a [Non-replicated] value. The [Bad-Pwd-Count] attribute specifies the number of times the user attempted to log on to the account using an incorrect password. This attribute is maintained separately on each domain controller in the domain. A value of 0 indicates that the value is unknown. To get an accurate value for the user's total bad password attempts in the domain, each domain controller in the domain must be queried and the sum of the values should be used.

! [Lockouttime] Attribute
The [Lockouttime] attribute value is only reset when the account is logged onto successfully. This means that this value may be non-zero, yet the account is not locked out.

To accurately determine if the account is locked out, you must:
* Determine if the [Active Directory Account Lockout] policy is configured.
* Add the [Lockout-Duration] to the [Lockouttime].
* Compare the result to the current time, accounting for local time zones and daylight saving time.

! [Lockout-Threshold]
The number of invalid logon attempts that are permitted before the account is locked out.

! [User-Account-Control Attribute]
The [User-Account-Control Attribute] specifies flags that control or indicate password, [LOCKOUT], disable/enable, script, and home directory behavior for the user. This attribute also contains a flag that indicates the account type of the object. The user object usually has [NORMAL_ACCOUNT] set (value 512, or 0x0200).

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
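The lockout test described under [Lockouttime] above (add the Lockout-Duration to lockoutTime, compare against the current time in UTC), as an added example in Python that is not part of this wiki page. It assumes lockoutTime and lockoutDuration have already been read from the directory as integers; the sentinel for "locked until an administrator unlocks" and the sample times are the example's own.

```python
# Added example (not from the wiki page): decide whether an AD account is
# currently locked out from its lockoutTime and the domain's lockoutDuration.
# Both are Win32/AD large integers counted in 100-nanosecond ticks.
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# lockoutDuration is stored as a negative interval. The most negative 64-bit
# value is the directory's way of saying the lockout never expires on its own.
LOCK_UNTIL_ADMIN_UNLOCKS = -(2 ** 63)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD/Win32 FILETIME integer to an aware UTC datetime."""
    # Integer division keeps the conversion exact for large tick counts.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; dt must be timezone-aware (converted to UTC)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    whole_seconds = delta.days * 86_400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def is_locked_out(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """Locked only while lockoutTime + duration is still in the future.

    lockout_time: the account's lockoutTime attribute (0 = reset by a good logon).
    lockout_duration: the domain's lockoutDuration attribute (negative ticks).
    now: current time as an aware datetime; comparing in UTC means local time
        zones and daylight saving time cannot skew the result.
    """
    if lockout_time == 0:
        return False  # never locked, or cleared by a successful logon
    if lockout_duration == LOCK_UNTIL_ADMIN_UNLOCKS:
        return True  # no automatic expiry
    expires_at = lockout_time + (-lockout_duration)  # duration is negative
    return datetime_to_filetime(now) < expires_at


def total_bad_pwd_count(per_dc_counts) -> int:
    """badPwdCount is not replicated, so sum the value read from every DC."""
    return sum(per_dc_counts)
```

A non-zero lockoutTime alone therefore only tells you the account was locked at some point; `is_locked_out` is what the LDAP filter on the page cannot express by itself.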