lockaccount flag in userAccountControl does not change

Discussion in 'Active Directory' started by BedSmoker, Nov 23, 2005.

  1. BedSmoker

    BedSmoker Guest

    I use userAccountControl to identify if an account is enabled or disabled by
    looking at the flag (bit) that corresponds to that property. So far so good.

    Reading the article
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144, I understand
    that the lockaccount property is also supposed to be represented in
    userAccountControl.

    My problem is that the lockout flag doesn't change when an account is locked
    out. It always stays the same. Does anyone know how I can solve this?
     
    BedSmoker, Nov 23, 2005
    #1

  2. Tony Murray

    Tony Murray Guest

    Finding the lockout status is a tricky one. You can run an LDAP query to
    find all the users that have a populated lockoutTime attribute, but this
    won't give you the whole picture. If there is a value it would find all the
    locked out users, but would also find those accounts that have become
    unlocked and have yet to log in.

    An easy way to view the lockout status is to use the unlock utility from
    joeware.net with the -view option. For more information on unlock, see the
    link below.

    http://www.joeware.net/win/free/tools/unlock.htm

    Tony
    www.activedir.org
     
    Tony Murray, Nov 23, 2005
    #2

  3. BedSmoker

    BedSmoker Guest

    Thank you for your answer, Tony. I have heard that there is some software
    that manages to let one view locked out accounts.

    The tricky part for me is that I use business rules to retrieve and modify
    properties in Active Directory. It's required by the solution that I'm working
    on.
    One other way that struck my mind is to run a saved query in AD and then
    populate a group with the users that come as a result from the query. This
    didn't work either.

    It's really strange that one can't determine if a user account is locked out
    in the same way that one can determine if the account is enabled/disabled.

    I've read some about .NET 2.0 and that one could type managed code to
    retrieve data from the AD..?
     
    BedSmoker, Nov 24, 2005
    #3
  4. Joe Kaplan

    Joe Kaplan (MVP - ADSI) Guest

    Both .NET 1.x and .NET 2.0 have support for reading LDAP directories via the
    System.DirectoryServices namespace. .NET 2.0 adds more features and the
    S.DS.ActiveDirectory and S.DS.Protocols namespaces.

    Neither has explicit support for dealing with lockout though.

    The IADsUser interface in ADSI attempts to support it, but it has a
    shortcoming that can lead to false positives. The issue is that it simply
    checks to see if lockoutTime has a value or not and assumes the account is
    locked if it does. Unfortunately, the DS doesn't automatically nullify the
    value once the account is unlocked, so the value might stay populated for a
    while after the account is unlocked.

    Lockout status is more complex than disabled status because it is highly
    configurable in AD, with the number of failure attempts and lockout time
    being set at the domain level. That's why you can't just check a bit to see
    if the account is locked.

    IADsUser is also not really good to use for searching for locked accounts as
    it requires that each user in the directory be enumerated.

    If you are interested in .NET, Ryan Dunn has a nice C# article on his blog
    (www.dunnry.com) that shows samples for finding locked accounts.

    Joe K.
     
    Joe Kaplan (MVP - ADSI), Nov 26, 2005
    #4
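The false-positive problem Joe describes (lockoutTime stays populated after the lockout has expired) can be avoided by comparing lockoutTime against the domain's lockoutDuration instead of just testing whether it is set. The following is an added example, not code from any poster or from the Dunnry article; it assumes lockoutTime is a FILETIME integer (100 ns ticks since 1601-01-01, 0 = never locked), that lockoutDuration is the negative 100 ns interval stored on the domain root, and that the sample user records below are constructed rather than read from a directory.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch, expressed in 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# lockoutDuration of 0x8000000000000000 (most negative signed 64-bit value)
# means "locked until an administrator unlocks the account".
LOCKOUT_FOREVER = -(2 ** 63)


def datetime_to_filetime(dt):
    """Convert an aware UTC datetime to FILETIME ticks using integer math."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def is_effectively_locked(lockout_time, lockout_duration, now):
    """True only if the lockout window set at the domain level is still open."""
    if lockout_time == 0:
        return False                      # never locked, or explicitly unlocked
    if lockout_duration == LOCKOUT_FOREVER:
        return True                       # stays locked until an admin clears it
    # lockoutDuration is stored as a negative interval; negate to add it.
    expiry = lockout_time + (-lockout_duration)
    return datetime_to_filetime(now) < expiry


def naive_locked(users):
    """The IADsUser-style check: any populated lockoutTime counts as locked."""
    return [u["sAMAccountName"] for u in users if u["lockoutTime"] != 0]


def find_locked(users, lockout_duration, now):
    """Accounts whose lockout has not yet expired under the domain policy."""
    return [u["sAMAccountName"] for u in users
            if is_effectively_locked(u["lockoutTime"], lockout_duration, now)]


# Constructed sample data: a 30-minute domain lockout window (stored negative),
# one user locked 5 minutes ago, one locked 2 hours ago, one never locked.
NOW = datetime(2005, 11, 26, 12, 0, tzinfo=timezone.utc)
THIRTY_MINUTES = -30 * 60 * TICKS_PER_SECOND
SAMPLE_USERS = [
    {"sAMAccountName": "alice",
     "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},
    {"sAMAccountName": "bob",
     "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))},
    {"sAMAccountName": "carol", "lockoutTime": 0},
]

if __name__ == "__main__":
    print("naive:", naive_locked(SAMPLE_USERS))           # alice and bob
    print("real:", find_locked(SAMPLE_USERS, THIRTY_MINUTES, NOW))  # alice only
```

In a real query you would read lockoutDuration once from the domain root and lockoutTime per user, then apply the same comparison to each result.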
