Hi,
The IsAccountLocked property method (with the LDAP provider) returns the
same value whether the account is locked or not. However, this property
method can be used to unlock the account. Similarily, the userAccountControl
flag (with the mask ADS_UF_LOCKOUT = &H10) cannot be used to reveal if the
account is locked. Instead, when the account is locked out, the badPwdCount
attribute of the user object becomes equal to the domain setting for maximum
attempts (lockoutThreshold) and the lockoutTime attribute has a value
(corrsponding to the date and time the account was locked out). If the
domain lockout reset window (lockoutDuration) expires, the account is no
longer locked out, but no attribute values change for the user object
(exposed by the LDAP provider). The only way to tell if the account is still
locked out is to add the domain lockoutDuration to the user lockoutTime,
convert to a date, and compare with Now to see if the duration has expired.
If the account is unlocked manually, badPwdCount is set to 0 and lockoutTime
is set to 0. If instead, the reset duration (the domain lockoutDuration)
expires, the account is no longer locked, but badPwdCount and lockoutTime
are unchanged. However, when the user logs on successfully, both of these
attributes are set to 0.
I have just tested and I find that you can manipulate the userAccountControl
attribute (with the LDAP provider) to unlock the account. The behaviour
seems strange, but it works. As you know, if you test userAccountControl
with the bit mask you find it never changes. If you use ADSI Edit to
monitor, you see that userAccountControl never changes when the account gets
locked out, or when you unlock it. However, you can toggle the bit with
code. When the account is locked out and you toggle the ADS_UF_LOCKOUT bit
the attribute value changes and the account remains locked out. If you then
toggle the bit again, the attribute returns to it's original value, but the
account is now unlocked. Magic. Also, the badPwdCount and lockoutTime
attributes get zero'ed.
Obviously, the userAccountControl attribute has some kind of bug.
--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site -
http://www.rlmueller.net
--
"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:Or**************@TK2MSFTNGP11.phx.gbl...
Correction: See Richard Mueller's post in microsoft.public.adsi.general
today under "WinNT-provider doesn't use supplied credentials". I believe
that flag doesn't actually work correctly and you need to do something
fancier. For some reason I always forget this because I never do this
programmatically.
Sorry,
Joe K.
"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:%2****************@TK2MSFTNGP11.phx.gbl... Gotcha. You need to set the ADS_UF_LOCKOUT flag in userAccountControl
enumerated value to "on". That will cause the account to be locked (or
unlocked for unset).
Joe K.
"RF" <rf@someemail.com> wrote in message
news:Ox*************@TK2MSFTNGP12.phx.gbl... Thank Joe for your help.
For the "accountLocked", what I meant was how I can programmatically lock and unlock an account thru DirectoryServices.
TIA,
Randy