Wednesday, July 03, 2013

AD : Locked accounts in Active Directory (AD)

This is truly a curved ball.

Once upon a time, there was an attribute in AD called:

  userAccountControl - ADS_UF_LOCKOUT = 16 (d) 10 (h)

However, in later versions of Windows Server (e.g. 2008), this was moved to:

  msDS-User-Account-Control-Computed - UF_LOCKOUT = 16 (d) 10 (h).

BUT there was a slight problem. As the name implies this is a computed attribute i.e. it doesn't actually exist. Rather it is computed on the fly. The implication is that it can't be used in a standard search query.

Hence the curved ball.

Some blogs suggest you can use:

filter = "(&(objectClass=user)(lockoutTime>=0))"  

This works in the sense that it refines a potentially huge list to a much smaller one.

However, it is not sufficient. When a user is locked out and then unlocked, this attribute can be set to zero (as opposed to the previous time that was stored). 

Easy enough, change the filter to:

filter = "(&(objectClass=user)(lockoutTime>0))"  

Dream on - that's not a valid filter query language construct.

So this first list has to be iterated through again to check that the user is actually locked.

Lots of code out there to do this e.g.
UserPrincipal oUserPrincipal = GetUser(sUserName); 
or if you want to get fancy - refer c# LDAP check user is locked or not
string attribName = "msDS-User-Account-Control-Computed";
user.RefreshCache(new string[] { attribName });
const int UF_LOCKOUT = 0x0010;
int userFlags = (int)user.Properties[attribName].Value;
if ( (userFlags & UF_LOCKOUT) == UF_LOCKOUT)
    // if this is the case, the account is locked out
    return true;
return false;

To unlock - refer Everything in Active Directory via C#.Net 3.5 (Using System.DirectoryServices.AccountManagement).
UserPrincipal oUserPrincipal = GetUser(sUserName);
To unlock via ADUC, click the Account tab on the user's Properties and then check the "Unlock Account" check box.

Note: You cannot lock an account either programmatically or through ADUC.

The system will lock the account based on the user's password policy e.g. user will be locked out after x invalid attempts. The policy may state that the user many never be locked out.



Anonymous said...

I don't see how ..

UserPrincipal oUserPrincipal = GetUser(sUserName); userPrincipal.IsAccountLockedOut();


GetUser doesn't exist. What version of VS are you using?

nzpcmad said...

Refer the link to " Everything in Active Directory ..." above.

Anonymous said...

what about (!lockoutTime<=0)
and "msDS-User-Account-Control-Computed" CAN be used in LDAP query in the first place. But thanks for pointing me to it

Jhon Drake said...

Really very helpful, thanks for sharing this information to unlock account in active directory environment. I found the automate tool from to allow user to self unlock, reset password from login screen and get the entire user status report via Email. It provides safe and secure way for end users.