Lock an account in Active Directory using LDAP API
User
2006-10-27 22:27:15 UTC
I am trying to lock an account in Active Directory using LDAP (Java)
API. I try to set the attribute userAccountControl to 528 (512 + 16).
It takes the change but when I query the user object immediately it is
set to 512.

I am assuming I will have to change other attributes in conjunction
with userAccountControl. I tried to set the attribute "lockoutTime" but
I can't change it.

Any ideas on locking the Active Directory account programmatically? I
was able to disable (514) though. Just can't lock.
Joe Kaplan
2006-10-27 22:53:08 UTC
You can't. The actual bit on userAccountControl isn't used by AD/LDAP.
That is a weird hold-over flag from the NT domain controller days.

As you have discovered, you can't set lockoutTime to a value either. That
is managed by the system.

The only way to lock out an account programmatically via LDAP is to actually
bind incorrectly enough times in succession to trip the lockout policy.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Joe Richards [MVP]
2006-10-28 05:15:10 UTC
Why do you want to lock an account versus expire or disable it?

As JoeK mentions, you can't programmatically lock an account except by
generating bad auth.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
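Both replies come down to the same split: disabling and expiring an account are attribute writes a client can make, while lockout is state the domain controller derives from failed binds, so neither the UF_LOCKOUT bit in userAccountControl nor lockoutTime can be written. The Python below is an added example, not code from the thread or from either poster (the original poster was using Java). It shows the read-modify-write of userAccountControl that avoids the absolute 514/528 writes in the question, the FILETIME arithmetic behind accountExpires and lockoutTime, and how to read the current lockout state without relying on the userAccountControl bit. Attribute names are the real AD schema names; msDS-User-Account-Control-Computed is a constructed attribute that the thread does not mention but that does carry UF_LOCKOUT while an account is locked. The directory entry, the lockoutDuration policy value and the clock are constructed sample data standing in for a search result, not output from a real directory.

```python
"""Disable, expire and lockout state of an AD user as seen over LDAP.

Added example, not code from the thread. SAMPLE_ENTRY is constructed data
in the shape of an LDAP search result: real attribute names, made-up values.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (ADS_USER_FLAG_ENUM). The poster's 514 is
# 0x200 | 0x2 and 528 is 0x200 | 0x10.
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010        # reported via msDS-User-Account-Control-Computed, never writable
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# accountExpires and lockoutTime are Windows FILETIME values: 100-nanosecond
# ticks since 1601-01-01 00:00 UTC held in a signed 64-bit integer.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF                 # accountExpires: 0 or this means "never"
LOCKOUT_UNTIL_ADMIN_UNLOCKS = -0x8000000000000000   # lockoutDuration: Int64.MinValue


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def set_disabled(uac: int, disabled: bool) -> int:
    """Toggle only the disable bit; an absolute write of 514 would clear
    every other flag the account carries (see lost_flags)."""
    return uac | UF_ACCOUNTDISABLE if disabled else uac & ~UF_ACCOUNTDISABLE


def lost_flags(current_uac: int, absolute_write: int) -> int:
    """Flags an absolute write of userAccountControl would silently drop."""
    return current_uac & ~absolute_write


def is_expired(account_expires: int, now: datetime) -> bool:
    if account_expires in (0, NEVER_EXPIRES):
        return False
    return filetime_to_datetime(account_expires) <= now


def is_locked_out(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """lockoutTime is 0 when not locked. The DC leaves a non-zero value in
    place after the policy window has elapsed, so "currently locked" needs
    lockoutDuration (a negative 100 ns interval from the domain policy)."""
    if lockout_time == 0:
        return False
    if lockout_duration == LOCKOUT_UNTIL_ADMIN_UNLOCKS:
        return True
    return now < filetime_to_datetime(lockout_time + abs(lockout_duration))


def account_status(entry: dict, lockout_duration: int, now: datetime) -> dict:
    uac = entry["userAccountControl"]
    return {
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "expired": is_expired(entry["accountExpires"], now),
        "locked_by_policy": is_locked_out(entry["lockoutTime"], lockout_duration, now),
        # The DC's own answer: a constructed attribute that carries UF_LOCKOUT while locked.
        "locked_per_dc": bool(entry["msDS-User-Account-Control-Computed"] & UF_LOCKOUT),
        # The bit the poster tried to write is never present in the stored attribute.
        "uac_lockout_bit": bool(uac & UF_LOCKOUT),
    }


# Constructed sample: normal account, non-expiring password, tripped the
# lockout policy ten minutes before NOW; the (made-up) policy locks for 30 min.
NOW = datetime(2006, 10, 28, 0, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = -30 * 60 * TICKS_PER_SECOND
SAMPLE_ENTRY = {
    "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,  # 66048
    "accountExpires": NEVER_EXPIRES,
    "lockoutTime": datetime_to_filetime(datetime(2006, 10, 27, 23, 50, tzinfo=timezone.utc)),
    "msDS-User-Account-Control-Computed": UF_LOCKOUT,
}


def demo() -> dict:
    """Status now, lock state once the window has passed, and what the
    absolute writes from the thread would have cost this account."""
    later = NOW + timedelta(minutes=30)
    return {
        "now": account_status(SAMPLE_ENTRY, LOCKOUT_DURATION, NOW),
        "locked_later": is_locked_out(SAMPLE_ENTRY["lockoutTime"], LOCKOUT_DURATION, later),
        "disabled_uac": set_disabled(SAMPLE_ENTRY["userAccountControl"], True),
        "dropped_by_514": lost_flags(SAMPLE_ENTRY["userAccountControl"], 514),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a live directory the same attributes come back from a search, and userAccountControl or accountExpires are written with a modify operation carrying the value these helpers compute; lockoutTime and the UF_LOCKOUT bit stay read-only, as both replies say, so a client that needs "locked" rather than "disabled" can only read that state, not set it.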