The lockoutTime attribute can only be set to zero. If you want to
programmatically lock (versus disable) an account, you will need to send
enough bad auth attempts to it.  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Aragon
Sent: Wednesday, August 02, 2006 6:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] UAC Question

Thank you Tomasz for the clarification on UAC.  If I understand you, then if
the lockoutTime were set to some non-0 value (a time say in the next year?
or last year?) this would trigger the lockout bit to be set.  The
presumption being that the lockoutTime can be set.

David Aragon
 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Tomasz Onyszko
> Sent: Wednesday, August 02, 2006 12:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] UAC Question
> 
> David Aragon wrote:
> > http://support.microsoft.com/kb/305144/ discusses the various property
> > flags for the UserAccountControl (UAC).  I have tried to set different
> > flags using LDP, ADSIEdit, and vbScript.  One flag in particular is
> > giving me a lot of grief, LOCKOUT.  I can clear the bit, but can not
> > set it.  This is useful to set for a number of reasons (for example it
> > will prevent a user from logging into a system, but not prevent them
> > from getting their voicemail).
> > 
> > Is this normal?  Can it be set and if so, how?  Is it dependent on 
> > other settings (ex. lockoutTime) to be set to remain set?
> > 
> Yes, this is normal, as lockout status is handled based on the
> lockoutTime attribute in AD. If you want to check it in a
> Windows 2003 domain you have to use the
> msDS-User-Account-Control-Computed attribute.
> 
> AFAIK you would not be able to lock out an account via code. I
> don't know if it would work for you, but if you need to
> prevent a particular user from logging on and keep his account
> alive, you may specify some workstation he would never be able
> to get to as the only workstation he is allowed to log on to?
> 
> --
> Tomasz Onyszko
> http://www.w2k.pl/blog/ - (PL)
> http://blogs.dirteam.com/blogs/tomek/ - (EN)
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> 

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
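
An added example, not part of the original thread: how a monitoring or helpdesk script could read lock status from the attributes discussed above instead of from the LOCKOUT bit of userAccountControl. The function names, the dict of attribute values, and the `lockout_duration` parameter are assumptions made for the illustration; the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Flag values from KB305144 (userAccountControl property flags).
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: NORMAL_ACCOUNT locked at 2006-08-02 18:00 UTC.
SAMPLE_LOCKED_AT = datetime(2006, 8, 2, 18, 0, tzinfo=timezone.utc)
SAMPLE = {
    "userAccountControl": 0x0200,
    "lockoutTime": (SAMPLE_LOCKED_AT - FILETIME_EPOCH) // timedelta(seconds=1) * 10_000_000,
}


def filetime_to_datetime(filetime):
    """Convert a large-integer value (100-ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def lockout_state(attrs, now, lockout_duration):
    """Classify an account from attribute values already read from AD.

    lockout_duration is the domain policy as a timedelta, or None when only
    an administrator can unlock (hypothetical parameter, supplied by caller).
    """
    uac = attrs.get("userAccountControl", 0)
    computed = attrs.get("msDS-User-Account-Control-Computed")
    lockout_time = attrs.get("lockoutTime", 0)
    if computed is not None:
        # The DC has already evaluated the policy: trust its LOCKOUT bit.
        locked = bool(computed & UF_LOCKOUT)
    elif lockout_time == 0:
        locked = False
    elif lockout_duration is None:
        locked = True
    else:
        # A nonzero lockoutTime can outlive the lockout window, so compare.
        locked = now < filetime_to_datetime(lockout_time) + lockout_duration
    return {
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "locked": locked,
        "locked_since": filetime_to_datetime(lockout_time) if lockout_time else None,
    }


def lockouttime_write_allowed(new_value):
    """Per the thread, 0 (unlock) is the only value a client can write."""
    return new_value == 0
```

With the constructed sample and a 30-minute policy, the account reads as locked ten minutes after `lockoutTime` and as not locked after 31 minutes, even though `lockoutTime` is still nonzero.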
