I am trying to lock a user by setting the pwdAccountLockedTime to 000001010000Z, but I only seem to be able to do that as admin, not as another user with an ACI granting them all rights to all user attributes. I realize pwdAccountLockedTime is an operational attribute, so that makes sense.
Two questions: Is there a way for an ACI to grant rights to specific users to update operational attributes? Is there a better way to lock out a user (e.g. someone who incorrectly answers forgot password security questions too many times) other than binding with an incorrect password until they are locked out by the password policy?

Thanks,
Hal
