Discussion:
How to Lock ADAM account
Oscar P.
2005-05-24 18:00:03 UTC
I want to be able to synchronize the Account Locked Out condition when it
occurs in AD with the associated accounts in ADAM, but haven't determined what
attribute to target in ADAM. The ms-ds-UserAccountAutoLocked attribute is
read-only, and the ms-ds-User-Account-Control-Computed attribute isn't an
attribute option in MIIS for some reason.

I can successfully disable accounts in ADAM when they are disabled in AD,
with the following code in the MapAttributesForExport Sub of an MA extension,
but am still stumped about how to Lock or Unlock. Is the lockoutTime attribute
the key? I want to keep the ADAM locked accounts distinct from the ADAM
disabled accounts; in other words, I don't want to use the
msds-UserAccountDisabled attrib for both a LockOut and a Disable condition in
AD.

    ' ADS_UF_ACCOUNTDISABLE = &H2 (Iads.h). Test the single bit rather than
    ' comparing the whole userAccountControl value, so other flags such as
    ' ADS_UF_NORMAL_ACCOUNT do not prevent the match.
    Const ADS_UF_ACCOUNTDISABLE As Integer = &H2
    Dim uac As Integer = mventry("userAccountControl").IntegerValue
    If (uac And ADS_UF_ACCOUNTDISABLE) <> 0 Then
        csentry("msds-UserAccountDisabled").BooleanValue = True
    Else
        csentry("msds-UserAccountDisabled").BooleanValue = False
    End If

Any ideas?

Much thanks!
Oscar
Joe Richards [MVP]
2005-05-25 00:20:50 UTC
Lockouts in AD and AD/AM are handled through the lockoutTime Attribute. This
attribute can only be set to 0 by non-system processes.

Determining whether an account is locked or not is a little involved. The value
of lockoutTime will be the time the account was locked out or it will be
zero/non-existent. Accounts that lockout will not automatically clear the
attribute when the account lockout time expires, the lockout value will be reset
when a successful auth occurs. In order to determine if an account is currently
locked, you need to retrieve the lockoutTime value, add onto it the lockout
policy value (retrieved from the domain NC Head) and then compare that to the
current time/date.

joe



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
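Joe's rule above (lockoutTime plus the domain's lockout policy value, compared with the current time) as an added Python example; it is not code from the thread. It only does the arithmetic on values already read from the directory: lockoutTime and lockoutDuration are both FILETIME-style 100 ns integers (lockoutDuration is stored negative, with the Int64 minimum meaning the lockout never expires), and the sample timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD and ADAM store lockoutTime as a FILETIME: 100-nanosecond intervals since
# 1601-01-01 UTC. lockoutDuration on the domain NC head is a negative number of
# the same intervals; the Int64 minimum means the lockout never expires.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
LOCKOUT_NEVER_EXPIRES = -(2 ** 63)


def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME integer (used to build the 'now' value)."""
    return int((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME integer -> UTC datetime (for logging and display)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_locked_out(lockout_time, lockout_duration: int, now_ft: Optional[int] = None) -> bool:
    """Locked iff lockoutTime is set and lockoutTime + policy window is still in the
    future. lockout_time is the raw directory value: int, string, or None when absent."""
    lockout_time = int(lockout_time or 0)      # absent or "0" -> 0
    if lockout_time == 0:
        return False                           # never locked, or cleared by a good logon
    if lockout_duration == LOCKOUT_NEVER_EXPIRES:
        return True                            # stays locked until an admin clears it
    if lockout_duration > 0:
        raise ValueError("lockoutDuration is stored as a negative interval")
    if now_ft is None:
        now_ft = datetime_to_filetime(datetime.now(timezone.utc))
    expires = lockout_time - lockout_duration  # subtracting a negative adds the window
    return now_ft < expires


# Constructed sample values, not taken from a real directory.
SAMPLE_LOCKOUT_TIME = datetime_to_filetime(datetime(2005, 5, 24, 18, 0, tzinfo=timezone.utc))
THIRTY_MINUTES = -30 * 60 * TICKS_PER_SECOND   # how a 30-minute policy is stored

if __name__ == "__main__":
    for minutes_later in (10, 40):
        now = SAMPLE_LOCKOUT_TIME + minutes_later * 60 * TICKS_PER_SECOND
        print(minutes_later, "min after lockout:",
              is_locked_out(SAMPLE_LOCKOUT_TIME, THIRTY_MINUTES, now))
```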
Oscar P.
2005-05-25 16:41:04 UTC
Thanks Joe. But if ADAM lockoutTime can only be set to zero by a non-system
process, that implies that MIIS can't be used to lockout a given account.
How would that synch take place?

Also, can't the ADS_UF_LOCKOUT flag of userAccountControl attrib be used to
determine lockout status in AD?

Thanks again.
Oscar
Joe Richards [MVP]
2005-05-26 02:02:47 UTC
Correct, MIIS would not be able to force this state unless they put a special
hook into AD/AM for it.

ADS_UF_LOCKOUT can only be used with the WinNT Provider, it will not work using
the LDAP providers or the LDAP API.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Oscar P.
2005-06-03 18:09:14 UTC
I've determined that account lockout can be propagated from AD to ADAM simply
through a direct mapping of the lockoutTime attribute. Whenever the
lockoutTime attribute in ADAM is non-zero, ms-ds-UserAccountAutoLocked is
automatically set to TRUE. Once lockoutTime becomes zero again,
ms-ds-UserAccountAutoLocked automatically changes back to FALSE. This only
works if the ADAM password policies are not disabled.

Oscar.
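The export mapping Oscar settled on (lockoutTime copied straight across, disable carried separately on msds-UserAccountDisabled) as an added Python model; it is not the MA extension code from the thread. The metaverse and connector-space entries are plain dicts standing in for MIIS's mventry/csentry, adam_auto_locked models the read-only attribute ADAM derives from lockoutTime, and the flag values are the documented Iads.h constants.

```python
ADS_UF_ACCOUNTDISABLE = 0x0002   # Iads.h
ADS_UF_NORMAL_ACCOUNT = 0x0200   # Iads.h


def map_for_export(mventry: dict) -> dict:
    """Build the ADAM connector-space attributes from an AD-sourced metaverse entry.
    Disable and lockout travel on separate attributes, so an unlock never clears a
    disable and a disable never hides a lockout."""
    uac = int(mventry.get("userAccountControl", ADS_UF_NORMAL_ACCOUNT))
    # An absent lockoutTime in AD means "never locked"; export it as 0 so a
    # previously locked ADAM account is unlocked when AD clears the value.
    lockout_time = int(mventry.get("lockoutTime") or 0)
    return {
        "msds-UserAccountDisabled": bool(uac & ADS_UF_ACCOUNTDISABLE),
        "lockoutTime": lockout_time,    # direct mapping; ADAM derives the rest
    }


def adam_auto_locked(csentry: dict) -> bool:
    """Model of ms-ds-UserAccountAutoLocked as ADAM computes it from lockoutTime
    (per Oscar's observation); assumes ADAM password policies are enabled."""
    return int(csentry.get("lockoutTime") or 0) != 0


if __name__ == "__main__":
    # Constructed sample: enabled account, locked out at a FILETIME value.
    cs = map_for_export({"userAccountControl": ADS_UF_NORMAL_ACCOUNT, "lockoutTime": "127610000000000000"})
    print(cs, "auto-locked:", adam_auto_locked(cs))
```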
Joe Richards [MVP]
2005-06-03 20:57:44 UTC
That is quite interesting, you can arbitrarily set the lockoutTime attribute in
AD/AM to any value you want. I swear I previously tested that and it didn't
work, though I can't say if I did this with the release version of AD/AM or not.
Thanks for the info.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net