Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to programmatically read the lockout flag in Windows 2000 and in Windows Server 2003


Symptoms

When you are using a program to read and reset the user account lockout bit, the program may never report a user as locked out. The code you are using may look like the following sample script, written in Visual Basic Scripting Edition (VBScript) and using the LDAP provider:
' Bind to the user through the LDAP provider (the DN is a placeholder).
Set oUser = GetObject("LDAP://cn=locked out user,cn=Users,DC=domain,DC=com")
' Through the LDAP provider this property does not reflect the lockout state.
if oUser.IsAccountLocked then
  WScript.Echo "User is locked out"
else
  WScript.Echo "User is not locked out"
end if
The userAccountControl attribute read through the LDAP provider does not reflect the locked-out status either: its ADS_UF_LOCKOUT bit is not set for a locked-out account.

Cause

The IsAccountLocked property is not supported by the LDAP provider. Active Directory does not store a lockout flag as such; the WinNT provider derives it on the fly, based on the account's lockoutTime, only when you access Active Directory through that provider.

Resolution

To read or reset the lockout bit, use the WinNT provider to gain access to Active Directory. The following sample VBScript demonstrates this method (to reset the bit, set IsAccountLocked to False and then call SetInfo).
' Bind to the user through the WinNT provider (domainname and username are placeholders).
Set oUser = GetObject("WinNT://domainname/username")
' The WinNT provider computes IsAccountLocked on the fly, so it reflects the real state.
if oUser.IsAccountLocked then
  WScript.Echo "User is locked out"
else
  WScript.Echo "User is not locked out"
end if
Through the WinNT provider the userFlags property also has the UF_LOCKOUT bit (ADS_UF_LOCKOUT, 0x10) set for a locked-out account.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

Account lockout is driven by the user's lockoutTime attribute, a LargeInteger that holds the time of the lockout as a FILETIME (100-nanosecond intervals since January 1, 1601, UTC). When you access Active Directory through the LDAP provider, read this attribute to determine the lockout status: a value larger than zero means the user is currently locked out. To undo the lockout, set lockoutTime to zero and call SetInfo.

lockoutTime is cleared only when the previously locked-out user next logs on. When the domain's lockout duration has expired but the user has not yet tried to log on, lockoutTime is still non-zero even though a logon would succeed. A check that looks at lockoutTime alone therefore over-reports lockouts; compare the value against the domain's lockoutDuration as well before treating the account as locked.
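The following PowerShell script is an added example and is not part of the KB article. It applies the LDAP-provider approach described above through ADSI: it reads the user's lockoutTime, reads the domain's lockoutDuration, and reports an account as locked out only while the lockout is still in force, so the stale-lockoutTime case is reported as "not locked out". It assumes a domain-joined Windows host; the two distinguished names are placeholders to replace with your own, and the sentinel [Int64]::MinValue is taken as the Active Directory value of lockoutDuration that means "locked until an administrator unlocks". The Unlock-Account function performs the same reset the article describes (lockoutTime = 0) and is not called automatically.

```powershell
# Added example, not from the KB article. Requires a domain-joined Windows host;
# both distinguished names are placeholders to replace with your own.
$UserPath   = "LDAP://CN=locked out user,CN=Users,DC=domain,DC=com"
$DomainPath = "LDAP://DC=domain,DC=com"

function Get-LockoutStatus {
    param([string]$UserPath, [string]$DomainPath)

    $user   = [ADSI]$UserPath
    $domain = [ADSI]$DomainPath

    # lockoutTime is a LargeInteger holding a FILETIME (100-ns intervals since
    # 1601-01-01 UTC). An account that was never locked out has no lockoutTime.
    $lockoutTime = 0L
    if ($null -ne $user.lockoutTime.Value) {
        $lockoutTime = $user.ConvertLargeIntegerToInt64($user.lockoutTime.Value)
    }

    # lockoutDuration is stored as a negative count of 100-ns intervals;
    # [Int64]::MinValue is the sentinel for "until an administrator unlocks"
    # (assumption stated in the lead-in).
    $lockoutDuration = $domain.ConvertLargeIntegerToInt64($domain.lockoutDuration.Value)

    if ($lockoutTime -eq 0) {
        return [pscustomobject]@{ LockedOut = $false; LockedAt = $null; ExpiresAt = $null; Stale = $false }
    }

    $lockedAt = [DateTime]::FromFileTimeUtc($lockoutTime)
    if ($lockoutDuration -eq [Int64]::MinValue) {
        return [pscustomobject]@{ LockedOut = $true; LockedAt = $lockedAt; ExpiresAt = $null; Stale = $false }
    }

    # Negate the (negative) duration to get the number of ticks to add.
    $expiresAt = $lockedAt.AddTicks(-$lockoutDuration)

    # Stale case from the article: the lockout expired, but lockoutTime is still
    # set because the user has not logged on since.
    $stale = [DateTime]::UtcNow -ge $expiresAt
    return [pscustomobject]@{ LockedOut = (-not $stale); LockedAt = $lockedAt; ExpiresAt = $expiresAt; Stale = $stale }
}

function Unlock-Account {
    param([string]$UserPath)
    # The reset the article describes: write lockoutTime = 0 through the LDAP provider.
    $user = [ADSI]$UserPath
    $user.Put("lockoutTime", 0)
    $user.SetInfo()
}

$status = Get-LockoutStatus -UserPath $UserPath -DomainPath $DomainPath
if ($status.LockedOut) {
    if ($null -ne $status.ExpiresAt) {
        "User is locked out since $($status.LockedAt) UTC, until $($status.ExpiresAt) UTC"
    } else {
        "User is locked out since $($status.LockedAt) UTC, until an administrator unlocks the account"
    }
} elseif ($status.Stale) {
    "User is not locked out (lockoutTime $($status.LockedAt) UTC expired at $($status.ExpiresAt) UTC and has not been cleared yet)"
} else {
    "User is not locked out"
}
```

Run it as an account that can read lockoutTime on the user and lockoutDuration on the domain head; unlocking additionally requires write access to lockoutTime. On a domain whose policy never expires lockouts, ExpiresAt is null and the account stays reported as locked until Unlock-Account (or an administrator) clears it.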

Keywords: kbprb, KB250873

Article Info
Article ID : 250873
Revision : 5
Created on : 2/11/2009
Published on : 2/11/2009
Exists online : False
Views : 476