How to check if a user account is locked via PHP/LDAP?

Question

We've created an intranet site that requires the same password as the user's network login, so we use LDAP to check the username/password.

That's fine, but if they enter it incorrectly three times it locks their account out, and one or two users have found this confusing.

Is there anyway at all I could check, using LDAP/PHP whether or not their account is locked, so I can display a little message prompting them to contact IT?

Answer 1

One of AD profile attribute useraccountcontrol. This contains decimal value which can be converted into readable here;

• https://support.microsoft.com/en-us/kb/305144
• http://ananthdeodhar.com/php-active-directory-integration-get-useraccountcontrol-attributes/

Locked can be referring to multiple cases, normally

• ACCOUNTDISABLE 2 / 0x0002 (hexa)
• PASSWORD_EXPIRED 8388608 / 0x800000
• LOCKOUT 16 / 0x0010