PHP : How to lock an active directory user account?

Question

i've a working script that allow me to unlock a user account (by setting lockouttime AD attribute to 0) something like this :

$entry["lockouttime"][0]=0;
$mod=ldap_mod_replace($ds,$dn,$entry)

Now I'd like to do the opposite : lock the account. I've read that lockouttime is a system attribute and active directory will not allow us to set its value to something else that 0.

So i'm trying to bind to the server with the user account and a bad password, but this doesn't seem to work.

for($i=0;$i<10;$i++){   
    ldap_bind($ds,$dn, "theWrongPasswd");
}

running this will show this error

Warning: ldap_bind(): Unable to bind to server: Invalid credentials

but the account is still unlock.

Do you have any idea on how can i do this? Thanks in advance.

Answer 1

LDAP bind attempts don't count as logon attempts. Using APIs like LogonUser and CreateProcessWithLogon generate logon attempts.

Answer 2

Locking the user via the userAccountControl's LOCKOUT Flag (0x0010) is not possible. This flag is related to the AD's password policy and will be set by the system if there are too many login attempts. I've tried it myself: After setting the flag and commiting the changes to the AD the changes, the value did not change - no Exception was thrown.

Disabling an account will propably achieve the same thing you want to do. For this you will have to set the ACCOUNTDISABLE Flag (0x0002).

This is the list of all UAC flags: http://support.microsoft.com/kb/305144/en-us