I've a working script that allows me to unlock a user account (by setting the lockoutTime AD attribute to 0), something like this:
$entry["lockouttime"][0] = 0;
$mod = ldap_mod_replace($ds, $dn, $entry);
Now I'd like to do the opposite: lock the account. I've read that lockoutTime is a system attribute and Active Directory will not allow us to set its value to anything other than 0.
So I'm trying to bind to the server with the user account and a bad password, but this doesn't seem to work.
for ($i = 0; $i < 10; $i++) {
    ldap_bind($ds, $dn, "theWrongPasswd");
}
Running this shows this error:
Warning: ldap_bind(): Unable to bind to server: Invalid credentials
but the account is still unlocked.
Do you have any idea how I can do this? Thanks in advance.
Open Active Directory Users and Computers. Right-click on the User whose account you need unlocked and select Properties from the context menu. In the Properties window, click on the Account tab. Select the Unlock Account checkbox.
An LDAP administrator can administratively lock a user's account by setting the ibm-pwdAccountLocked operational attribute to true. This prevents the user from authenticating successfully to the LDAP server. This example uses the ldapmodify utility to set the ibm-pwdAccountLocked attribute value to true.
A Group Policy Editor console will open. Now, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Account Lockout Policy. Double-click Account Lockout Policy to reveal the three account lockout settings available in AD.
LDAP bind attempts don't count as logon attempts. Using APIs like LogonUser and CreateProcessWithLogon generates logon attempts.
Locking the user via the userAccountControl's LOCKOUT flag (0x0010) is not possible. This flag is related to the AD's password policy and will be set by the system if there are too many login attempts. I've tried it myself: after setting the flag and committing the changes to the AD, the value did not change - no Exception was thrown.
Disabling an account will probably achieve the same thing you want to do. For this you will have to set the ACCOUNTDISABLE flag (0x0002).
This is the list of all UAC flags: http://support.microsoft.com/kb/305144/en-us
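Added example (not code from the question or any of the answers): a PHP read-modify-write of userAccountControl that sets or clears the ACCOUNTDISABLE bit while preserving the account's other flags, which is the disable-instead-of-lock approach the answer above recommends. It assumes $ds is an LDAP link already bound with an account permitted to write userAccountControl and $dn is the user's distinguished name, as in the question; the constant and function names are my own.

```php
<?php
// Added example: disable or re-enable an AD user by toggling the
// ACCOUNTDISABLE bit (0x0002) in userAccountControl, rather than trying to
// write the system-managed lockoutTime attribute or the LOCKOUT (0x0010) flag.
const UAC_ACCOUNTDISABLE = 0x0002;
const UAC_LOCKOUT        = 0x0010; // read-only: AD sets it after too many bad logons

function getUserAccountControl($ds, string $dn): int
{
    // Read the current bitmask first so other flags (e.g. NORMAL_ACCOUNT 0x0200,
    // DONT_EXPIRE_PASSWORD 0x10000) survive the write-back unchanged.
    $sr = ldap_read($ds, $dn, '(objectClass=user)', ['userAccountControl']);
    if ($sr === false) {
        throw new RuntimeException('ldap_read failed: ' . ldap_error($ds));
    }
    $entries = ldap_get_entries($ds, $sr); // attribute keys come back lowercased
    if ($entries['count'] !== 1 || !isset($entries[0]['useraccountcontrol'][0])) {
        throw new RuntimeException("No unique userAccountControl for $dn");
    }
    return (int) $entries[0]['useraccountcontrol'][0];
}

function setAccountDisabled($ds, string $dn, bool $disabled): int
{
    $uac = getUserAccountControl($ds, $dn);
    $new = $disabled ? ($uac | UAC_ACCOUNTDISABLE) : ($uac & ~UAC_ACCOUNTDISABLE);
    if ($new !== $uac) {
        // userAccountControl is a single-valued integer; replace the whole mask.
        if (!ldap_mod_replace($ds, $dn, ['userAccountControl' => (string) $new])) {
            throw new RuntimeException('ldap_mod_replace failed: ' . ldap_error($ds));
        }
    }
    return $new; // the mask now stored in AD
}

function isLockedOutByPolicy($ds, string $dn): bool
{
    // LOCKOUT cannot be written by us, but it can be read to report the state
    // AD itself set after repeated bad passwords.
    return (getUserAccountControl($ds, $dn) & UAC_LOCKOUT) !== 0;
}

// Usage, with $ds and $dn prepared as in the question:
// setAccountDisabled($ds, $dn, true);   // block logons (disable the account)
// setAccountDisabled($ds, $dn, false);  // re-enable it later
// var_dump(isLockedOutByPolicy($ds, $dn));
```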