PHP: How to lock an Active Directory user account?

I've a working script that allows me to unlock a user account (by setting the lockoutTime AD attribute to 0), something like this:

$entry["lockouttime"][0] = 0;               // lockoutTime = 0 clears the lockout
$mod = ldap_mod_replace($ds, $dn, $entry);  // $ds: bound LDAP connection, $dn: the user's DN

Now I'd like to do the opposite: lock the account. I've read that lockoutTime is a system attribute and Active Directory will not allow us to set its value to anything other than 0.

So I'm trying to bind to the server with the user account and a bad password, but this doesn't seem to work.

for ($i = 0; $i < 10; $i++) {
    // deliberately wrong password, hoping to trigger the lockout threshold
    ldap_bind($ds, $dn, "theWrongPasswd");
}

Running this shows this error:

Warning: ldap_bind(): Unable to bind to server: Invalid credentials

but the account is still unlocked.

Do you have any idea how I can do this? Thanks in advance.

Loïc MICHEL asked Jan 10 '14 09:01



2 Answers

LDAP bind attempts don't count as logon attempts. Using APIs like LogonUser and CreateProcessWithLogon generates logon attempts.

Sean Hall answered Oct 23 '22 05:10


Locking the user via the userAccountControl LOCKOUT flag (0x0010) is not possible. This flag is related to the AD's password policy and will be set by the system if there are too many login attempts. I've tried it myself: after setting the flag and committing the changes to the AD, the value did not change - no exception was thrown.

Disabling an account will probably achieve the same thing you want to do. For this you will have to set the ACCOUNTDISABLE flag (0x0002).

This is the list of all UAC flags: http://support.microsoft.com/kb/305144/en-us

wodzu answered Oct 23 '22 04:10
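The approach in the answer above (flip the ACCOUNTDISABLE bit rather than try to write the system-managed LOCKOUT bit), worked through in PHP as an added example; this is not code from the question or either answer. It assumes `$ds` is an LDAP connection already bound as an account allowed to modify the user and `$dn` is the user's distinguished name; the server name, bind account and user DN in the usage comments are placeholders. The read-modify-write keeps every other userAccountControl flag intact, which a blind `ldap_mod_replace` of a fixed value would not.

```php
<?php
// Added example (not from the question or the answers): disable and re-enable
// an AD user by toggling the ACCOUNTDISABLE bit (0x0002) of userAccountControl.
// Assumes $ds is an authenticated LDAP connection with modify rights on the
// user and $dn is the user's DN; both are placeholders supplied by the caller.

const UAC_ACCOUNTDISABLE = 0x0002;   // from the UAC flag list linked above
const UAC_LOCKOUT        = 0x0010;   // system-managed; writing it has no effect

// Pure helpers, so the bit arithmetic can be checked without a directory.
function uacWithDisabled(int $uac, bool $disabled): int
{
    return $disabled ? ($uac | UAC_ACCOUNTDISABLE) : ($uac & ~UAC_ACCOUNTDISABLE);
}

function uacIsDisabled(int $uac): bool
{
    return ($uac & UAC_ACCOUNTDISABLE) !== 0;
}

// Read the current userAccountControl, change only the ACCOUNTDISABLE bit and
// write it back; every other flag (e.g. DONT_EXPIRE_PASSWORD) is preserved.
function setAccountDisabled($ds, string $dn, bool $disabled): bool
{
    $sr = ldap_read($ds, $dn, '(objectClass=user)', ['userAccountControl']);
    if ($sr === false) {
        throw new RuntimeException('ldap_read failed: ' . ldap_error($ds));
    }
    $entries = ldap_get_entries($ds, $sr);
    if ($entries['count'] !== 1) {
        throw new RuntimeException("user not found: $dn");
    }
    // ldap_get_entries lower-cases attribute names
    $current = (int) $entries[0]['useraccountcontrol'][0];
    $new     = uacWithDisabled($current, $disabled);
    if ($new === $current) {
        return true; // already in the requested state, nothing to write
    }
    // AD stores the value as an integer but LDAP carries it as a string
    $ok = ldap_mod_replace($ds, $dn, ['userAccountControl' => (string) $new]);
    if (!$ok) {
        throw new RuntimeException('ldap_mod_replace failed: ' . ldap_error($ds));
    }
    return true;
}

// Usage (placeholders: replace with a real server, bind account and user DN).
// ldaps is used so the admin credential is not sent in clear text.
// $ds = ldap_connect('ldaps://dc.example.com');
// ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
// ldap_bind($ds, 'CN=svc-admin,OU=Service,DC=example,DC=com', getenv('LDAP_PASSWORD'));
// setAccountDisabled($ds, 'CN=John Doe,OU=Users,DC=example,DC=com', true);  // "lock"
// setAccountDisabled($ds, 'CN=John Doe,OU=Users,DC=example,DC=com', false); // re-enable

// Offline check of the helpers with a constructed value:
// 0x10200 = NORMAL_ACCOUNT (0x0200) | DONT_EXPIRE_PASSWORD (0x10000)
assert(uacWithDisabled(0x10200, true) === 0x10202);
assert(uacIsDisabled(0x10202) === true);
assert(uacWithDisabled(0x10202, false) === 0x10200);
```

One difference from a real lockout worth keeping in mind: a locked-out account is released automatically when the domain's lockout duration expires, whereas a disabled account stays disabled until someone clears the bit again, so a disable-based "lock" needs its own re-enable step.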