[Samba] Account locked and delayed user data propagation...
rpenny at samba.org
Wed Dec 4 12:05:54 UTC 2019
On 04/12/2019 11:21, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
> In chel di` si favelave...
>> I think you are over thinking this ;-)
> I'm simply applying the policy... ;-)
> say at the bottom:
> This attribute value is only reset when the account is logged onto successfully.
> This means that this value may be non zero, yet the account is not locked out.
> To accurately determine if the account is locked out, you must add the Lockout-Duration
> to this time and compare the result to the current time, accounting for local time zones
> and daylight savings time.
>> So, all you need to do, check for the lockouttime attribute and if found and
>> it isn't '0', set it to '0'
> Better to fire up a bug? Or there's an operational field like
> 'LockoutExpiration' to test with?
Well, yes, it will be unlocked automatically and 'lockoutTime' set to
'0', but we are talking about a script to do this if this doesn't occur.
If you go here: http://www.selfadsi.org/extended-ad/user-unlock.htm
go down to: Unlock with the attribute lockoutTime
The easiest unlock method is based on the *lockoutTime
and works for all Active Directory versions since Windows 2000: The
attribute lockoutTime holds the date and time of the account lock event
- but the value is stored in the complex format of a Microsoft DateTime
(64-Bit Long 'Integer8': 100-nanosecond steps since 01/01/1600).
Fortunately, we don't have to calculate a certain value in order to
unlock the regarding account: It's enough to write a Null value into the
i.e. replace whatever is in lockoutTime with a '0'
More information about the samba