[Samba] Account locked and delayed user data propagation...

Rowland penny rpenny at samba.org
Wed Dec 4 12:05:54 UTC 2019

On 04/12/2019 11:21, Marco Gaiarin via samba wrote:
> Hello! Rowland penny via samba
>    On that day it was said...
>> I think you are over thinking this ;-)
> I'm simply applying the policy... ;-)
> 	https://docs.microsoft.com/it-it/windows/win32/adschema/a-lockouttime
> says at the bottom:
>   This attribute value is only reset when the account is logged onto successfully.
>   This means that this value may be non zero, yet the account is not locked out.
>   To accurately determine if the account is locked out, you must add the Lockout-Duration
>   to this time and compare the result to the current time, accounting for local time zones
>   and daylight savings time.
>> So, all you need to do, check for the lockouttime attribute and if found and
>> it isn't '0', set it to '0'
> Better to fire up a bug? Or there's an operational field like
> 'LockoutExpiration' to test with?
> Thanks.
Well, yes, it will be unlocked automatically and 'lockoutTime' set to 
'0', but we are talking about a script to do this if this doesn't occur.

If you go here: http://www.selfadsi.org/extended-ad/user-unlock.htm

go down to: Unlock with the attribute lockoutTime

It says:

The easiest unlock method is based on the *lockoutTime 
<http://www.selfadsi.org/ads-attributes/user-lockoutTime.htm>* attribute 
and works for all Active Directory versions since Windows 2000: The 
attribute lockoutTime holds the date and time of the account lock event 
- but the value is stored in the complex format of a Microsoft DateTime 
Interval timestamp 
(64-Bit Long 'Integer8': 100-nanosecond steps since 01/01/1600). 
Fortunately, we don't have to calculate a certain value in order to 
unlock the regarding account: It's enough to write a Null value into the 
lockoutTime attribute

i.e. replace whatever is in lockoutTime with a '0'
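
An added example, not part of the original message or of Samba's code: the check described in the quoted Microsoft note (lockoutTime plus the lockout duration, compared with the current time), written in Python. It assumes lockoutTime and the domain's lockoutDuration have already been read as integers, that lockoutDuration is a negative count of 100 ns ticks, and that a non-negative lockoutDuration means the lock never expires on its own; the function names and sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# AD large-integer timestamps count 100 ns ticks from the FILETIME epoch,
# 1601-01-01 00:00:00 UTC. Working in UTC sidesteps local time zone and DST.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def to_filetime(dt):
    """Convert a timezone-aware datetime to 100 ns ticks since 1601 (UTC)."""
    delta = dt - FILETIME_EPOCH  # raises TypeError for a naive datetime
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks):
    """Convert 100 ns ticks since 1601 to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def lockout_state(lockout_time, lockout_duration, now):
    """Classify an account as 'not-locked', 'locked' or 'stale'.

    'stale' means lockoutTime is still non-zero although the lockout window
    has passed, which is the case a cleanup script would reset to 0.
    """
    if not lockout_time:           # attribute absent (None) or already 0
        return "not-locked"
    if lockout_duration >= 0:      # assumption: lock never expires by itself
        return "locked"
    expires = lockout_time - lockout_duration  # duration is negative ticks
    return "locked" if expires > to_filetime(now) else "stale"


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample values: locked at 11:00 UTC, 30 minute duration.
    locked_at = to_filetime(datetime(2019, 12, 4, 11, 0, tzinfo=utc))
    duration = -30 * 60 * TICKS_PER_SECOND
    print("lock expires:", from_filetime(locked_at - duration))
    for now in (datetime(2019, 12, 4, 11, 21, tzinfo=utc),
                datetime(2019, 12, 4, 12, 5, 54, tzinfo=utc)):
        print(now.isoformat(), lockout_state(locked_at, duration, now))
```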

