Programmatically Changing the Lockout Flag in Windows 2000

ID: Q250873


The information in this article applies to:
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server


SYMPTOMS

When you use a program to read and reset the user account lockout bit, the program may never report a user as locked out. The code you are using may look like the following sample script (written in Visual Basic Scripting Edition):


Set oUser = GetObject("LDAP://cn=locked out user,cn=Users,DC=domain,DC=com")
' Over the LDAP provider IsAccountLocked does not reflect the lockout state,
' so this script always takes the "not locked out" branch.
if oUser.IsAccountLocked then
  WScript.Echo "User is locked out"
else
  WScript.Echo "User is not locked out"
end if

The userAccountControl property also does not reflect the locked-out status.


CAUSE

The IsAccountLocked property is not available through the Lightweight Directory Access Protocol (LDAP) provider. The lockout flag (the UF_LOCKOUT bit) is not stored on the user object in Active Directory; it is computed on the fly from the account's lockout state, and only the WinNT provider, which reads the account through the Security Accounts Manager (SAM) interface, performs that computation. The LDAP provider returns the stored userAccountControl value, in which the bit is never set.


RESOLUTION

To read or reset the lockout bit, use the WinNT provider to gain access to Active Directory. The following sample script (written in VBScript) demonstrates this method:


' The WinNT provider reads the account through SAM, which computes the lockout
' state, so IsAccountLocked is meaningful here.
Set oUser = GetObject("WinNT://domainname/username")
if oUser.IsAccountLocked then
  WScript.Echo "User is locked out"
else
  WScript.Echo "User is not locked out"
end if

The userFlags property has the UF_LOCKOUT bit (ADS_UF_LOCKOUT, value 0x10) set as well. If a group or computer in the domain could share the user's name, append the object class to the WinNT path (for example, WinNT://domainname/username,user); otherwise the provider has to search for the object and may bind to the wrong one.


STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.


MORE INFORMATION

Account lockout is tracked through the user's lockoutTime attribute, a large integer that holds the time of the lockout as a FILETIME (100-nanosecond intervals since January 1, 1601, UTC). When you access Active Directory by using the LDAP provider, read this attribute to determine the lockout status: if it is zero or absent, the account is not locked out; if it is larger than zero, the account was locked out at that time. Note that the domain controller does not clear lockoutTime when the domain's lockout duration expires; it only stops honoring it. A value larger than zero therefore means the account is still locked only if the lockout duration (the domain's lockoutDuration attribute) has not yet elapsed. To undo the lockout, set lockoutTime to zero; this requires write permission on the attribute. Before you reset it, check why the account was locked: clearing the lock without looking at the failed logons that caused it can hide a password-guessing attempt.
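Both the WinNT method under RESOLUTION and the LDAP lockoutTime method above, as an added PowerShell example that is not part of the original article (the article predates PowerShell). It uses System.DirectoryServices and the same two ADSI providers; the domain DN, NetBIOS name and account names are the article's placeholders and must be replaced. It also adds the check the article omits: because lockoutTime stays set after the domain's lockout duration has expired, it compares lockoutTime plus lockoutDuration against the current time before reporting an account as locked. The function names are this example's own.

```powershell
# Added example; not code from the KB article. Assumes the article's names:
# domain DN DC=domain,DC=com, NetBIOS name "domainname", and the user's DN and
# sAMAccountName below. Reading needs ordinary read access; the Reset-* functions
# need write access to lockoutTime (the delegated "Unlock account" right).

$UF_LOCKOUT      = 0x10              # ADS_UF_LOCKOUT bit in userFlags / userAccountControl
$LOCKOUT_FOREVER = [long]::MinValue  # lockoutDuration value meaning "locked until an administrator unlocks"

function Get-AdAttributes {
    # Base-scope search of a single object. DirectorySearcher hands back large
    # integers (lockoutTime, lockoutDuration) as Int64, so no HighPart/LowPart math.
    param([string]$Dn, [string[]]$Names)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$Dn"
    $s.SearchScope = 'Base'
    $s.Filter      = '(objectClass=*)'
    [void]$s.PropertiesToLoad.AddRange($Names)
    $r = $s.FindOne()
    if ($null -eq $r) { throw "Object not found: $Dn" }
    return $r.Properties
}

function Get-LdapLockoutState {
    param(
        [string]$UserDn   = 'cn=locked out user,cn=Users,DC=domain,DC=com',
        [string]$DomainDn = 'DC=domain,DC=com'
    )
    $u = Get-AdAttributes -Dn $UserDn   -Names @('lockoutTime', 'userAccountControl', 'sAMAccountName')
    $d = Get-AdAttributes -Dn $DomainDn -Names @('lockoutDuration')

    # lockoutTime is absent or 0 for an account that was never locked or has been unlocked.
    $lockoutTime = 0L
    if ($u.Contains('lockouttime') -and $u['lockouttime'].Count -gt 0) { $lockoutTime = [long]$u['lockouttime'][0] }
    $uac      = [int]$u['useraccountcontrol'][0]
    $duration = [long]$d['lockoutduration'][0]   # negative count of 100 ns intervals

    $lockedAt = $null; $lockedUntil = $null; $locked = $false
    if ($lockoutTime -gt 0) {
        $lockedAt = [DateTime]::FromFileTimeUtc($lockoutTime)
        if ($duration -eq $LOCKOUT_FOREVER) {
            $locked = $true
        } else {
            # The DC never clears lockoutTime when the duration elapses; it only
            # stops honouring it. Apply the same test so stale locks are not reported.
            $lockedUntil = [DateTime]::FromFileTimeUtc($lockoutTime - $duration)
            $locked      = [DateTime]::UtcNow -lt $lockedUntil
        }
    }
    [pscustomobject]@{
        Account          = [string]$u['samaccountname'][0]
        LockedAtUtc      = $lockedAt
        LockedUntilUtc   = $lockedUntil
        CurrentlyLocked  = $locked
        UacHasLockoutBit = (($uac -band $UF_LOCKOUT) -ne 0)   # stays $false over LDAP (the article's symptom)
    }
}

function Get-WinNTLockoutState {
    # The WinNT provider reads the account through SAM, which is why IsAccountLocked
    # and the UF_LOCKOUT bit in userFlags are populated here but not over LDAP.
    param([string]$Domain = 'domainname', [string]$User = 'username')
    $acct  = [ADSI]"WinNT://$Domain/$User,user"      # ",user" pins the object class
    $flags = [int]$acct.psbase.InvokeGet('UserFlags')
    [pscustomobject]@{
        Account                = $User
        IsAccountLocked        = [bool]$acct.psbase.InvokeGet('IsAccountLocked')
        UserFlagsHasLockoutBit = (($flags -band $UF_LOCKOUT) -ne 0)
    }
}

function Reset-LockoutTimeLdap {
    # The article's LDAP method: write lockoutTime = 0 and commit.
    param([string]$UserDn = 'cn=locked out user,cn=Users,DC=domain,DC=com')
    $user = [ADSI]"LDAP://$UserDn"
    $user.Put('lockoutTime', 0)
    $user.SetInfo()
}

function Reset-LockoutWinNT {
    # The article's WinNT method: clear IsAccountLocked and commit.
    param([string]$Domain = 'domainname', [string]$User = 'username')
    $acct = [ADSI]"WinNT://$Domain/$User,user"
    $acct.psbase.InvokeSet('IsAccountLocked', $false)
    $acct.psbase.CommitChanges()
}

# Usage, from a session holding the rights noted above:
#   Get-LdapLockoutState  | Format-List
#   Get-WinNTLockoutState | Format-List
#   Reset-LockoutTimeLdap       # or Reset-LockoutWinNT
```

Run the two Get-* functions against the same account and compare: on Windows 2000 the LDAP result shows UacHasLockoutBit false even while the WinNT result reports IsAccountLocked true, which is exactly the symptom this article describes. LockedAtUtc is the time to line up with the domain controller's lockout audit record (event 644, User Account Locked Out, on Windows 2000) before deciding whether a reset is appropriate.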

Keywords : kbprb
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbprb


Last Reviewed: January 14, 2000
© 2000 Microsoft Corporation. All rights reserved.