Monday, September 9, 2013

Locate a locked Active Directory user account attribute by LDAP

In "Search and unlock an Active Directory user account by PowerShell", we could easily locate a locked user account and unlock it. However, I would like to know which attribute relates to a locked Active Directory user account.

In order to find this Active Directory attribute, I used "Ldp" to locate it.

Test environment
1) Two user accounts in the Active Directory Users container, named User1 and User2.
2) Enabled the "Account Lockout Policy" via GPMC in my test domain.
3) Two servers named DC01 and MS01. DC01 is a domain controller and MS01 is a member server.

Lab
1. Log on and log off as User1 and User2 on MS01.
2. On DC01, log in as Domain Administrator.
3. Launch "Ldp" by running "ldp" in a Command Prompt.

4. On the menu of "Ldp", click "Connection > Connect".

5. On the "Connect" window, next to "Server", enter "localhost".

6. Click "OK".
7. On the menu of "Ldp", click "Connection > Bind".

8. On the "Bind" window, click "OK".

9. On the menu of "Ldp", click "View > Tree".

10. On the "Tree View" window, next to "BaseDN", select the domain directory partition.

11. Click "OK".
12. In the left pane of "Ldp", expand "Domain name > CN=Users,DC=domain,DC=local".
13. Double-click "CN=User1,CN=Users,DC=domain,DC=local".

14. Double-click "CN=User2,CN=Users,DC=domain,DC=local".

We can see all attributes of both accounts.

15. Try to log in as User1 on MS01 with a wrong password three times.
16. Back on DC01, double-click "CN=User1,CN=Users,DC=domain,DC=local".

A new attribute, lockoutTime, has been added to User1, and its value is greater than 0.

17. Launch "Active Directory Users and Computers".
18. Navigate to the "Users" container and double-click "User1".
19. On the "User1 Properties" window, select the "Account" tab.
20. Check "Unlock account. This account is currently locked out on this Active Directory Domain Controller".

21. Click "OK".
22. Back in "Ldp", double-click "CN=User1,CN=Users,DC=domain,DC=local".

As a result, the lockoutTime attribute was reset to 0.

I assumed that if I use LDAP to query the users' lockoutTime attribute and it is greater than 0, the user accounts are locked.
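The same lookup from PowerShell, as an added example that is not code from the original post: it uses System.DirectoryServices to query the lockoutTime attribute observed in Ldp and, because Active Directory does not clear lockoutTime when the lockout duration expires, compares it with the domain's lockoutDuration to report which accounts are still locked. It assumes it runs on a domain-joined machine with the current user's credentials and defaults the search base to the domain root.

```powershell
# Added example, not from the original post. Lists users whose lockoutTime is
# set and decides which are still locked. lockoutTime is NOT reset when the
# lockout duration elapses, so "lockoutTime > 0" alone over-reports: an account
# is locked only while now < lockoutTime + lockoutDuration (a domain setting).

function Test-StillLockedOut {
    param(
        [Parameter(Mandatory)][long]$LockoutTime,      # FILETIME: 100 ns ticks since 1601-01-01 UTC
        [Parameter(Mandatory)][long]$LockoutDuration,  # domain lockoutDuration, stored as a negative tick count
        [datetime]$Now = [datetime]::UtcNow
    )
    if ($LockoutTime -le 0) { return $false }           # 0 or absent = unlocked (what the ADUC checkbox writes)
    if ($LockoutDuration -eq [long]::MinValue) { return $true }  # sentinel: locked until an administrator unlocks
    $lockedAt = [datetime]::FromFileTimeUtc($LockoutTime)
    $unlockAt = $lockedAt.AddTicks(-$LockoutDuration)   # negate: AD stores durations as negative intervals
    return $Now -lt $unlockAt
}

function Get-LockedOutUser {
    param(
        # Defaults to the domain directory partition, like the BaseDN chosen in Ldp's Tree View.
        [string]$SearchBase = [string]([adsi]'LDAP://RootDSE').defaultNamingContext
    )
    $root = [adsi]"LDAP://$SearchBase"

    # lockoutDuration lives on the domain head object (written by the Account Lockout Policy GPO).
    $domainSearch = New-Object System.DirectoryServices.DirectorySearcher(
        $root, '(objectClass=domainDNS)', [string[]]@('lockoutDuration'),
        [System.DirectoryServices.SearchScope]::Base)
    $duration = [long]$domainSearch.FindOne().Properties['lockoutduration'][0]

    # The attribute seen in Ldp, expressed as an LDAP filter: user objects with a non-zero lockoutTime.
    $filter = '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))'
    $search = New-Object System.DirectoryServices.DirectorySearcher(
        $root, $filter, [string[]]@('sAMAccountName', 'lockoutTime'),
        [System.DirectoryServices.SearchScope]::Subtree)
    $search.PageSize = 500    # paged results so large domains return every match

    foreach ($r in $search.FindAll()) {
        $lt = [long]$r.Properties['lockouttime'][0]
        [pscustomobject]@{
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            LockedAtUtc    = [datetime]::FromFileTimeUtc($lt)
            StillLockedOut = Test-StillLockedOut -LockoutTime $lt -LockoutDuration $duration
        }
    }
}

Get-LockedOutUser | Format-Table -AutoSize
```

The domain controller performs the same time comparison itself when it computes the UF_LOCKOUT bit (0x10) of the constructed attribute msDS-User-Account-Control-Computed, which is the authoritative server-side answer.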

This posting is provided “AS IS” with no warranties, and confers no rights!
