Microsoft KB Archive/250873: Difference between revisions
Latest revision as of 13:51, 21 July 2020
Article ID: 250873
Article Last Modified on 2/28/2007
APPLIES TO
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
This article was previously published under Q250873
SYMPTOMS
When you are using a program to read and reset the user account lockout bit, your program may never report a user as locked out. The code you are using may look like the following sample script (written in Visual Basic Scripting Edition).
    ' Bind to the user object through the LDAP provider.
    Set oUser = GetObject("LDAP://cn=locked out user,cn=Users,DC=domain,DC=com")
    ' Through this provider the property does not reflect the lockout (see CAUSE).
    if oUser.IsAccountLocked then
        WScript.Echo "User is locked out"
    else
        WScript.Echo "User is not locked out"
    end if
The userAccountControl property also does not reflect the locked-out status.
CAUSE
The IsAccountLocked property is not accessible by using the Lightweight Directory Access Protocol (LDAP) provider. The lockout flag is not stored in Active Directory, but is created on the fly only when you access Active Directory by using the WinNT provider.
RESOLUTION
To read or reset the lockout bit, use the WinNT provider to gain access to Active Directory. The following sample VBScript demonstrates this method.
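    ' Bind to the same account through the WinNT provider instead.
    Set oUser = GetObject("WinNT://domainname/username")
    ' Through this provider IsAccountLocked reflects the lockout bit.
    if oUser.IsAccountLocked then
        WScript.Echo "User is locked out"
    else
        WScript.Echo "User is not locked out"
    end if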
The userFlags property has the UF_LOCKOUT bit set as well.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
User lockout uses the user's lockoutTime property. When you access Active Directory by using the LDAP provider, you can read lockoutTime to determine the lockout status of the user. If the value is larger than zero, the user is currently locked out. To undo the lockout, set the value to zero.
The lockoutTime property is cleared only when the locked-out user attempts to log on. When the lockout time has expired but the user has not yet tried to log on, lockoutTime may still be set, although the user would be able to log on successfully at that time.
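The following added example (not part of the original Microsoft article) classifies raw lockoutTime values, including the stale case described above where the lockout has expired but the attribute is still set. It assumes lockoutTime is read as a FILETIME integer and that the caller supplies the domain's lockout duration, which the article does not cover; the function names and sample accounts are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# lockoutTime is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed samples."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def lockout_state(lockout_time, now, duration=None):
    """Classify an account from its raw lockoutTime value.

    lockout_time: integer read over LDAP (None if the attribute is unset)
    now:          aware datetime to evaluate against
    duration:     lockout duration as a timedelta; None means the account
                  stays locked until an administrator resets it (assumption:
                  the caller looks this policy value up separately)
    """
    if lockout_time is None or int(lockout_time) <= 0:
        return "not_locked"
    locked_at = filetime_to_datetime(int(lockout_time))
    if duration is None or now < locked_at + duration:
        return "locked"
    # Lockout expired, but the user has not tried to log on since, so the
    # attribute still holds the old timestamp.
    return "stale"


def audit(accounts, now, duration=None):
    """Map each account name to its lockout state."""
    return {name: lockout_state(v, now, duration) for name, v in accounts.items()}


# Constructed sample data: names and timestamps are illustrative only.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLES = {
    "alice": 0,                                                 # reset by an admin
    "bob": datetime_to_filetime(NOW - timedelta(minutes=10)),   # recent lockout
    "carol": datetime_to_filetime(NOW - timedelta(hours=2)),    # expired lockout
    "dave": None,                                               # never locked
}

if __name__ == "__main__":
    for name, state in audit(SAMPLES, NOW, timedelta(minutes=30)).items():
        print(f"{name}: {state}")
```

A report built on "lockoutTime greater than zero" alone would list carol as locked; comparing against the policy duration separates her from accounts that are still blocked.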
Keywords: kbprb KB250873