Results 1 to 5 of 5
  1. #1
    Lounger
    Join Date
    Jan 2005
    Location
    Orange, California, USA
    Posts
    33
    Thanks
    0
    Thanked 0 Times in 0 Posts

    ADS - Is the account REALLY locked? (VB6)

    The following code is in a class module I call as a method from a form:

    Public Function IsAccountLocked(oUser As IADsUser) As Boolean



    Dim lckTime As Variant


    On Error Resume Next




    Set lckTime = oUser.Get("lockoutTime")


    If Err.Number <> 0 Then 'Property not found in cache so account not locked
    IsAccountLocked = False
    Else
    If lckTime.HighPart = 0 And lckTime.LowPart = 0 Then 'attribute is present but is zero
    IsAccountLocked = False
    Else
    IsAccountLocked = True 'the attribute has a value set
    End If
    End If

    End Function

    For the most part, this thing works. When a user complains and calls in that their account is locked, this utility allows our help desk to correctly identify the user is locked and can then unlock them. I took it a step further and wrote something that spins through users in an OU in Active Directory and determine if they are currently locked. I locked a test account just to make sure I had a valid return in there. My test user comes up on the report, along with about 4 other users (out of a couple hundred). When I pull up the other users, the check box is disabled as if the user wasn't locked. The user was also able to log in. My test account did show the check in the account locked attribute and was not able to log in.

    Though this is working for us currently, I am a bit concerned that it might not be consistent. Can someone examine the code I listed above and offer any feedback on why we are seeing this?

  2. #2
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: ADS - Is the account REALLY locked? (VB6)

    According to this article.
    <hr>
    This attribute value is only reset when the account is logged onto successfully. This means that this value may be non zero, yet the account is not locked out. To accurately determine if the account is locked out, you must add the Lockout-Duration to this time and compare the result to the current time, accounting for local time zones and daylight savings time.
    <hr>
    Why not just use oUser.IsAccountLocked, as in <!mskb=250873>Microsoft Knowledge Base Article 250873<!/mskb>

    StuartR

  3. #3
    Lounger
    Join Date
    Jan 2005
    Location
    Orange, California, USA
    Posts
    33
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: ADS - Is the account REALLY locked? (VB6)

    Stuart, thanks for your feedback.

    I investigated the IsAccountLocked method using the WinNT call instead of the LDAP as the KB article suggested, and though it never errored, it never reported the lockout accurately. In looking at the other article you referenced it just gives attributes and I am not sure how to translated that into code (I love Microsoft sometimes). But this does give me enough information to search the web now that I know I need to also be looking at evaluating the Lockout-Duration property

  4. #4
    Lounger
    Join Date
    Jan 2005
    Location
    Orange, California, USA
    Posts
    33
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: ADS - Is the account REALLY locked? (VB6)

    Stuart (or anyone), In my searching the web I have found several references to the fact that the lockout duration needs to be tested in relation to the current date/time but I have not found anyone that offered up any example code to accomplish this. Since everyone else seems to just reply

  5. #5
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: ADS - Is the account REALLY locked? (VB6)

    I didn't test this, but a google search for LockoutDuration LockoutTime gave this example on the second page of results.

    StuartR

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •