Unlocking Active Directory Accounts using LDAP

I am using PHP with LDAP to manage some aspects of user accounts within Active Directory. One of the things I needed to do was to reset the accounts of users who had incorrectly entered their password too many times. Initially I thought that the ‘useraccountcontrol’ field was what I needed as this is used to disable an account. However I then realised that locked accounts are a different field (locktimeout) and have a different tickbox in the Active Directory GUI:

Selection_077

I tested it by locking an account out see below:

 

Active Directory Account Locked Disabled

And checking the LDAP values of the locked out account I see that the field ‘lockouttime’ is set as follows:

Selection_078

So in my PHP I just needed to check whether lockouttime exists / is_numeric and unlock it by setting it to zero using ldap_mod_replace.

PHP LDAP Modify

 

 

Leave a Reply

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">