I am using PHP with LDAP to manage some aspects of user accounts within Active Directory. One of the things I needed to do was to reset the accounts of users who had incorrectly entered their password too many times. Initially I thought that the ‘userAccountControl’ field was what I needed, as this is the field used to disable an account (the ACCOUNTDISABLE bit). However, I then realised that a locked-out account is recorded in a different attribute, ‘lockoutTime’, and has a different tickbox in the Active Directory GUI. The LOCKOUT bit that also exists in userAccountControl is not the authoritative source: it is reported through the computed attribute msDS-User-Account-Control-Computed and is derived from lockoutTime, so lockoutTime is the value to read and write.
I tested it by locking an account out, see below:
Checking the LDAP values of the locked-out account, I see that the field ‘lockoutTime’ is set as follows:
So in my PHP I just needed to check whether lockoutTime exists and is a non-zero number, and unlock the account by setting it to zero using ldap_mod_replace. Two things to keep in mind: the value is a Windows FILETIME (100-nanosecond intervals since 1 January 1601 UTC), not a Unix timestamp, and AD does not clear it automatically when the lockout duration expires, so a non-zero lockoutTime alone does not prove the account is still locked. Comparing it against the domain’s lockoutDuration tells you whether the unlock is actually needed.
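The following is an added example of the whole check-and-unlock flow in PHP; it is not the code from the original post. It assumes a domain controller reachable over LDAPS, a service account with rights to write lockoutTime on the target users, and placeholder hostnames, DNs and credentials (all hypothetical). It escapes the caller-supplied username with ldap_escape so it cannot be turned into LDAP filter syntax, converts the FILETIME value, and only unlocks when the lockout is still within the domain's lockoutDuration window.

```php
<?php
// Added example, not the original post's code. Host, DNs and password below are
// placeholders (assumptions); replace them with values from your environment.
const LDAP_URI = 'ldaps://dc01.example.local';
const BIND_DN  = 'CN=svc-unlock,OU=Service Accounts,DC=example,DC=local';
const BIND_PW  = 'change-me';
const BASE_DN  = 'DC=example,DC=local';

// Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> Unix timestamp.
function filetimeToUnix(int $filetime): int
{
    return intdiv($filetime, 10000000) - 11644473600;
}

function connect()
{
    $ldap = ldap_connect(LDAP_URI);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    if (!ldap_bind($ldap, BIND_DN, BIND_PW)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ldap));
    }
    return $ldap;
}

// lockoutDuration lives on the domain naming-context head and is stored as a
// negative count of 100 ns ticks. Returns seconds, or null for "until an
// administrator unlocks" (assumption: AD encodes "never" as the minimum int64).
function lockoutDurationSeconds($ldap): ?int
{
    $res = ldap_read($ldap, BASE_DN, '(objectClass=*)', ['lockoutduration']);
    $e   = ldap_get_entries($ldap, $res);
    $raw = $e[0]['lockoutduration'][0] ?? '0';
    if ($raw === '0' || $raw === '-9223372036854775808') {
        return null;
    }
    return intdiv(-(int)$raw, 10000000);
}

// Look up one user by sAMAccountName. The username is escaped so a value such
// as "*)(objectClass=*" cannot widen or rewrite the filter.
function findUser($ldap, string $sam): ?array
{
    $filter = sprintf(
        '(&(objectCategory=person)(sAMAccountName=%s))',
        ldap_escape($sam, '', LDAP_ESCAPE_FILTER)
    );
    $res = ldap_search($ldap, BASE_DN, $filter, ['lockouttime']);
    $e   = ldap_get_entries($ldap, $res);
    if ($e['count'] !== 1) {
        return null; // not found or ambiguous: refuse to guess
    }
    return [
        'dn'          => $e[0]['dn'],
        'lockouttime' => (int)($e[0]['lockouttime'][0] ?? 0),
    ];
}

// A non-zero lockoutTime is not enough: AD leaves the stale value in place
// after the lockout window elapses, so compare it against lockoutDuration.
function isLockedOut(int $lockoutTime, ?int $durationSeconds, int $now): bool
{
    if ($lockoutTime === 0) {
        return false;
    }
    if ($durationSeconds === null) {
        return true;
    }
    return ($now - filetimeToUnix($lockoutTime)) < $durationSeconds;
}

// Writing 0 to lockoutTime is the LDAP equivalent of the "Unlock account" tickbox.
function unlock($ldap, string $dn): void
{
    if (!ldap_mod_replace($ldap, $dn, ['lockouttime' => ['0']])) {
        throw new RuntimeException('unlock failed: ' . ldap_error($ldap));
    }
}

$ldap = connect();
$user = findUser($ldap, $argv[1] ?? '');
if ($user === null) {
    fwrite(STDERR, "no unique match for that username\n");
    exit(1);
}
if (isLockedOut($user['lockouttime'], lockoutDurationSeconds($ldap), time())) {
    unlock($ldap, $user['dn']);
    echo "unlocked {$user['dn']}\n";
} else {
    echo "{$user['dn']} is not currently locked out\n";
}
```

Run it as `php unlock.php jsmith`. The bind account only needs write access to lockoutTime on the users it is meant to unlock, so scope its permissions to that OU rather than using a domain administrator, and keep LDAPS (or StartTLS) so the bind password and the modify never cross the wire in clear text.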