I am using PHP with LDAP to manage some aspects of user accounts within Active Directory. One of the things I needed to do was to reset the accounts of users who had incorrectly entered their password too many times. Initially I thought that the ‘userAccountControl’ field was what I needed, as this is used to disable an account. However, I then realised that locked-out accounts use a different attribute (lockoutTime) and have a different tickbox in the Active Directory GUI:
![Selection_077](http://blog.redbranch.net/wp-content/uploads/2014/10/Selection_077-300x84.png)
I tested it by locking an account out, see below:
![Active Directory Account Locked Disabled](http://blog.redbranch.net/wp-content/uploads/2014/10/Selection_079-300x95.png)
Checking the LDAP attributes of the locked-out account, I see that the field ‘lockoutTime’ is set as follows:
![Selection_078](http://blog.redbranch.net/wp-content/uploads/2014/10/Selection_078.png)
So in my PHP I just needed to check whether lockoutTime exists and is_numeric, and unlock the account by setting it to zero using ldap_mod_replace.
![PHP LDAP Modify](http://blog.redbranch.net/wp-content/uploads/2014/10/Selection_080-300x57.png)
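The check-and-unlock described above, written out as an added example (this is not the post's own code; the LDAP URI, bind DN, password, base DN and the sample user name are placeholders):

```php
<?php
// Added example, not the original post's code. Host, bind DN, password and
// base DN below are placeholders; replace them with your own values.
declare(strict_types=1);
const LDAP_URI = 'ldaps://dc01.example.local';                            // placeholder
const BIND_DN  = 'CN=svc-unlock,OU=Service Accounts,DC=example,DC=local'; // placeholder
const BIND_PW  = 'change-me';                                             // placeholder
const BASE_DN  = 'DC=example,DC=local';                                   // placeholder

// lockoutTime is a Windows FILETIME (100 ns ticks since 1601-01-01) stored as
// a string. Absent or "0" means the account is not locked out; AD leaves it at
// 0 after an unlock rather than removing it, so is_numeric() alone is not enough.
function isLockedOut(array $entry): bool
{
    if (!isset($entry['lockouttime'][0])) {   // ldap_get_entries() lowercases keys
        return false;
    }
    $value = $entry['lockouttime'][0];
    return is_numeric($value) && $value !== '0';
}

// Look the user up by sAMAccountName and clear the lockout if one is set.
// Returns true if an unlock was written, false if the account was not locked.
function unlockAccount($ldap, string $samAccountName): bool
{
    // Escape the caller-supplied value so it cannot alter the search filter.
    $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
        ldap_escape($samAccountName, '', LDAP_ESCAPE_FILTER));
    $result  = ldap_search($ldap, BASE_DN, $filter, ['lockoutTime']);
    $entries = ldap_get_entries($ldap, $result);
    if ($entries['count'] !== 1) {
        throw new RuntimeException("Expected exactly one match for $samAccountName");
    }
    if (!isLockedOut($entries[0])) {
        return false;
    }
    // Writing 0 to lockoutTime is the unlock described in the post.
    return ldap_mod_replace($ldap, $entries[0]['dn'], ['lockoutTime' => ['0']]);
}

$ldap = ldap_connect(LDAP_URI);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
if (!ldap_bind($ldap, BIND_DN, BIND_PW)) {
    throw new RuntimeException('Bind failed: ' . ldap_error($ldap));
}
$user = $argv[1] ?? 'jdoe';                                               // placeholder
echo unlockAccount($ldap, $user) ? "Unlocked $user\n" : "$user was not locked out\n";
ldap_unbind($ldap);
```

Bind over LDAPS with a service account that has been delegated only the right to unlock accounts, rather than a general administrative account.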