Unlocking Active Directory Accounts using LDAP

I am using PHP with LDAP to manage some aspects of user accounts within Active Directory. One of the things I needed to do was to reset the accounts of users who had incorrectly entered their password too many times. Initially I thought that the ‘useraccountcontrol’ field was what I needed, as this is used to disable an account. However, I then realised that locked accounts are tracked in a different field (lockouttime) and have a different tickbox in the Active Directory GUI:


I tested it by locking an account out, see below:


[Image: Active Directory Account Locked Disabled]

And checking the LDAP values of the locked out account I see that the field ‘lockouttime’ is set as follows:


So in my PHP I just needed to check whether lockouttime exists / is_numeric and unlock it by setting it to zero using ldap_mod_replace.
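The check and unlock described above could look like the following. This is an added example, not the original author's code: the AD_* environment variable names and the sample entries are assumptions, and the account name is escaped before it goes into the search filter.

```php
<?php
// Added example, not the original author's code; AD_* env var names are assumptions.

// True when an entry in ldap_get_entries() shape (lower-cased attribute names)
// has a numeric, non-zero lockouttime. A missing attribute means never locked.
function isLockedOut(array $entry): bool
{
    $value = $entry['lockouttime'][0] ?? null;
    return $value !== null && is_numeric($value) && ltrim((string) $value, '0') !== '';
}

// Looks up one user by sAMAccountName and clears the lockout; true if a change was made.
function unlockAccount($conn, string $baseDn, string $sam): bool
{
    // Escape the name so user input cannot alter the search filter.
    $name = ldap_escape($sam, '', LDAP_ESCAPE_FILTER);
    $result = ldap_search($conn, $baseDn, "(&(objectClass=user)(sAMAccountName=$name))", ['lockouttime']);
    if ($result === false) {
        throw new RuntimeException('Search failed: ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $result);
    if ($entries['count'] !== 1) {
        throw new RuntimeException('Expected exactly one matching account');
    }
    if (!isLockedOut($entries[0])) {
        return false; // not locked, leave the entry untouched
    }
    if (!ldap_mod_replace($conn, $entries[0]['dn'], ['lockouttime' => ['0']])) {
        throw new RuntimeException('Unlock failed: ' . ldap_error($conn));
    }
    return true;
}

$samples = [ // constructed entries, to exercise the check without a directory server
    'locked'   => ['lockouttime' => ['count' => 1, 0 => '133497216000000000']],
    'unlocked' => ['lockouttime' => ['count' => 1, 0 => '0']],
    'never'    => [],
];
foreach ($samples as $label => $entry) {
    printf("%-8s => %s\n", $label, isLockedOut($entry) ? 'locked' : 'not locked');
}

// Live run only when AD_URI is set (use an ldaps:// URI so the bind is encrypted).
if (getenv('AD_URI') !== false) {
    $conn = ldap_connect(getenv('AD_URI'));
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($conn, getenv('AD_BIND_DN'), getenv('AD_BIND_PW'))) {
        throw new RuntimeException('Bind failed: ' . ldap_error($conn));
    }
    var_dump(unlockAccount($conn, getenv('AD_BASE_DN'), getenv('AD_USER')));
}
```

The bind account needs write access to lockouttime on the target users and nothing broader, so a delegated service account is enough for this task.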



