Background:
An AD user account is forced into a 'Locked' state by forcing multiple failed logon attempts.
The AD GUI shows that the user account's UserAccountControl property is LOCKED.
Then a script is run under a Domain Admin account that queries that property using dsGetProperty. dsGetProperty returns 512, which indicates a NORMAL account (when it should be indicating it is LOCKED).
That same script then calls wntUserGetDat, which returns 529. This indicates that the wntUserGetDat function can see that the account is locked.
Do you have any ideas why the dsGetProperty function is not successfully picking up the locked state on that account?
‘It is not a bug in the extender. It is just reporting what Active Directory is telling it. Active Directory has a different mechanism for handling locked out users.
I also did some searches at http://groups.google.com and found a few threads that confirm that if the lockoutTime property is not present or 0 then the account is not locked out and <> 0 if it is locked out.
I think you need to use the "lockoutTime" property. For example, to find all users that may be locked:
    ; Do the search.
    lResults = dsFindPath(sServerPath, "(&(&(objectCategory=person)(objectClass=user))(lockoutTime>=1))")
or to clear a lock on a particular user:
    ; Clear the lockout by setting the property to zero.
    dsSetProperty(sUserPath, "lockoutTime", 0)
This is from memory and I have not run any of this but I think this is how it works.
I think if you were to query the user account using the WinNT name space and the "userFlags" property you would get the same result as you get with the NT extender function wntUserGetDat. Again this is from memory....’
Give the above dsFindPath code a try and let me know if it resolves the issue.
Here is the code that works:
    ;
    ; Check if User Account is Locked, if so then Unlock the Account.
    ;
    ;
    AddExtender("WWADS34I.DLL")
    lockoutTime = "lockoutTime"
    Server = dsGetProperty("LDAP://rootDSE" , "serverName")
    Server = ItemExtract(1, Server, ",")
    Server = ItemExtract(2, Server, "=")
    ;
    UserName = "TESTUSER"
    :LoopAgain
    UserName = AskLine("AcctLock", "Enter LoginID:", UserName)
    sObjectPath2 = StrCat("LDAP://", Server, "/CN=", UserName, ",OU=Domain Users,DC=dummy,DC=com")
    ;
    flags = dsGetProperty(sObjectPath2, lockoutTime)
    If (flags == 0)
       Message("AcctLock", "Account %UserName% is not locked.")
    Else
       flags = 0 ; Unlock
       dsSetProperty(sObjectPath2, lockoutTime, flags)
       Message("AcctLock lockoutTime", StrCat(UserName, " has been unlocked") )
    EndIf
    ;
    Exit
Case: closed.
Thanks much for your help, once again!
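An added example (Python, not part of the original article or of WinBatch) showing why the dsFindPath filter above finds users that only may be locked: Active Directory leaves lockoutTime non-zero after the lockout duration has run out and resets it only on a successful logon or an explicit unlock, so a non-zero value has to be compared with the domain's lockout duration. It also decodes the 512 and 529 values from the question. The function names, the 30-minute duration and the sample accounts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 UTC (how lockoutTime is stored).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Account-control bits (Windows SDK values) behind the 512 vs 529 results.
FLAG_NAMES = {0x0001: "SCRIPT", 0x0010: "LOCKOUT", 0x0200: "NORMAL_ACCOUNT"}


def decode_flags(value):
    """Names of the known bits set in a userAccountControl/userFlags value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment):
    """Inverse of filetime_to_datetime (used to build the sample data)."""
    return (moment - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def lockout_state(lockout_time, duration, now):
    """Classify an account from its raw lockoutTime value.

    duration is the domain lockout duration as a timedelta, or None when
    accounts stay locked until an administrator unlocks them (assumption:
    the caller has already read this from the domain policy).
    """
    ticks = int(lockout_time or 0)    # attribute absent, empty or 0
    if ticks == 0:
        return "not locked"
    if duration is None:
        return "locked"
    locked_at = filetime_to_datetime(ticks)
    return "locked" if now < locked_at + duration else "lockout expired"


if __name__ == "__main__":
    # Constructed sample data, not taken from a real directory.
    now = datetime(2007, 7, 3, 14, 0, tzinfo=timezone.utc)
    samples = {"TESTUSER": datetime_to_filetime(now - timedelta(minutes=5)),
               "OLDLOCK": datetime_to_filetime(now - timedelta(days=2)),
               "CLEAN": 0}
    for name, raw in samples.items():
        print(name, lockout_state(raw, timedelta(minutes=30), now))
    print(decode_flags(512), decode_flags(529))
```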
Article ID: W16788
File Created: 2007:07:03:14:26:16
Last Updated: 2007:07:03:14:26:16