Marco Gaiarin
2019-Dec-04 11:21 UTC
[Samba] Account locked and delayed user data propagation...
Hi! Rowland penny via samba
  On that day it was said...

> I think you are over thinking this ;-)

I'm simply applying the policy... ;-)

https://docs.microsoft.com/it-it/windows/win32/adschema/a-lockouttime

says at the bottom:

  This attribute value is only reset when the account is logged onto successfully.
  This means that this value may be non zero, yet the account is not locked out.
  To accurately determine if the account is locked out, you must add the Lockout-Duration
  to this time and compare the result to the current time, accounting for local time zones
  and daylight savings time.

> So, all you need to do, check for the lockouttime attribute and if found and
> it isn't '0', set it to '0'

Better to fire up a bug? Or there's an operational field like
'LockoutExpiration' to test with?

Thanks.

--
dott. Marco Gaiarin                        GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''        http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland penny
2019-Dec-04 12:05 UTC
[Samba] Account locked and delayed user data propagation...
On 04/12/2019 11:21, Marco Gaiarin via samba wrote:
> Hi! Rowland penny via samba
>   On that day it was said...
>
>> I think you are over thinking this ;-)
> I'm simply applying the policy... ;-)
>
> https://docs.microsoft.com/it-it/windows/win32/adschema/a-lockouttime
>
> says at the bottom:
>
>   This attribute value is only reset when the account is logged onto successfully.
>   This means that this value may be non zero, yet the account is not locked out.
>   To accurately determine if the account is locked out, you must add the Lockout-Duration
>   to this time and compare the result to the current time, accounting for local time zones
>   and daylight savings time.
>
>> So, all you need to do, check for the lockouttime attribute and if found and
>> it isn't '0', set it to '0'
> Better to fire up a bug? Or there's an operational field like
> 'LockoutExpiration' to test with?
>
> Thanks.
>

Well, yes, it will be unlocked automatically and 'lockoutTime' set to '0', but we are talking about a script to do this if this doesn't occur.

If you go here:

http://www.selfadsi.org/extended-ad/user-unlock.htm

go down to: Unlock with the attribute lockoutTime

It says:

  The easiest unlock method is based on the *lockoutTime <http://www.selfadsi.org/ads-attributes/user-lockoutTime.htm>* attribute and works for all Active Directory versions since Windows 2000: The attribute lockoutTime holds the date and time of the account lock event - but the value is stored in the complex format of a Microsoft DateTime Interval timestamp <http://www.selfadsi.org/deep-inside/microsoft-integer8-attributes.htm> (64-Bit Long 'Integer8': 100-nanosecond steps since 01/01/1600). Fortunately, we don't have to calculate a certain value in order to unlock the regarding account: It's enough to write a Null value into the lockoutTime attribute

i.e. replace whatever is in lockoutTime with a '0'

Rowland
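The check described in the Microsoft note quoted above (add Lockout-Duration to lockoutTime and compare with the current time), as an added example that is not part of the original thread or of Samba's code. It assumes the raw lockoutTime and the domain's lockoutDuration (a negative 100-nanosecond interval) have already been read from the directory, counts lockoutTime from the Windows FILETIME epoch of 1 January 1601 UTC, and works in UTC throughout so local time zones and daylight saving do not enter into it; the function names and sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch used by AD Integer8 timestamps: 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample values (not taken from the thread):
SAMPLE_LOCKOUT_TIME = "132199308000000000"   # 2019-12-04 11:00:00 UTC
SAMPLE_LOCKOUT_DURATION = "-18000000000"     # 30 minutes, stored negative


def filetime_to_datetime(value):
    """Convert a 100-nanosecond Integer8 timestamp to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def interval_to_timedelta(value):
    """Convert a negative 100-ns interval (lockoutDuration style) to a timedelta."""
    return timedelta(microseconds=abs(int(value)) // 10)


def lockout_state(lockout_time, lockout_duration, now=None):
    """Return (locked, expires_at) from raw attribute values.

    lockout_time     -- raw lockoutTime; None or 0 means no lockout is recorded
    lockout_duration -- raw domain lockoutDuration (negative 100-ns interval)
    now              -- timezone-aware datetime, defaults to the current UTC time
    """
    if lockout_time is None or int(lockout_time) == 0:
        return False, None
    if now is None:
        now = datetime.now(timezone.utc)
    if now.tzinfo is None:
        # A naive datetime would silently be read in some local zone.
        raise ValueError("now must be timezone-aware")
    locked_at = filetime_to_datetime(lockout_time)
    expires_at = locked_at + interval_to_timedelta(lockout_duration)
    # A non-zero lockoutTime alone is not enough: the lockout may have expired.
    return now < expires_at, expires_at


if __name__ == "__main__":
    for minute in (10, 45):
        when = datetime(2019, 12, 4, 11, minute, tzinfo=timezone.utc)
        locked, until = lockout_state(SAMPLE_LOCKOUT_TIME,
                                      SAMPLE_LOCKOUT_DURATION, now=when)
        print(when.isoformat(), "locked" if locked else "not locked",
              "until", until.isoformat())
```
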
Marco Gaiarin
2019-Dec-04 16:36 UTC
[Samba] Account locked and delayed user data propagation...
Hi! Rowland penny via samba
  On that day it was said...

> If you go here: http://www.selfadsi.org/extended-ad/user-unlock.htm
> It says:

So, seems to me that 'Lockout-Duration' is an 'unused option'...

--
dott. Marco Gaiarin