How to lock an AD account

Is it possible to change the value of ADSAccount.AccountLockedOut and provision it to Active Directory?

A little more of context: I want the accounts locked when they're being created.

Thank you,

Lucrezia

  • Hi Lucrezia,

You are allowed to lock AD accounts using the AccountLockedOut field, but not within the creation process itself. If you want to do it, add a job at the end of the process doing the insert which fires an update with AccountLockedOut = true, and the following update process will do the job.

Maybe in some environments the provisioning of the lock is not successful (not allowed), so you may use the AccountDisabled field.

    regards,

      Tino

  • Hi Tino,

    thanks for the quick response.

On a OneIM demo machine, I've tried adding a step to the process CCC_ADS_ADSAccount_Insert, just after the "Create account" step. The process executes fine, but when the update is caught, the provisioning to Active Directory remains frozen with the error:

    Error carrying out the user_isaccountlocked_Set operation on object CN=Doe Jane,OU=noLocation,OU=Sites,OU=DEMO,DC=iamdemo,DC=com (Error:[System.Reflection.TargetInvocationException] Exception has been thrown by the target of an invocation. [System.Runtime.InteropServices.COMException] Exception from HRESULT: 0x80005008).
    Property vrtIsAccountLocked is set.
    1 write operations on properties were deferred and will be run now.
Method Commit() was called on object CN=Doe Jane,OU=noLocation,OU=Sites,OU=DEMO,DC=iamdemo,DC=com.
    Error writing property vrtIsAccountLocked. The modification will rerun after committing object.

I also tried updating the value of AccountLockedOut directly in AD, by browsing in the Synchronization Editor, but I receive the same error message.

    What am I missing?
    Thanks,

    Lucrezia

  • Hi Lucrezia,

this is exactly what I meant with: "Maybe in some environments the provisioning of the lock is not successful (not allowed), so you may use the AccountDisabled field."

    Your best option is to use the AccountDisabled field.

    Regards,

       Tino

Ok, I see. Do you also know why in these environments the provisioning of the lock is not successful? Is this an AD configuration? This information would be useful in the context of setting up JML processes and the creation of AD accounts.

    Thank you,
    Lucrezia

  • Hi Lucrezia,

I'm not really sure, but the most likely of all the explanations I am aware of is that Microsoft has reserved the permission to set the value "true" on the property "IsAccountLocked" to the system in the past (in the case of the IADsUser interface). Having a look at the PowerShell module "ActiveDirectory", you will notice the same there: there is an "Unlock-ADAccount" cmdlet but no "Lock-ADAccount".

    Regards,

      Tino

  • Ok Tino, thank you, that was quite clarifying. 

    Regards,

    Lucrezia

  • Hi Lucrezia

If your use case is to prevent a user logging on until a certain date/event, then I agree, the “accountdisabled” property would be a better option because it is not time-based. The AD lockout is time-based.

    I am not sure if it is possible to “lock” an AD account from OneIM – maybe Tino has a way to do this but I do not think it will be through the standard connector. OneIM has an “Unlock” feature in later versions.

My understanding of the Active Directory “user account lockout” feature is that it is designed to be a temporary lockout when bad password attempts are made by a user, and it is time-based. It is controlled by group policies or password policies with an “account lockout threshold” and “account lockout duration”. When the lockout duration expires, a user can attempt another logon.

A lockout affects three user attributes in AD and is not a single boolean attribute:

badPwdCount, badPasswordTime, lockoutTime.

    OneIM can “Unlock” an AD account, but this is much easier because the badPwdCount and lockoutTime attribute values are reset to 0.

    hth
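The distinction drawn in the last reply (disabled is a single flag, locked out is a state derived from counters, a timestamp and the domain policy) can be modelled offline. The following is an added example written for this thread; it is not code from One Identity Manager, the ADS connector or Active Directory. It assumes the documented attribute encodings (userAccountControl bit 0x0002 for ACCOUNTDISABLE, lockoutTime/badPasswordTime as FILETIME ticks, lockoutDuration and lockOutObservationWindow stored on the domain head as negative 100-ns intervals, and 0x8000000000000000 as "until an administrator unlocks"); the sample policy values and the sample account are constructed, and the failed-logon routine is a deliberately simplified model of the domain controller logic, not a reimplementation of it.

```python
"""Model of AD 'locked out' vs 'disabled' state (constructed example for this
thread; not OneIM, connector or Active Directory code)."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002             # userAccountControl bit: account disabled
LOCKOUT_FOREVER = -0x8000000000000000    # lockoutDuration sentinel: admin must unlock

# Constructed sample domain policy: threshold 5, 30-minute duration and window.
# Both intervals are negative 100-ns tick counts, as stored on the domain head.
SAMPLE_POLICY = {
    "lockoutThreshold": 5,
    "lockoutDuration": -30 * 60 * 10_000_000,
    "lockOutObservationWindow": -30 * 60 * 10_000_000,
}


def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> Windows FILETIME (100-ns ticks since 1601-01-01)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME -> UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_disabled(attrs: dict) -> bool:
    """AccountDisabled is one bit in userAccountControl; no clock involved."""
    return bool(attrs.get("userAccountControl", 0) & UF_ACCOUNTDISABLE)


def is_locked_out(attrs: dict, policy: dict, now: datetime) -> bool:
    """Locked out iff lockoutTime != 0 and lockoutDuration has not elapsed."""
    lockout_time = attrs.get("lockoutTime", 0)
    if lockout_time == 0:
        return False
    duration = policy["lockoutDuration"]
    if duration == LOCKOUT_FOREVER:
        return True
    unlock_at = lockout_time - duration       # duration is negative, so this adds
    return datetime_to_filetime(now) < unlock_at


def record_bad_password(attrs: dict, policy: dict, now: datetime) -> dict:
    """Simplified DC behaviour on a failed logon: count attempts inside the
    observation window and set lockoutTime once the threshold is reached."""
    new = dict(attrs)
    now_ft = datetime_to_filetime(now)
    window = -policy["lockOutObservationWindow"]   # make it a positive tick count
    last = new.get("badPasswordTime", 0)
    if last and now_ft - last > window:
        new["badPwdCount"] = 0                      # window expired: restart count
    new["badPwdCount"] = new.get("badPwdCount", 0) + 1
    new["badPasswordTime"] = now_ft
    threshold = policy["lockoutThreshold"]
    if threshold and new["badPwdCount"] >= threshold:
        new["lockoutTime"] = now_ft                 # this is the "lock"
    return new


def unlock(attrs: dict) -> dict:
    """What an 'Unlock' amounts to: reset lockoutTime and badPwdCount to 0."""
    new = dict(attrs)
    new["lockoutTime"] = 0
    new["badPwdCount"] = 0
    return new


def account_state(attrs: dict, policy: dict, now: datetime) -> str:
    """Human-readable summary of the two independent conditions."""
    flags = []
    if is_disabled(attrs):
        flags.append("disabled")
    if is_locked_out(attrs, policy, now):
        flags.append("locked")
    return "+".join(flags) or "active"


if __name__ == "__main__":
    # Constructed sample account: NORMAL_ACCOUNT (0x200), nothing else set.
    user = {"userAccountControl": 0x200, "badPwdCount": 0,
            "badPasswordTime": 0, "lockoutTime": 0}
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    for i in range(SAMPLE_POLICY["lockoutThreshold"]):
        user = record_bad_password(user, SAMPLE_POLICY, t0 + timedelta(seconds=i))
    print("after 5 failures:", account_state(user, SAMPLE_POLICY, t0 + timedelta(minutes=1)))
    print("31 minutes later:", account_state(user, SAMPLE_POLICY, t0 + timedelta(minutes=31)))
    print("after unlock:    ", account_state(unlock(user), SAMPLE_POLICY, t0 + timedelta(minutes=1)))
    user["userAccountControl"] |= UF_ACCOUNTDISABLE
    print("disabled instead:", account_state(user, SAMPLE_POLICY, t0 + timedelta(hours=24)))
```

The point the model makes explicit is that nothing in the user object carries a writable "locked" boolean: the lock appears when the DC writes lockoutTime, and it silently expires once lockoutDuration has passed (or never, with the 0x8000000000000000 sentinel), whereas the ACCOUNTDISABLE bit stays set until something clears it. For a JML process that must keep a new account unusable until an activation event, that is the behaviour AccountDisabled gives and a lockout does not.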