
In our Spring application we're authenticating users against a Windows AD server. When any user's credentials have expired, a form is shown so he/she can change their password. Before updating it in AD, we're checking whether the account is locked out, so we're verifying whether the account attribute "lockoutTime" is bigger than 0.

We are using this lockoutTime verification in some other places of the platform without problems, but when the credentials are expired it seems that lockoutTime also gets set to the time when they expired, although the account is not actually locked.

How could we verify this difference: the user is locked when lockoutTime is bigger than 0, except if their credentials have expired (or anything else)?

Edit: Not the same as this question (or some similar others), where it's asked about looking for locked accounts only. My problem is that the lockoutTime attribute is not enough, as it could also be set to another number different from 0 when the user's password has expired. The password is expired, but the account is not locked, but lockoutTime is > 0.

Goyo
  • Possible duplicate of [Detect if an Active Directory user account is locked using LDAP in Python](https://stackoverflow.com/questions/11795294/detect-if-an-active-directory-user-account-is-locked-using-ldap-in-python) – Am_I_Helpful Jun 05 '18 at 17:14
  • Is not a duplicate of that topic. They had a problem with the lockoutDuration, but this is a policy we don't have in our system. Our problem is with expired credentials that also increase the lockoutTime attribute – Goyo Jun 07 '18 at 09:46
  • It seems that the userAccountControl attribute has a password expired bit (https://msdn.microsoft.com/ru-ru/library/windows/desktop/ms680832(v=vs.85).aspx). It also has an account locked out bit, but as I recall it does not work on some OS. Check the combination of the lockoutTime and userAccountControl attributes – oldovets Jun 08 '18 at 03:14
  • oldovets, that is... the lockOut bit is not changed in my AD (Windows Server 2008). So, I have no way to make a difference between a locked account and an account with its password expired (which could have been locked as well, couldn't it?) – Goyo Jun 18 '18 at 06:39
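An added example (not code from the question or its comments) showing one way to keep the two states apart: lockout is decided from lockoutTime together with the domain's lockoutDuration, password expiry from pwdLastSet, maxPwdAge and the DONT_EXPIRE_PASSWD bit, and the constructed attribute msDS-User-Account-Control-Computed (which, unlike userAccountControl, carries a reliable UF_LOCKOUT bit) is preferred when the LDAP query requested it. It assumes attribute values have already been read into plain dicts as integers, with the policy values taken from the domain root object; the sample data at the bottom is constructed.

```python
from datetime import datetime, timedelta, timezone
# AD stores timestamps as Windows FILETIME (100 ns ticks since 1601-01-01 UTC) and
# domain policy intervals (lockoutDuration, maxPwdAge) as negative tick counts.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_LOCKOUT = 0x0010             # reliable only in msDS-User-Account-Control-Computed
UF_DONT_EXPIRE_PASSWD, UF_PASSWORD_EXPIRED = 0x10000, 0x800000  # latter: computed only
NEVER = -2**63                  # maxPwdAge sentinel: passwords never expire

def ticks_to_dt(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def dt_to_ticks(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def is_locked_out(user, domain, now):
    # A non-zero lockoutTime is not cleared automatically; the lock has lapsed
    # once lockoutDuration has passed (0 means locked until an admin unlocks).
    lockout_time = int(user.get("lockoutTime", 0))
    if lockout_time == 0:
        return False
    duration = int(domain.get("lockoutDuration", 0))
    if duration == 0:
        return True
    return now < ticks_to_dt(lockout_time) + timedelta(microseconds=abs(duration) // 10)

def is_password_expired(user, domain, now):
    if int(user.get("userAccountControl", 0)) & UF_DONT_EXPIRE_PASSWD:
        return False
    pwd_last_set = int(user.get("pwdLastSet", 0))
    if pwd_last_set == 0:  # "user must change password at next logon"
        return True
    max_age = int(domain.get("maxPwdAge", NEVER))
    if max_age in (0, NEVER):
        return False
    return now > ticks_to_dt(pwd_last_set) + timedelta(microseconds=abs(max_age) // 10)

def account_state(user, domain, now):
    # Prefer the constructed attribute if the LDAP query asked for it; otherwise derive.
    computed = user.get("msDS-User-Account-Control-Computed")
    if computed is not None:
        c = int(computed)
        return {"locked": bool(c & UF_LOCKOUT), "password_expired": bool(c & UF_PASSWORD_EXPIRED)}
    return {"locked": is_locked_out(user, domain, now),
            "password_expired": is_password_expired(user, domain, now)}

# Constructed sample data (not from a real directory): 30 min lockout, 42 day max age.
NOW = datetime(2018, 6, 18, 12, 0, tzinfo=timezone.utc)
DOMAIN = {"lockoutDuration": -30 * 60 * 10_000_000, "maxPwdAge": -42 * 86400 * 10_000_000}
LOCKED_USER = {"lockoutTime": dt_to_ticks(NOW - timedelta(minutes=10)),
               "pwdLastSet": dt_to_ticks(NOW - timedelta(days=5)), "userAccountControl": 0x200}
EXPIRED_USER = {"lockoutTime": dt_to_ticks(NOW - timedelta(hours=2)),
                "pwdLastSet": dt_to_ticks(NOW - timedelta(days=100)), "userAccountControl": 0x200}
```

Note that the LOCKED_USER and EXPIRED_USER samples both carry a non-zero lockoutTime; only the comparison against lockoutDuration tells them apart, which is the distinction a bare `lockoutTime > 0` test cannot make.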

0 Answers