How to block a user account of an active directory?

I have a working script that allows me to unlock a user account (by setting the AD time lock attribute to 0) something like this:

```php
$entry["lockouttime"][0] = 0;
$mod = ldap_mod_replace($ds, $dn, $entry);
```

Now I would like to do the opposite: lock the account. I read that lockouttime is a system attribute, and Active Directory does not allow us to set its value to anything other than 0.

So I am trying to bind to the server as the user with a wrong password, but this does not work.

```php
for ($i = 0; $i < 10; $i++) {
    ldap_bind($ds, $dn, "theWrongPasswd");
}
```

Running this shows this warning:

```text
Warning: ldap_bind(): Unable to bind to server: Invalid credentials
```

but the account is still unlocked.

Do you have any ideas on how I can do this? Thanks in advance.

+8
php active-directory
5 answers

LDAP binding attempts are not considered login attempts. Using APIs such as LogonUser and CreateProcessWithLogon does generate login attempts.

+2

Locking a user using the userAccountControl LOCKOUT (0x0010) flag is not possible. This flag is associated with the AD password policy and will be set by the system if there are too many login attempts. I tried it myself: after setting the flag and committing the change to AD, the value did not change, and no exception was thrown.

Disabling the account will achieve what you want. To do this, you need to set the ACCOUNTDISABLE (0x0002) flag.

This is a list of all UAC flags: http://support.microsoft.com/kb/305144/en-us

+1

Looking at http://support.microsoft.com/kb/305144 , suppose a normal account has a value of 512 for its UAC:

```text
LOCKOUT         0x0010   16
NORMAL_ACCOUNT  0x0200   512
```

I believe setting it to 528 (lock + regular account) will block the user account.

```php
$entry["userAccountControl"][0] = 528;  // NORMAL_ACCOUNT (512) + LOCKOUT (16)
$mod = ldap_mod_replace($ds, $dn, $entry);
```
0

I recommend that you independently count failed bind attempts using a session variable and block the account yourself based on this.

To lock an account, you need to combine the relevant flags and set the userAccountControl attribute.

Following http://support.microsoft.com/kb/305144 , the lock will be:

```php
$controlOption["useraccountcontrol"][0] = '514';
$mod = ldap_modify($ds, $dn, $controlOption);
```

The value 514 comes from NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2).

The unlock will be NORMAL_ACCOUNT, 512.

Final code:

```php
session_start();
$maxCount = 3;  // lockout threshold; not defined in the original snippet
$_SESSION['failed-login'] = $_SESSION['failed-login'] ?? 0;

for ($i = 0; $i < 10; $i++) {
    $result = ldap_bind($ds, $dn, "theWrongPasswd");
    if (!$result) {
        $_SESSION['failed-login']++;
    }
    if ($_SESSION['failed-login'] >= $maxCount) {
        // NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2)
        $controlOption["useraccountcontrol"][0] = 512 + 2;
        $mod = ldap_modify($ds, $dn, $controlOption);
    }
}
```
0
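As an added example (not from the question or any of the answers above): a PHP helper that disables or re-enables the account by changing only the ACCOUNTDISABLE bit of userAccountControl, reading the current value first so other flags are preserved instead of being overwritten by a literal 514, and reading back to verify. `$ds` is assumed to be an LDAP connection already bound as an account with rights to modify the user, and `$dn` the user's distinguished name.

```php
<?php
// Added example, not code from the question or answers: toggle only the
// ACCOUNTDISABLE bit of userAccountControl so that other flags (for instance
// DONT_EXPIRE_PASSWD 0x10000) are not clobbered by writing a fixed value.
// Assumed: $ds is an LDAP connection already bound with rights to modify the
// user, and $dn is the user's distinguished name.

const UF_ACCOUNTDISABLE = 0x0002;   // from KB 305144
const UF_LOCKOUT        = 0x0010;   // read-only: AD derives it from lockoutTime

function readUac($ds, string $dn): int
{
    $sr = ldap_read($ds, $dn, '(objectClass=user)', ['userAccountControl']);
    if ($sr === false) {
        throw new RuntimeException('ldap_read failed: ' . ldap_error($ds));
    }
    $entries = ldap_get_entries($ds, $sr);   // attribute names come back lowercased
    if ($entries['count'] !== 1) {
        throw new RuntimeException("no entry for $dn");
    }
    return (int) $entries[0]['useraccountcontrol'][0];
}

function setAccountDisabled($ds, string $dn, bool $disabled): int
{
    $uac = readUac($ds, $dn);
    $new = $disabled ? ($uac | UF_ACCOUNTDISABLE) : ($uac & ~UF_ACCOUNTDISABLE);
    if ($new !== $uac) {
        $ok = ldap_mod_replace($ds, $dn, ['userAccountControl' => (string) $new]);
        if (!$ok) {
            throw new RuntimeException('ldap_mod_replace failed: ' . ldap_error($ds));
        }
    }
    // Read back and verify rather than trusting the write.
    $after = readUac($ds, $dn);
    if ((bool) ($after & UF_ACCOUNTDISABLE) !== $disabled) {
        throw new RuntimeException('userAccountControl did not change as expected');
    }
    return $after;
}

// Usage (assumed $ds and $dn):
// setAccountDisabled($ds, $dn, true);   // disable the account
// setAccountDisabled($ds, $dn, false);  // re-enable it
// The LOCKOUT bit is never written here: AD computes it from lockoutTime, and the
// only value AD accepts for lockoutTime is 0 (unlock), as the question observed.
```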

Try the following:

To unlock:

```php
$acctEntry["lockouttime"][0] = '1';
$mod = ldap_modify($ds, $dn, $acctEntry);
```

To block:

```php
$acctEntry["lockouttime"][0] = '0';
$mod = ldap_modify($ds, $dn, $acctEntry);
```

To enable:

```php
$acctEntry["useraccountcontrol"][0] = '512';
$mod = ldap_modify($ds, $dn, $acctEntry);
```

To disable:

```php
$acctEntry["useraccountcontrol"][0] = '514';
$mod = ldap_modify($ds, $dn, $acctEntry);
```
-1