Account Lockout issues between Active Directory and eDirectory

  • 3513830
  • 17-Dec-2007
  • 26-Apr-2012

Environment

Novell Identity Manager 3.5.1
Novell Identity Manager Driver - Active Directory

Situation

The IDM Active Directory driver currently syncs only an unlock of the Account Lockout value from eDirectory to Active Directory. Why can IDM not lock out the account in Active Directory, and why can it not sync the lockout state to eDirectory? Is there any way around this?

Resolution

Whether or not an account is locked out in Active Directory is determined by several attribute values; there is no single replicated "locked out" flag that a driver could copy in either direction.
First the system looks at the badPwdCount attribute in Active Directory. This is a non-replicated value: it specifies the number of times the user attempted to log on to the account using an incorrect password, and it is maintained separately on each domain controller in the domain. A value of 0 indicates that the value is unknown.
To get an accurate value for the user's total bad password attempts in the domain, each domain controller in the domain must be queried and the sum of the values used.
Next is the lockoutTime (Lockout-Time) attribute, a 64-bit FILETIME (100-nanosecond intervals since 1 January 1601, UTC) recording when the account was locked.
This attribute value is only reset when the account is logged onto successfully, so it may be non-zero while the account is no longer locked out. To accurately determine whether the account is locked out, add the domain's Lockout-Duration (http://msdn2.microsoft.com/en-us/library/ms676840(printer).aspx) to this time and compare the result to the current time, accounting for local time zones and daylight saving time; lockoutTime is stored in UTC, so the safe approach is to convert the current time to UTC rather than the stored value to local time. Lockout-Duration is stored on the domain object as a negative 100-nanosecond interval.
Also there is the Lockout-Threshold attribute: the number of invalid logon attempts that are permitted before the account is locked out.
Finally there is the userAccountControl attribute. It specifies flags that control password, lockout, disable/enable, script, and home directory behavior for the user, and it also contains a flag that indicates the account type of the object; a user object usually has UF_NORMAL_ACCOUNT set (512 decimal, 0x0200 hex). The attribute is a bitmask, so a normal user's value is 512 plus whatever other flags are set (for example UF_ACCOUNTDISABLE, 0x0002), and writing a bare 512 drops those other flags. On Windows Server 2003 and later the lockout bit (UF_LOCKOUT, 0x0010) is not reliably present in the stored userAccountControl; it is reported through the constructed attribute msDS-User-Account-Control-Computed, and the supported way to unlock an account is to set lockoutTime to 0.
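As an added worked example (this is not part of the original TID or of the IDM driver), the lockout determination described above carried out in Python: the FILETIME conversion for lockoutTime, the negative-interval arithmetic for Lockout-Duration, the per-domain-controller sum of badPwdCount, and the userAccountControl bitmask. Every input value is a constructed sample and every function name is my own; nothing here reads a live directory.

```python
"""Decide whether an AD account is locked out from the raw attribute values
(badPwdCount, lockoutTime, lockoutDuration, userAccountControl).
All inputs are constructed sample values, not data read from a directory."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# lockoutTime is a Win32 FILETIME: 100 ns intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# lockoutDuration sentinel meaning "locked until an administrator unlocks".
LOCKOUT_FOREVER = -0x8000000000000000

# userAccountControl bits (ADS_USER_FLAG_ENUM values).
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_NORMAL_ACCOUNT = 0x0200        # 512 decimal, the value the policy below writes
UF_DONT_EXPIRE_PASSWD = 0x10000


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME integer -> aware UTC datetime (microsecond resolution)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build sample lockoutTime values."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def lockout_duration_to_timedelta(lockout_duration: int) -> Optional[timedelta]:
    """lockoutDuration on the domain object is a *negative* 100 ns interval.
    Returns None for the 'until an administrator unlocks' sentinel."""
    if lockout_duration == LOCKOUT_FOREVER:
        return None
    if lockout_duration > 0:
        raise ValueError("lockoutDuration is stored as a negative interval")
    return timedelta(microseconds=(-lockout_duration) // 10)


def is_locked_out(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """Locked iff lockoutTime != 0 and lockoutTime + lockoutDuration is still in the
    future. The comparison is done in UTC, so local time zone and DST never enter."""
    if lockout_time == 0:
        return False
    duration = lockout_duration_to_timedelta(lockout_duration)
    if duration is None:
        return True
    expires_at = filetime_to_datetime(lockout_time) + duration
    return now.astimezone(timezone.utc) < expires_at


def total_bad_pwd_count(per_dc: Dict[str, int]) -> int:
    """badPwdCount is not replicated: the domain-wide figure is the sum over every DC."""
    return sum(per_dc.values())


def decode_uac(uac: int) -> Dict[str, bool]:
    """Expand the userAccountControl bitmask into named flags."""
    return {
        "normal_account": bool(uac & UF_NORMAL_ACCOUNT),
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "lockout_bit": bool(uac & UF_LOCKOUT),
        "password_never_expires": bool(uac & UF_DONT_EXPIRE_PASSWD),
    }


def flags_lost_by_writing_512(current_uac: int) -> int:
    """Bits that disappear if userAccountControl ends up holding only 512."""
    return current_uac & ~UF_NORMAL_ACCOUNT


def demo() -> Dict[str, object]:
    """Run the checks on constructed values: a 30-minute lockout window and a lock
    placed at 2012-04-26 12:00 UTC."""
    thirty_minutes = -30 * 60 * TICKS_PER_SECOND            # constructed lockoutDuration
    locked_at = datetime_to_filetime(datetime(2012, 4, 26, 12, 0, tzinfo=timezone.utc))
    return {
        "locked_at_12_10": is_locked_out(locked_at, thirty_minutes,
                                         datetime(2012, 4, 26, 12, 10, tzinfo=timezone.utc)),
        "locked_at_12_45": is_locked_out(locked_at, thirty_minutes,
                                         datetime(2012, 4, 26, 12, 45, tzinfo=timezone.utc)),
        "bad_pwd_total": total_bad_pwd_count({"dc1": 2, "dc2": 3, "dc3": 0}),
        "uac_flags": decode_uac(UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `demo()` values show the point made above: ten minutes after the lock the account is locked, forty-five minutes after it is not, even though lockoutTime is unchanged; and a user with "password never expires" set loses that flag if userAccountControl is reduced to a bare 512.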
 
Example policy that will reset a locked AD account. The rule is set to execute when the Description attribute changes; you will have to change that condition to something relevant to your deployment, because as written any edit to a user's description in eDirectory unlocks the matching AD account, which is an unlock channel you do not want. The rule was also written with the AD driver running on a Windows 2000 Domain Controller, where rewriting userAccountControl clears the lockout; on Windows Server 2003 and later the supported way to unlock an account is to set lockoutTime to 0.
 
<?xml version="1.0" encoding="UTF-8"?>
<policy>
 <!-- Reset Lockout: fires on every Description change (placeholder trigger; replace it
      with a condition specific to your unlock workflow) and writes UF_NORMAL_ACCOUNT
      (512) into userAccountControl on the AD side, which on a Windows 2000 DC clears
      the lockout. A bare 512 also drops any other userAccountControl flags the
      account had (disabled, password never expires, ...). -->
 <rule>
  <description>Reset Lockout</description>
  <conditions>
   <and>
    <!-- Trigger: the eDirectory Description attribute is changing in this event -->
    <if-op-attr name="Description" op="changing"/>
   </and>
  </conditions>
  <actions>
   <!-- Write userAccountControl = 512 (UF_NORMAL_ACCOUNT) on the destination (AD) object -->
   <do-add-dest-attr-value name="userAccountControl">
    <arg-value type="int">
     <token-text xml:space="preserve">512</token-text>
    </arg-value>
   </do-add-dest-attr-value>
  </actions>
 </rule>
</policy>