David Aragon wrote:
http://support.microsoft.com/kb/305144/ discusses the various property flags
for the UserAccountControl (UAC). I have tried to set different flags using
LDP, ADSIEdit, and VBScript. One flag in particular is giving me a lot of
grief, LOCKOUT. I can clear the bit, but cannot set it. This is useful to
set for a number of reasons (for example, it will prevent a user from logging
into a system, but not prevent them from getting their voicemail).
Is this normal? Can it be set and if so, how? Is it dependent on other
settings (e.g. lockoutTime) to be set to remain set?

Yes, this is normal, as lockout status is handled based on the lockoutTime
attribute in AD. If you want to check it in a Windows 2003 domain, you have
to use the msDS-User-Account-Control-Computed attribute.
AFAIK you would not be able to lock out an account via code. I don't know if
it would work for you, but if you need to prevent a particular user from
logging on and keep his account alive, you may specify some workstation he
would never be able to get to as the only workstation he is allowed to log on to?
--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
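
The check described in the reply above, as an added example that is not part of the original thread: it reads the lockout bit from msDS-User-Account-Control-Computed rather than from userAccountControl and decodes lockoutTime. The sample entries are constructed, the function names are hypothetical, and the flag values are the ones listed in KB 305144.

```python
from datetime import datetime, timedelta, timezone

# Flag values as listed in KB 305144 (subset relevant to logon state).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
LOCKOUT = 0x0010
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_flags(value):
    """Return the names of the known flags set in a UAC-style bitmask."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_utc(filetime):
    """Convert 100-ns ticks since 1601 (lockoutTime format) to UTC; 0 = unset."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def lockout_status(entry):
    """Summarise lockout state from one LDAP entry (attribute values as strings)."""
    static = int(entry.get("userAccountControl", "0"))
    computed = int(entry.get("msDS-User-Account-Control-Computed", "0"))
    return {
        "locked": bool(computed & LOCKOUT),            # value computed by the DC
        "static_lockout_bit": bool(static & LOCKOUT),  # not where lockout is tracked
        "lockout_time": filetime_to_utc(int(entry.get("lockoutTime", "0"))),
        "static_flags": decode_flags(static),
        "computed_flags": decode_flags(computed),
    }


# Constructed sample entries, not taken from a real directory.
SAMPLES = {
    "locked": {"userAccountControl": "512",
               "msDS-User-Account-Control-Computed": "16",
               "lockoutTime": "128166372000000000"},
    "normal": {"userAccountControl": "66048",
               "msDS-User-Account-Control-Computed": "0",
               "lockoutTime": "0"},
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(name, lockout_status(entry))
```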