Quick note on this attribute, it is constructed, so you can't use it in a query, you can only return it.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko Sent: Wednesday, August 02, 2006 3:35 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] UAC Question David Aragon wrote: > http://support.microsoft.com/kb/305144/ discusses the various property flags > for the UserAccountControl (UAC). I have tried to set different flags using > LDP, ADSIEdit, and vbScript. One flag in particular is giving me a lot of > grief, LOCKOUT. I can clear the bit, but can not set it. This is useful to > set for a number of reasons (for example it will prevent a user from logging > into a system, but not prevent them from getting their voicemail). > > Is this normal? Can it be set and if so, how? Is it dependent on other > settings (ex. lockoutTime) to be set to remain set? > Yes, this is normal as lockout status is handled based on lockoutTime attribute in AD. If You want to check it in Windows 2003 domain You have to use msDS-User-Account-Control-Computed attribute. AFAIK You would not be able to lockout account via code. I don't know if it would work for You but If You need to prevent particular user from logging and keep his account alive You may specify some workstation he would never be able to get to as only workstation he is allowed to log on? -- Tomasz Onyszko http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN) List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx