I'm validating user logins using python's ldap module. When the login fails, I get a ldap.INVALID_CREDENTIALS login, but this can be either because of a wrong password or
lockoutTime is an attribute, so the easiest way is to use:
(&(objectClass=user)(lockoutTime=*))
for the non-empty entries.
Update:
However, this value is also set when the password expires, password needs to change etc.
So it needs to be filtered by:
// C#, System.DirectoryServices.AccountManagement; context is a PrincipalContext
UserPrincipal userPrincipal = new UserPrincipal(context);
bool isLocked = userPrincipal.IsAccountLockedOut();
to get the cases where the user is locked out because they violated the password policy, e.g. incorrectly entered the password 5 times.
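
A non-empty lockoutTime alone does not say whether the account is locked right now, so the value has to be compared against the domain's lockoutDuration. The following Python is an added example, not code from the original answer: it assumes entries shaped like python-ldap search results, that lockoutDuration is read from the domain object, and that its minimum 64-bit value means no automatic unlock. All sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond ticks counted from 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_UNLOCK = -(2 ** 63)  # assumption: duration meaning "until an admin unlocks"


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def _first_int(entry, name):
    """Return attribute `name` as int, or None if absent (values are lists of bytes)."""
    values = entry.get(name) or []
    return int(values[0]) if values else None


def lockout_state(user_entry, domain_entry, now):
    """Return (locked, unlock_time) for a user entry and its domain policy entry.

    lockoutTime is absent or 0 for an account that is not locked. A non-zero
    value can remain on the entry after the lockout window has passed, so
    presence alone (lockoutTime=*) over-reports locked accounts.
    """
    locked_at = _first_int(user_entry, "lockoutTime")
    if not locked_at:
        return (False, None)
    duration = _first_int(domain_entry, "lockoutDuration")
    if duration is None or duration == NEVER_UNLOCK:
        return (True, None)  # no automatic unlock time known
    # lockoutDuration is stored as a negative count of 100 ns ticks.
    unlock_at = filetime_to_datetime(locked_at + abs(duration))
    return (now < unlock_at, unlock_at)


# Constructed sample entries, shaped like python-ldap search results.
DOMAIN = {"lockoutDuration": [b"-18000000000"]}  # 30 minutes
LOCKED_USER = {"lockoutTime": [b"133500000000000000"]}
CLEAN_USER = {"lockoutTime": [b"0"]}

if __name__ == "__main__":
    t0 = filetime_to_datetime(133500000000000000)
    print(lockout_state(LOCKED_USER, DOMAIN, t0 + timedelta(minutes=5)))
    print(lockout_state(LOCKED_USER, DOMAIN, t0 + timedelta(minutes=45)))
    print(lockout_state(CLEAN_USER, DOMAIN, t0))
```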