3.1.1.4.5.25 ms-DS-UserAccountAutoLocked

The ms-DS-UserAccountAutoLocked attribute exists on AD LDS but not on AD DS.

Let TO be the object from which the ms-DS-UserAccountAutoLocked attribute is being read. Let ST be the current time, read from the system clock.

If the machine running AD LDS is joined to a domain D, TO!ms-DS-UserAccountAutoLocked is TRUE if both of the following are TRUE:

  • The LDAP configurable setting ADAMDisablePasswordPolicies ≠ 1.

  • TO!lockoutTime ≠ 0 and either (1) D!lockoutDuration (regarded as an unsigned quantity) < 0x8000000000000000, or (2) ST + D!lockoutDuration (regarded as a signed quantity) ≤ TO!lockoutTime.

If the machine running AD LDS is not joined to a domain, TO!ms-DS-UserAccountAutoLocked is TRUE if both of the following are TRUE:

  • The LDAP configurable setting ADAMDisablePasswordPolicies ≠ 1.

  • TO!lockoutTime ≠ 0 and (ST - TO!lockoutTime) ≤ X, where X is determined by the policy of the machine on which AD LDS is running.