Rem: Forcing the Security Subsystem to Lock an Account

By design, Windows OSs don’t let you lock an unlocked account. However, workarounds exist.

Bob Wells

August 10, 2003

2 Min Read
ITPro Today logo in a gray background | ITPro Today


I work as a technician for a university library in which library patrons use public workstations. I want to prevent patrons from logging back on immediately after I have forcibly logged them off of a Windows 2000 Active Directory (AD)—authenticated workstation. Locking an unlocked account while the user is currently logged on would have been a good solution, but Win2K doesn't let you lock an unlocked account. Do you know of a workaround for this Windows OS shortcoming?

The Windows account lockout behavior is by design. Only the OS's security subsystem can lock user accounts. However, you can use a variety of techniques to force the security subsystem to lock an account. For example, you can create a script that performs n number of invalid logon attempts, where n equals your domain's account lockout threshold. By logon attempt, I mean any action that requires an authenticated network connection. The Net Use command is a good example.

Suppose you have a patron named Betty. Betty is logged on to one of the library's workstations, and you want to lock Betty's user account. Simply open a command prompt and run the following Net Use command n times, where n is equal to your domain's account lockout threshold:

C:> net use * \127.0.0.1C$   BadPassword   /USER:DomainNameBetty

(Although this command appears on several lines here, you would enter it all on one line at the command line.) If your domain's account lockout policy is set to 3 and you run the command 3 times with a bogus password, Betty's user account will be locked on the third invocation of Net Use.

Another option you might want to research is the user's Account Disabled setting. You can disable and enable AD user accounts by using simple Active Directory Service Interfaces (ADSI) scripts like those that Listing 1, page 12, and Listing 2, page 12, show. Listing 1 disables our fictitious Betty user account, and Listing 2 enables the account. Both scripts use the ADSI IADsUser interface's AccountDisabled property.

Disabling an AD user account is a simple three-step process:

  1. Connect (i.e., bind) to the target user account.

  2. Set the user's AccountDisabled property to True.

  3. Call the SetInfo method to write the change to AD.

You follow the same steps to enable the account, but you set AccountDisabled to False. Before you use Listing 1 or Listing 2 in your AD domain, you need to change the value assigned to the strUserDN variable to the target user's distinguished name (DN) in your domain.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like