000013393 - AXM - How to reset an Active Directory account with the API when the user's account is locked out

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000013393
Applies To: RSA Access Manager 6.x
Microsoft Active Directory
Microsoft account policies in use; no ctscUserAuxClass
Issue: AXM - How to reset an Active Directory account with the API when the user's account is locked out
The user's account is locked out in Active Directory, and the administrator wants to clear the lockout through the Access Manager API.
Most information about an AD user's account state is kept in the userAccountControl attribute. Starting with Windows Server 2003-based domains, the LOCK_OUT and PASSWORD_EXPIRED flags are no longer maintained in userAccountControl; they are exposed through the constructed attribute msDS-User-Account-Control-Computed. Because that attribute is constructed (the domain controller computes it when it is read), it cannot be used in an LDAP search filter and cannot be written to.
Resolution

Because the AxM API cannot read or write the lockout state, setAdminLockedout operates on the userAccountControl attribute and disables the account instead. Testing showed that disabling and then re-enabling the user account clears the Active Directory lockout. Use the setAdminLockedout method to disable and then re-enable the user; note that the account is disabled between the two saves, so the re-enable step must run for the account to become usable again. An example of this method follows.

 IUser userToInspect = apiClient.loadUser(user);
 try {
     // Step 1: disable the account. AxM sets the ACCOUNTDISABLE flag in userAccountControl.
     userToInspect.setAdminLockedout(true);
     userToInspect.save();
     // Step 2: re-enable the account. Clearing the flag also clears the AD lockout.
     userToInspect.setAdminLockedout(false);
     userToInspect.save();
 }
 catch (Exception e) {
     // If the second save fails, the account is left disabled; surface the error so it is handled.
     e.printStackTrace();
 }
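As an added check (not part of the original RSA article), the following PowerShell reads the two attributes discussed above for one user and decodes the bits that matter here, so the lockout state can be confirmed on the domain controller before and after the AxM disable/re-enable toggle. It assumes the ActiveDirectory module (RSAT) is installed on a domain-joined host with rights to read the user object; the account name 'jdoe' is a placeholder and the sample flag values passed to the decoder are constructed.

```powershell
# Added example, not from the RSA article. Decodes the account-control bit field and reads it
# from AD for one user. 'jdoe' is a placeholder account name; the sample values are constructed.

# Flag values shared by userAccountControl and msDS-User-Account-Control-Computed
$UF_ACCOUNTDISABLE   = 0x000002   # stored in userAccountControl; set by AxM setAdminLockedout(true)
$UF_LOCKOUT          = 0x000010   # on 2003+ domains only present in the computed attribute
$UF_PASSWORD_EXPIRED = 0x800000   # likewise only present in the computed attribute

function Get-AccountControlState {
    param(
        [int]$UserAccountControl,   # stored attribute, writable
        [int]$Computed              # msDS-User-Account-Control-Computed, read-only
    )
    # LOCK_OUT and PASSWORD_EXPIRED are taken from the computed value because the DC no
    # longer maintains them in userAccountControl; ACCOUNTDISABLE lives in the stored one.
    [pscustomobject]@{
        Disabled        = [bool]($UserAccountControl -band $UF_ACCOUNTDISABLE)
        LockedOut       = [bool]($Computed -band $UF_LOCKOUT)
        PasswordExpired = [bool]($Computed -band $UF_PASSWORD_EXPIRED)
    }
}

function Get-UserControlState {
    param([string]$SamAccountName)
    # The constructed attribute can be requested per object with -Properties, but it cannot be
    # used in -Filter/-LDAPFilter and Set-ADUser cannot write it.
    $u = Get-ADUser -Identity $SamAccountName -Properties userAccountControl, 'msDS-User-Account-Control-Computed'
    Get-AccountControlState -UserAccountControl $u.userAccountControl -Computed $u.'msDS-User-Account-Control-Computed'
}

# Constructed sample: a NORMAL_ACCOUNT (0x200) that the DC reports as locked out.
Get-AccountControlState -UserAccountControl 0x200 -Computed 0x10

# Constructed sample: the same account while the AxM toggle has it disabled; lockout already gone.
Get-AccountControlState -UserAccountControl 0x202 -Computed 0x0

# Live check (uncomment on a domain-joined host): run once before the AxM toggle and once after.
# Get-UserControlState -SamAccountName 'jdoe'

# To enumerate locked-out accounts, use the cmdlet built for it rather than an LDAP filter on the
# constructed attribute, which cannot be searched:
# Search-ADAccount -LockedOut | Select-Object SamAccountName
```

Run the live check before the toggle and expect LockedOut to be True; after both saves succeed, LockedOut and Disabled should both be False. If Disabled is still True, the second save in the AxM code did not take effect and the account must be re-enabled.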
Legacy Article ID: a52524
