Article Number
000013393
Applies To
RSA Access Manager 6.x
Microsoft Active Directory
Microsoft account policies in use; No ctscUserAuxClass
Issue
AXM - How to reset an Active Directory account with the API when the user's account is locked out
The user's account is locked out in Active Directory. The administrator would like to use the Access Manager API to reset it.
Most information on an AD user was kept in the userAccountControl attribute. In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. Because msDS-User-Account-Control-Computed is a constructed attribute, it cannot be used in an LDAP search filter or written to.
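To make the split between the two attributes concrete, the following added example (not part of the original article or of the Access Manager API) decodes constructed sample values of userAccountControl and msDS-User-Account-Control-Computed. The class name UacFlags and the sample values are assumptions; the bit values are the ones Microsoft documents for userAccountControl.

```java
import java.util.ArrayList;
import java.util.List;

public class UacFlags {
    // Bit values from Microsoft's userAccountControl flag table.
    static final int ACCOUNTDISABLE   = 0x00000002;
    static final int LOCKOUT          = 0x00000010;
    static final int NORMAL_ACCOUNT   = 0x00000200;
    static final int PASSWORD_EXPIRED = 0x00800000;

    /** Names the flags set in a userAccountControl-style bit mask. */
    static List<String> decode(int value) {
        List<String> names = new ArrayList<>();
        if ((value & ACCOUNTDISABLE) != 0)   names.add("ACCOUNTDISABLE");
        if ((value & LOCKOUT) != 0)          names.add("LOCKOUT");
        if ((value & NORMAL_ACCOUNT) != 0)   names.add("NORMAL_ACCOUNT");
        if ((value & PASSWORD_EXPIRED) != 0) names.add("PASSWORD_EXPIRED");
        return names;
    }

    /**
     * Effective state: ACCOUNTDISABLE comes from the stored attribute,
     * LOCKOUT and PASSWORD_EXPIRED only from the computed one.
     */
    static String state(int stored, int computed) {
        if ((stored & ACCOUNTDISABLE) != 0) return "DISABLED";
        if ((computed & LOCKOUT) != 0) return "LOCKED_OUT";
        if ((computed & PASSWORD_EXPIRED) != 0) return "PASSWORD_EXPIRED";
        return "ACTIVE";
    }

    public static void main(String[] args) {
        // Constructed samples: {label, userAccountControl, msDS-User-Account-Control-Computed}
        Object[][] samples = {
            {"active user", 0x200, 0x0},
            {"locked out by policy", 0x200, 0x10},
            {"disabled through the API", 0x202, 0x0},
            {"password expired", 0x200, 0x800000},
        };
        for (Object[] s : samples) {
            int stored = (Integer) s[1];
            int computed = (Integer) s[2];
            System.out.printf("%-26s stored=%s computed=%s -> %s%n",
                    s[0], decode(stored), decode(computed), state(stored, computed));
        }
    }
}
```

The active and locked-out rows carry the same stored userAccountControl value, so a check that reads only that attribute cannot tell them apart.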
Resolution
Because the AxM API currently cannot access the lockout state, it writes to the userAccountControl attribute and disables the account instead. It was found that disabling and then re-enabling the user account clears the lockout. Use the setAdminLockedout method to disable and re-enable the user to clear the lockout. An example of the use of this method follows.
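IUser userToInspect = apiClient.loadUser(user);
try {
    // Disable the account; the API writes this to userAccountControl.
    userToInspect.setAdminLockedout(true);
    userToInspect.save();
    // Re-enable the account; per the Resolution text, this clears the lockout.
    userToInspect.setAdminLockedout(false);
    userToInspect.save();
} catch (Exception e) {
    e.printStackTrace();
}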