What does "Unlocking" an AD account that is not locked do?

windows active-directory

You can usually tell when an AD account is locked, as it will tell you alongside the check-box to "Unlock" said account.

Although, I wanted to know if there is any reason I would check this box off when the account is not locked? If so, what does "Unlocking" this account do?


Solution 1:

On down-level DCs (2000 and 2003) the "Unlock account" checkbox used to be disabled if the account was not locked out, since if the account is not locked out there would be no reason to select that checkbox.

But in Longhorn, RODCs were introduced so now the "Unlock account" checkbox is always enabled now regardless of whether the account is actually locked or not. (Unless the user who is viewing the dialog box doesn't have permissions to write to the lockoutTime attribute of the account. Then the checkbox would be disabled.)

[More Info]

Resetting lockoutTime to 0 unlocks an account. It's really just writing to an attribute on the user account is all that the checkbox does.

Setting lockoutTime to 0 in turn triggers urgent replication and resets badPwdCount to 0 as well.

If the user's lockoutTime is already 0, then setting it to 0 will reset badPwdCount to 0 and if badPwdCount was already 0 then it has no effect.

Related

Using GIT variables in a declarative Jenkins pipeline
Ansible conditionals - Wildcard match string
Accidentally deleted python and yum is not working in centos7 [closed]
Why is "DbccFilesCompact" status is "Suspended"?
Git : seemed to be in "(no branch)" and then lost my changes
Slash Notation IP - What is what?
How do you choose your IP addressing?
Why does ethernet have a minimum frame size specified?
ZFS alternative for Linux?
Configure Zeroconf to broadcast multiple names
Search AD by GUID
What legendary shiny pokemon are legitimately obtainable as of Sword/Shield?