How to lock out a user in ActiveDirectory with C#

Posted on 2009-02-21
Last Modified: 2013-12-24
I can find plenty of code on the internet on how to check whether an account is locked out or not, and how to unlock an account, but no code on how to lock an active directory account with C# code.
Some say it is prohibited for security reasons, some say its possible.

My code for unlocking is easy.
Can it be done, and if yes, how?


DirectoryEntry deResult = result.GetDirectoryEntry();

deResult.Properties["LockOutTime"].Value = 0;


Open in new window

Question by:uhm179
    LVL 26

    Expert Comment

    by:Anurag Thakur
    is this link of any help as it shows a lot of operations which can be done on active directory

    Author Comment

    I've stumbled across this page very early in my search for useful Active Directory code and theres this section about account locking and unlocking. Copy paste:

    public bool IsLocked
        get { return Convert.ToBoolean(dEntry.InvokeGet("IsAccountLocked")); }
        set { dEntry.InvokeSet("IsAccountLocked", value); }

    I've always assumed that value had to be set to a number (long), since thats the datatype that AD uses for the lockouttime attribute (in which case the page isn't really helpful), but I just realized that its a bool.

    I'll have to try it out, and report back here.
    LVL 70

    Accepted Solution


    If you're using IsAccountLocked you might want to be aware of this:

    And therefore this:

    Which, unfortunately, includes the following snippet:

    > Attempting to set the IsAccountLocked property to TRUE will fail. Only the system can lock an account.

    Depending on why you need to do this, it would seem more appropriate to disable the account and possibly reset the password.


    Author Closing Comment

    So I guess its not possible. I'm making a webinterface for Active Directory, so we don't need to use the admin program, and locked out status is something that would have been nice to manipulate. I'll just have to settle with only being able to unlock an account. Maybe resetting the password to a random string will get the job done (bit of an ugly hack though). Thx.

    Featured Post

    What Should I Do With This Threat Intelligence?

    Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

    Join & Write a Comment

    Suggested Solutions

    Entering time in Microsoft Access can be difficult. An input mask often bothers users more than helping them and won't catch all typing errors. This article shows how to create a textbox for 24-hour time input with full validation politely catching …
    Using SQL Scripts we can save all the SQL queries as files that we use very frequently on our database later point of time. This is one of the feature present under SQL Workshop in Oracle Application Express.
    Video by: Steve
    Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now