"If account is locked out" - not working correctly

Question

Hello!

I am creating a scheduled task, which in pseudocode does the following:

1st action:

If account is locked AND
if extensionattribute6 is empty
 send email to the locked account
 set extensionattribute6 to %datetime,+20m%

2nd action:

If account is locked AND
My custom PS script checks that the datetime from extensionattribute6 has passed
Clear the info in extensionattribute6

This works pretty good. I set this script to run every 2 minutes, and with the extensionattribute set after the first mail has been sent, it stops the script from spamming a locked out user with mail every 2 minutes until the account gets unlocked.

HOWEVER:
"If account is locked" seems to not check both our domain controllers - only one of them?
I purposely lock my account, then browse to my user in the OU list in adaxes, refresh it, and see that the "Bad Password Time" attribute is not up to date. If I check with Powershell straight to one of my DC's, the value is correct.

How do I work around this?

Thanks!

Answer 1

Hello,

The Bad-Password-Time attribute is indeed not replicated in AD, however Adaxes doesn't use it to determine whether an account is locked out. The UF_LOCKOUT flag in the ms-DS-User-Account-Control-Computed attribute is used instead. If an account is locked out, the UF_LOCKOUT flag is set in the ms-DS-User-Account-Control-Computed attribute, and this is immediately replicated among Domain Controllers.

Comments

Thanks for your reply.

I still am experiencing some problems, but I have narrowed it down to my custom powershell script. However, I am finding it hard to debug what is going on in the Powershell script. $context.logmessage("blah","Information") does nothing (because the workflow fails at some point, so there is no execution log), and I will post my script to get some experienced eyes on it. :)

The actual workflow:
#This script runs every 2 minutes, so I need some anti-spam logic so the user doesn't end up with 10-15 emails while his account is locked
IF Account is Locked Out AND
script "Anti Spam" returns true, then
Send Email-notification (Your account has been locked)
Set ExtensionAttribute6 to %datetime,10m%

#Anti Spam script
Import-Module Adaxes
$user = Get-AdmUser -identity %username% -Properties ExtensionAttribute6
$now = Get-Date
$mailtime = [datetime]::ParseExact($($user.extensionattribute6),"dd.MM.yyyy H:mm:ss", $null)

#If the user doesn't have the ext-att set, it's probably the first time the account has been locked
If (!($user.extensionattribute6))
    {
        $context.ConditionIsMet = $true
        #The workflow should carry on and send notification email and set the ext-att to %datetime,+10m%
    }

else
    {
        #ExtensionAttribute does exist - let's check if the value is older than Get-Date
        if ($now -gt $mailtime)
        {
            $Context.ConditionIsMet = $True
            #It's older than Get-Date, so the workflow should send a new email and set the ext-att to an update value
        }

        else
        {
            $Context.ConditionIsMet = $false 
            #Get-Date is LESS THAN the value of extensionattribute6, so the user should NOT be sent yet another mail - he has already been notified.
        } 
    }

Now for some reason, this does not work, or seems to work randomly. How do I see what is going on in the PS engine when the script is triggered? Some debug mode would help me out a lot :)

And if anyone else is interested, I have another scheduled task as well that does some cleanup of the ExtensionAttribute6 for all users. In short, if the value is in the past, just remove it.

If Ext-Att6 property is not empty AND
Script "Ext-Att6 value is in the past" returns true then
Modify the user: Clear Ext-Att6

#"Ext-Att6 value is in the past" script
Import-Module Adaxes
$user = Get-AdmUser %username% -Properties ExtensionAttribute6
$now = Get-Date
$mailtime = [datetime]::ParseExact($($user.extensionattribute6),"dd.MM.yyyy H:mm:ss", $null)

        #ExtAtt6 value is in the past, carry on with the workflow
        if ($now -gt $mailtime)
        {
            $Context.ConditionIsMet = $True
        }

        #ExtAtt6 value is in the future, do nothing
        else
        {
            $Context.ConditionIsMet = $false   
        } 

Any help would be appreciated :)

---

Hello,

Actually, you can do this with a single Scheduled Task instead of 2. Also, we recommend using Adaxes virtual attributes because, unlike Exchange Custom Attributes, they can store date/time values, which will make the script faster to complete and much simpler. Adaxes virtual attributes are not stored in AD, but can be used the same as any other attributes of AD objects. Date/time values are stored in the following attributes: CustomAttributeDate1 ... CustomAttributeDate5.

Thus, the Scheduled Task will look something like this:

The 'Anti Spam' script used in the Scheduled Task is as follows:

$Context.ConditionIsMet = $True

try
{
    $mailTime = $Context.TargetObject.Get("adm-CustomAttributeDate1")
}
catch
{
    return
}

# Check if the $mailTime is older than the current time
if ($mailTime -lt [System.DateTime]::Now)
{
    # Clear the custom attribute
    $Context.TargetObject.Put("adm-CustomAttributeDate1", $NULL)
    $Context.TargetObject.SetInfo()

    # Exit from script
    return
}

$Context.ConditionIsMet = $False