3.1.5.14.6 Account Lockout State Maintenance

  1. Let U be the user account that is the subject of a change password request.

  2. If the Effective-LockoutThreshold attribute value (see section 3.1.1.5) is greater than zero and U's lockoutTime attribute value is zero or nonexistent, all of the following constraints apply:

    1. If the time period between U's badPwdTime attribute value and the current time is greater than the attribute value of the Effective-LockoutObservationWindow (see section 3.1.1.5), the server MUST set U's badPwdCount attribute value to one. Otherwise, the server MUST increment U's badPwdCount attribute value by one.

    2. The server MUST update U's badPwdTime attribute value to the current time (with FILETIME syntax).

    3. If the Effective-LockoutThreshold attribute value (see section 3.1.1.5) is greater than zero, and BadPasswordCount is greater than or equal to lockoutThreshold, the server MUST update U's lockoutTime attribute to the current time (with FILETIME syntax).
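The procedure above as a small state machine, replayed over a constructed timeline to show the observation-window reset, the lockout transition, and the frozen state once lockoutTime is set. This is an added example, not code from the specification or from any server implementation. Assumptions: the function is called each time this section's processing applies to U, the observation window is passed as a positive tick count, step 3 compares U's updated badPwdCount with the Effective-LockoutThreshold, and the names User, maintain_lockout_state and replay are hypothetical.

```python
from dataclasses import dataclass

TICKS_PER_SECOND = 10_000_000  # FILETIME: 100-ns intervals since 1601-01-01 UTC


@dataclass
class User:
    # Attribute names are the page's; 0 stands for "zero or nonexistent".
    badPwdCount: int = 0
    badPwdTime: int = 0
    lockoutTime: int = 0


def maintain_lockout_state(u, now, threshold, window):
    """Apply steps 2.1-2.3 to u; now and window are in FILETIME ticks.

    Returns True only when this call sets lockoutTime.
    """
    # Step 2 guard: lockout enabled and U not already locked out.
    if threshold <= 0 or u.lockoutTime != 0:
        return False
    # Step 2.1: strictly older than the window restarts the count at one.
    if now - u.badPwdTime > window:
        u.badPwdCount = 1
    else:
        u.badPwdCount += 1
    # Step 2.2: record the time of this attempt.
    u.badPwdTime = now
    # Step 2.3 (assumption: compares the updated badPwdCount to the threshold).
    if u.badPwdCount >= threshold:
        u.lockoutTime = now
        return True
    return False


def replay(offsets_s, threshold, window_s, base=133_500_000_000_000_000):
    """Run the procedure at base + each offset (seconds); base is a constructed FILETIME."""
    u, trace = User(), []
    for off in offsets_s:
        now = base + off * TICKS_PER_SECOND
        maintain_lockout_state(u, now, threshold, window_s * TICKS_PER_SECOND)
        trace.append((u.badPwdCount, u.lockoutTime != 0))
    return u, trace


if __name__ == "__main__":
    # Constructed timeline: threshold 3, 30-minute observation window.
    _, trace = replay([0, 600, 3000, 3100, 3200, 3300], 3, 1800)
    print(trace)
```

Because step 2 only applies while lockoutTime is zero or nonexistent, badPwdCount and badPwdTime stop advancing once the account is locked, so attempts made during lockout are not visible in these attributes.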