3.1.5.14.5 Account Lockout Enforcement and Reset

1. Let U be the user account that is the subject of a change password request.

2. If U's lockoutTime attribute value plus the attribute value of Effective-LockoutDuration (see section 3.1.1.5) is less than the current time, the server MUST abort the request and return STATUS_ACCOUNT_LOCKED_OUT.

3. Otherwise, U's lockoutTime MUST be updated to the value 0.