Active Directory user objects can be in several different states: for example, one distinguishes between active, locked, and disabled (deactivated) accounts. A question that comes up frequently is what the actual difference is between a locked and a disabled AD user account.
In this article, we go through the individual states of user accounts in Active Directory and also within the tenfold IAM solution.
The Possible Statuses of Active Directory Users
In Active Directory, a user account can have one of three other states in addition to the default active state:
Disabled
This state is set manually or automatically and is permanent. Once an AD user is disabled, the user can no longer log in to the network with their credentials. Re-enabling does not happen automatically; it, too, must be performed manually.
This state is used very often in the corporate environment for temporary absences of employees or as part of the exit process. In the second case, the account is disabled and is usually only finally deleted by an automated process after a defined number of days.
An account can be disabled in Active Directory as follows: Account ⇒ Properties ⇒ "Account" tab ⇒ Account options ⇒ check the "Account is disabled" checkbox. Alternatively, you can right-click the user object and disable the account directly from the context menu.
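The same disable step from PowerShell, as an added example that is not part of the original article: it disables an account, verifies the result by reading the ACCOUNTDISABLE bit of userAccountControl, and lists every disabled account for an exit-process review. It assumes the ActiveDirectory RSAT module and a domain-joined session; "jdoe" is an assumed sAMAccountName used only for illustration.

```powershell
# Added example (not from the original article): disable an AD user account from
# PowerShell instead of the ADUC checkbox, verify it, and inventory disabled accounts.
# Assumes the ActiveDirectory RSAT module; "jdoe" is an assumed sAMAccountName.
Import-Module ActiveDirectory

$sam = 'jdoe'

# Equivalent to ticking "Account is disabled" in the Account tab.
Disable-ADAccount -Identity $sam

# Verify: Enabled is derived from the ACCOUNTDISABLE bit (0x0002) of userAccountControl.
$user = Get-ADUser -Identity $sam -Properties Enabled, userAccountControl
$uacAccountDisable = 0x0002
[pscustomobject]@{
    SamAccountName = $user.SamAccountName
    Enabled        = $user.Enabled
    DisabledBitSet = ($user.userAccountControl -band $uacAccountDisable) -ne 0
}

# Inventory of every disabled user account, e.g. to check that leavers are
# actually deleted after the defined retention period.
Search-ADAccount -AccountDisabled -UsersOnly |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate |
    Sort-Object SamAccountName

# Re-enable when the employee returns from a temporary absence (manual step,
# there is no automatic re-enable for the disabled state):
# Enable-ADAccount -Identity $sam
```

Disable-ADAccount and Enable-ADAccount only flip the userAccountControl bit; they do not touch the lockout state or the expiration date, which is why the script reads those separately from Enabled.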
Locked
AD accounts enter this state only automatically. The trigger is a series of incorrect password entries: once the configured number of failed attempts is exceeded, the account is set to "locked out" in Active Directory.
When exactly, and for how long, a user account is locked depends on how the Default Domain Policy has been configured. In this Group Policy Object (GPO), the account lockout options are set under Account Policies.
In the Active Directory Users and Computers console, you cannot readily see that a user object is locked out. The state is visible via PowerShell, however.
There, the "LockedOut" attribute shows whether the user is locked out or not. To read it, issue the following command:
Get-ADUser "username" -Properties LockedOut
You can manually unlock an AD account by ticking the "Unlock account" option in the "Active Directory Users and Computers" console for the user object via "Properties" ⇒ "Account" tab.
Expired
This state occurs when an expiration date has been set for an AD user account. This is done either via the "accountExpires" attribute or via the object's context menu: "Properties" ⇒ "Account" tab ⇒ Account expires ⇒ "End of:".
At the end of the day set there, the account automatically expires and can no longer log in to the Windows domain.
All accounts behave similarly after a status change: you cannot log in with them anywhere in the network.
The locked account is the one exception. Here the object remains locked only for a certain duration and is unlocked "automatically" once that time has passed. The duration is configured in the Default Domain Policy. If it is set to 0, the account is never unlocked "automatically".
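To make the three states and the lockout behaviour concrete, here is an added PowerShell example (not code from the original article or from tenfold). It classifies a user as Active, Disabled, Locked or Expired from the attributes the text names (Enabled, LockedOut, accountExpires), and reads the lockout threshold and duration from the Default Domain Policy so you can tell whether a lockout will clear by itself. It assumes the ActiveDirectory RSAT module; the function name Get-AdAccountState and the sAMAccountName "jdoe" are assumptions for illustration.

```powershell
# Added example (not from the original article): report which non-active state
# an AD user is in, and show the lockout policy that governs the "Locked" state.
# Assumes the ActiveDirectory RSAT module; Get-AdAccountState and "jdoe" are
# names chosen for this example.
Import-Module ActiveDirectory

function Get-AdAccountState {
    param([Parameter(Mandatory)][string]$Identity)

    $props = 'Enabled', 'LockedOut', 'AccountExpirationDate', 'accountExpires',
             'LockoutTime', 'badPwdCount'
    $u = Get-ADUser -Identity $Identity -Properties $props

    # accountExpires of 0 or Int64.MaxValue means "never"; the cmdlet then leaves
    # AccountExpirationDate empty. The account is expired once that date has passed.
    $expired = ($null -ne $u.AccountExpirationDate) -and
               ($u.AccountExpirationDate -le (Get-Date))

    $states = @()
    if (-not $u.Enabled) { $states += 'Disabled' }   # manual; stays until re-enabled
    if ($u.LockedOut)    { $states += 'Locked' }     # automatic; from bad password attempts
    if ($expired)        { $states += 'Expired' }    # automatic; from accountExpires
    if ($states.Count -eq 0) { $states = @('Active') }

    # lockoutTime is a FILETIME; 0 means the account is not locked out.
    $lockedSince = if ($u.LockoutTime) { [DateTime]::FromFileTimeUtc($u.LockoutTime) } else { $null }

    [pscustomobject]@{
        SamAccountName        = $u.SamAccountName
        State                 = $states -join ','
        BadPasswordCount      = $u.badPwdCount
        LockedSinceUtc        = $lockedSince
        AccountExpirationDate = $u.AccountExpirationDate
    }
}

function Get-LockoutPolicySummary {
    # Account lockout options from the Default Domain Policy.
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        LockoutThreshold         = $p.LockoutThreshold         # failed attempts before lockout; 0 = never lock
        LockoutDuration          = $p.LockoutDuration          # how long the lock lasts; 0 in the GPO = until an admin unlocks
        LockoutObservationWindow = $p.LockoutObservationWindow # window in which failed attempts are counted
    }
}

Get-AdAccountState -Identity 'jdoe'
Get-LockoutPolicySummary

# All currently locked-out users, e.g. for helpdesk triage:
Search-ADAccount -LockedOut -UsersOnly | Select-Object SamAccountName, LastLogonDate

# Manual unlock, the PowerShell equivalent of the "Unlock account" checkbox:
# Unlock-ADAccount -Identity 'jdoe'
```

The states are reported as a comma-joined list rather than a single value because they are independent: a disabled account can also be locked out or expired at the same time, and re-enabling it does not clear the other two conditions.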
Difference between tenfold and Active Directory
With the identity and access management solution tenfold, you can, among other things, fully control your AD user accounts. This includes locking accounts temporarily or permanently.
tenfold also uses the terms "locking" and "deactivation", but the actions behind them differ from those in Active Directory.
In tenfold, locking an AD user account means disabling it within Active Directory.
Deactivating an AD account within tenfold, on the other hand, only comes up in the context of a new application. In this case, the AD user is created in Active Directory without a password and is therefore automatically locked by the domain controller. At the defined time, a password is set, which removes the account lock.
Summary
When locking a user is discussed in the context of user management processes, what is usually meant is that the user is disabled within Active Directory.
This is usually the only option for taking an account out of service and reactivating it later. It makes sense as part of a process for handling temporary absences of a user (e.g. illness, parental leave, vacation).
If, however, an account is locked because the password was entered incorrectly several times, there should also be a defined process for this that removes the lock and assigns a new password.
An AD account usually expires when an appropriate date has been maintained on the account and that date has been reached. In addition to ensuring that the AD account expires, an exit process should also cover the other actions that address the departure of an employee.