Account lockout is a little complex in AD with LDAP due to the fact that
lockoutTime is not automatically reset as soon as the lockout expires.
However, to get a first approximation of lockout, you can simply check the
lockoutTime attribute to see if it is populated and contains a value > 0.
Most of the time, this will tell you lockout status although it can yield a
If you absolutely need it to be right, you need to compare the lockoutTime
value as DateTime with the current time on the DC + the domain lockout
duration (from the domain root).
To read the lockoutTime attribute, the easiest way is to use the
DirectorySearcher, adding "lockoutTime" to PropertiesToLoad. Then, cast the
result back to Int64. If you use the DirectoryEntry, you must unwind the
IADsLargeInteger value, which is more work.
HTH for now. I'll try to follow up with a sample later when I have time.
Ryan has a sample showing some of the code you need here:
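The exact check the post describes, written up as an added C# example (not the poster's code): lockoutTime read through DirectorySearcher and cast to Int64, lockoutDuration read the same way from the domain root, and the DC's clock taken from RootDSE. The class name LockoutCheck, its methods and the EscapeFilter helper are my own names, not anything from the post.

```csharp
using System;
using System.DirectoryServices;
using System.Globalization;
// Added example; class and method names are hypothetical, not from the post.
static class LockoutCheck
{
    // lockoutTime is a FILETIME (100-ns ticks since 1601 UTC); lockoutDuration on the domain
    // root is a NEGATIVE 100-ns interval, and long.MinValue means "until an admin unlocks".
    public static bool IsLockedOut(long lockoutTime, long lockoutDuration, DateTime dcNowUtc)
    {
        if (lockoutTime <= 0) return false;                // never locked, or reset by a DC
        if (lockoutDuration == long.MinValue) return true; // no automatic unlock configured
        DateTime lockedAt = DateTime.FromFileTimeUtc(lockoutTime);
        DateTime unlocksAt = lockedAt + TimeSpan.FromTicks(-lockoutDuration);
        return unlocksAt > dcNowUtc;                       // still inside the lockout window
    }
    // Gathers the three inputs the post names: lockoutTime, lockoutDuration and the DC's clock.
    public static bool IsUserLockedOut(string samAccountName)
    {
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            // currentTime is generalized time such as "20240102030405.0Z" (constructed sample)
            string dcTime = (string)rootDse.Properties["currentTime"].Value;
            DateTime dcNowUtc = DateTime.ParseExact(dcTime, "yyyyMMddHHmmss.0'Z'",
                CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal);
            string domainDn = (string)rootDse.Properties["defaultNamingContext"].Value;
            using (var domainRoot = new DirectoryEntry("LDAP://" + domainDn))
            using (var durationSearch = new DirectorySearcher(domainRoot, "(objectClass=domain)",
                new[] { "lockoutDuration" }, SearchScope.Base))
            using (var userSearch = new DirectorySearcher(domainRoot,
                "(&(objectCategory=person)(sAMAccountName=" + EscapeFilter(samAccountName) + "))",
                new[] { "lockoutTime" }, SearchScope.Subtree))
            {
                // DirectorySearcher returns large integers as Int64, so no IADsLargeInteger unwinding.
                long lockoutDuration = (long)durationSearch.FindOne().Properties["lockoutDuration"][0];
                SearchResult user = userSearch.FindOne();
                if (user == null) throw new ArgumentException("no such user", nameof(samAccountName));
                // lockoutTime is absent until the first lockout; treat absent as 0.
                long lockoutTime = user.Properties["lockoutTime"].Count > 0
                    ? (long)user.Properties["lockoutTime"][0] : 0L;
                return IsLockedOut(lockoutTime, lockoutDuration, dcNowUtc);
            }
        }
    }
    // Escapes RFC 4515 filter metacharacters so the account name cannot alter the LDAP query.
    static string EscapeFilter(string s) => s.Replace("\\", "\\5c").Replace("*", "\\2a")
        .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
}
```

Comparing against the DC's clock rather than the client's avoids false results from clock skew, and checking lockoutDuration for long.MinValue covers domains configured to lock until an administrator unlocks.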