%ENABLED_STATES%=2 disable Active Directory Account - Identity Manager

Article ID: 232746

Updated On:

Products

CA Identity Suite

Issue/Introduction

When a user enters a wrong password 3 times, their %ENABLED_STATES% is set to 2, so eTiMEnabledState on the GlobalUser is updated as well. The correlated Active Directory account is then disabled (not locked out). So if you log out of Windows, the user will never be able to unlock the password again.

If we disable "status propagation", the problem is solved.

But if "status propagation" is disabled and the user is really disabled (%ENABLED_STATES% = 1), is it possible for the status to be propagated to Active Directory?

Environment

Release : 14.3

Component : Identity Manager

Cause

Working as designed.

Resolution

 

  • Disable status propagation on the AD endpoint.

  • Create a PX policy on the ModifyUser event that:

    • Reads the %ENABLED_STATES% attribute.

    • If the attribute was modified and (value AND 2) ≠ 0, then disable the AD account.

    • If the attribute was modified and (value AND 1) = 0, then enable the AD account.