Account Lockout in AD (Server 2008)

[wlfpackr]

I have a question about the account lockout attribute in AD. We have a current process in place that disables users when they take a leave of absense. I'm being asked to change the process to "lockout" the user versus "disabling" the user b/c it's causing some other areas some headaches. So far, I don't see a way to do it outside of sitting down and learning some C# and I'm not really sure if that code was legit.

Outside of sending incorrect password attempts, is there a way to programmatically force a lockout on a user account? I tried setting UAC to 528, but that didn't work. Perhaps the easier question to answer is if we can force the lockout, is the account just going to be automatically unlocked based on the 30min Account Lockout Duration that's set by our group policy?

=================
There are 10 kinds of people in this world, those that understand binary and those that do not.

 

[baddos]

If the account is locked out, the lockout duration timer will unlock them. You really do want to disable the accounts if that is what you are trying to do. What are the specific problems that other areas have with the account being disabled?

 

[wlfpackr]

The claim is when the account is disabled in AD, their systems drop access. Then when the person comes back, they have to rebuild access from scratch. I'm bound by HR policy though (and I control AD ) so they may just be out of luck.

=================
There are 10 kinds of people in this world, those that understand binary and those that do not.

 

[baddos]

The whole point of disabling or locking out the account is for their account not to have access. If there is account sharing or something else going on, it should be addressed by other means.