31 December 2009 @ 05:07 pm
Reason #917 for hating Microsoft...  
Okay, at work today, I discover that the Active Directory LDAP attribute for whether an account is locked out or not is called lockoutTime. Fair enough, that seems plenty reasonable. So, what does that time represent?

The date and time (UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the account is not currently locked out.

100 nanosecond intervals since January 1st, 1601?! WHO THE %(*@%!* CARES ABOUT AN ACCOUNT'S LOCKOUT TIME TO THE .0001 MILLISECONDS?!

But you can't even really use the attribute for a simple locked/not locked check, for this shall thwart you:

This attribute value is only reset when the account is logged onto successfully. This means that this value may be non zero, yet the account is not locked out. To accurately determine if the account is locked out, you must add the lockoutDuration to this time and compare the result to the current time, accounting for local time zones and daylight savings time.

This dooms it to being one of the most complicated account lockout systems ever, and all but guarantees that it'll get screwed up by anyone not using the Windows APIs. Whatever happened to using the generalized time syntax that most every other LDAP implementation uses (YYYYMMDDHHMMSS[.|,fraction][(+|-HHMM)|Z])?
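To make the quoted check concrete, here is an added example (mine, not from the post or from Microsoft) that converts between the 1601 epoch and ordinary UTC datetimes and then applies the documented rule: the account is locked only while lockoutTime + lockoutDuration is still in the future. It also shows the naive "lockoutTime != 0" test beside it, so the discrepancy on an expired lockout is visible. Assumptions not stated in the post: lockoutDuration is read from the domain object and is stored in AD as a negative interval count, with the minimum int64 value meaning the lockout never expires; the sample lockout time and 30 minute policy are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Epoch quoted in the post: 100 nanosecond intervals since 1601-01-01 (UTC).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INTERVALS_PER_SECOND = 10_000_000  # 100 ns intervals in one second

# Assumption (AD convention, not from the post): lockoutDuration is stored as a
# negative interval count, and the minimum int64 value means "never unlock".
LOCKOUT_NEVER = -(1 << 63)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 100 ns interval count since 1601-01-01 UTC to an aware UTC datetime."""
    # datetime resolves microseconds only, so the last decimal digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Convert an aware datetime to a 100 ns interval count since 1601-01-01 UTC."""
    delta = moment.astimezone(timezone.utc) - FILETIME_EPOCH
    whole_seconds = delta.days * 86_400 + delta.seconds
    return whole_seconds * INTERVALS_PER_SECOND + delta.microseconds * 10


def naive_is_locked_out(lockout_time: int) -> bool:
    """The tempting but wrong check: treats any non-zero lockoutTime as locked."""
    return lockout_time != 0


def is_locked_out(lockout_time: int, lockout_duration: int,
                  now: Optional[datetime] = None) -> bool:
    """The documented rule: locked iff lockoutTime != 0 and
    lockoutTime + |lockoutDuration| is still in the future.
    Everything is compared in UTC, which sidesteps the time zone / DST trap."""
    if lockout_time == 0:
        return False  # zero means not locked, per the attribute description
    if lockout_duration == LOCKOUT_NEVER:
        return True  # indefinite lockout: stays set until it is reset
    if now is None:
        now = datetime.now(timezone.utc)
    unlock_at = filetime_to_datetime(lockout_time + abs(lockout_duration))
    return now.astimezone(timezone.utc) < unlock_at


if __name__ == "__main__":
    # Constructed sample: lockout at the post's timestamp, 30 minute domain policy.
    locked_at = datetime(2009, 12, 31, 17, 7, tzinfo=timezone.utc)
    lockout_time = datetime_to_filetime(locked_at)
    lockout_duration = -30 * 60 * INTERVALS_PER_SECOND  # stored negative in AD
    for minutes_later in (10, 45):
        probe = locked_at + timedelta(minutes=minutes_later)
        print(f"{minutes_later:>2} min after lockout: naive={naive_is_locked_out(lockout_time)} "
              f"documented={is_locked_out(lockout_time, lockout_duration, probe)}")
```

Forty-five minutes after the lockout the naive check still reports the account as locked while the documented rule correctly reports it as free, which is exactly the failure the quoted text warns about. Keeping every datetime timezone-aware and in UTC is the cheap way to avoid the "local time zones and daylight savings time" part of the warning.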

Man do I hate the Windows epoch, even if it does make some math a whole operand quicker. Yeesh.
terry31415 on January 1st, 2010 01:23 am (UTC)
I love it when you do geeky rants!

Happily, I don't have to deal with that MS problem.
rodgort on January 4th, 2010 05:39 pm (UTC)
My brain just broke. Thanks.