Account Lockout Enforcement and Reset

  1. Let U be the user account that is the subject of a change password request.

  2. If U's lockoutTime attribute value plus the attribute value of Effective-LockoutDuration (see section is less than the current time, the server MUST abort the request and return STATUS_ACCOUNT_LOCKED_OUT.

  3. Otherwise, U's lockoutTime MUST be updated to the value 0.