Resolution: Won't Do
PUP-6569; the fix covered the basics of disabled, expired and locked accounts. More work in this area is warranted as time permits, and is detailed below.
PUP-6483, we found that we could be more specific with our error handling when performing some user password management tasks on Windows.
A few error codes we could explore handling some of the errors and providing better messages around how to correct. Possibly as a separate ticket though.
* ERROR_LAST_ADMIN - 1322 (0x52A) - This operation is disallowed as it could result in an administration account being disabled, deleted or unable to log on. * ERROR_WRONG_PASSWORD - 1323 (0x52B) - Unable to update the password. The value provided as the current password is incorrect. * ERROR_ILL_FORMED_PASSWORD - 1324 (0x52C) - Unable to update the password. The value provided for the new password contains values that are not allowed in passwords. * ERROR_PASSWORD_RESTRICTION - 1325 (0x52D) - Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain. * ERROR_LOGON_FAILURE - 1326 (0x52E) - The user name or password is incorrect. * ERROR_ACCOUNT_RESTRICTION - 1327 (0x52F) - Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced. * ERROR_INVALID_LOGON_HOURS - 1328 (0x530) - Your account has time restrictions that keep you from signing in right now. * ERROR_INVALID_WORKSTATION - 1329 (0x531) - This user isn't allowed to sign in to this computer. * ERROR_PASSWORD_EXPIRED - 1330 (0x532) - The password for this account has expired. * ERROR_ACCOUNT_DISABLED - 1331 (0x533) - This user can't sign in because this account is currently disabled.
- Modify the Puppet Windows user provider or backing libs in puppet/util/windows to detect and surface some or all of the preceding errors to the user when applicable
From - https://github.com/puppetlabs/puppet/pull/5201#discussion_r75033133
ERROR_ACCOUNT_LOCKED_OUT = 1909 - is raised if account is locked out even when supplied login credentials are valid