gnome-screensaver should allow screen unlock even if account is locked out

@Alex: could you provide a rationale for *why* it should ?

Sure: so that a PC doesn't become totally unusable just because someone entered the wrong password a few times somewhere else.

Well, it's not "totally unusable" since you can still switch to another user. And there should be other users available if you're under a domain setup. The whole "account locking" AD feature is buggy, since every large AD domain user knows they can easily lock out someone else's account.

I guess in the end it all depends on how "being locked out" translates, since I can imagine a bug asking for the complete contrary of what you're asking.

In that discussion, it might be worth considering that Microsoft does not apply lockout policy to the "screen unlock" dialog: http://support.microsoft.com/kb/188700

Maybe gnome-screensaver's unlock screen dialog could be taught to recognize a specific "locked" error code, but I'm far from convinced we should do that.

It's totally unusable to me, since I only have one AD account so switching to another user isn't really viable.

Obviously there's the workaround of going to a console session as root and killing gnome-screensaver, but that's just silly in my opinion.

Interesting that the microsoft support link doesn't give a rationale either way for this policy. It would probably be good to have it as a configurable option though, rather than forcing it to work one way or the other.

Wouldn't a locked account result in a successful pam auth, but unsuccessful pam account result, rather than checking for a specific error code?

It would be handy if it would at least tell a user that their account was locked out. As is, I had a user change their password and forget change their cached password in Evolution (or on their smartphone) and they were locked out of their desktop whenever the screen saver kicked in. They could still get in via rebooting, they just couldn't unlock once it was locked.