diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 78ac231e64bad3e50c36b97d5ee6326b919eaa49..ad33ff5fc5bb7421f0aba97266e0e7c474d7b5cb 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -989,7 +989,12 @@ locked:
 
 	if ( ppb->send_ctrl ) {
 		LDAPControl **ctrls = NULL;
+		pp_info *pi = on->on_bi.bi_private;
 
+		/* Do we really want to tell that the account is locked? */
+		if ( ppb->pErr == PP_accountLocked && !pi->use_lockout ) {
+			ppb->pErr = PP_noError;
+		}
 		ctrls = ch_calloc( sizeof( LDAPControl *) , 2 );
 		ctrls[0] = create_passcontrol( warn, ngut, ppb->pErr );
 		ctrls[1] = NULL;
@@ -1048,9 +1053,8 @@ ppolicy_bind( Operation *op, SlapReply *rs )
 		be_entry_release_r( op, e );
 
 		if ( rc ) {
-			pp_info *pi = on->on_bi.bi_private;
 			/* This will be the Draft 8 response, Unwilling is bogus */
-			if ( pi->use_lockout ) ppb->pErr = PP_accountLocked;
+			ppb->pErr = PP_accountLocked;
 			send_ldap_error( op, rs, LDAP_INVALID_CREDENTIALS, NULL );
 			return rs->sr_err;
 		}