diff --git a/base/univention-pam/faillog.py b/base/univention-pam/faillog.py
index ace30b0876..bd871bac47 100644
--- a/base/univention-pam/faillog.py
+++ b/base/univention-pam/faillog.py
@@ -33,7 +33,7 @@
 name = 'faillog'
 description = 'The listener module resets the faillog count'
-filter = 'objectClass=shadowAccount'
+filter = '(objectClass=shadowAccount)'
 attributes = []
 __package__ = '' # workaround for PEP 366
@@ -55,6 +55,27 @@ def handler(dn, new, old):
 listener.run('/sbin/pam_tally', ['pam_tally', '--user', new['uid'][0], '--reset'])
 finally:
 listener.unsetuid()
+ elif __login_is_locked(new) and not __login_is_locked(old):
+ if listener.configRegistry.is_true('auth/faillog'):
+ # set local bad password count high enouth for this system:
+ try:
+ limit = int(listener.configRegistry.get('auth/faillog/limit', '5'))
+ except TypeError:
+ limit = 5
+ listener.setuid(0)
+ try:
+ ud.debug(ud.LISTENER, ud.PROCESS, 'Trigger faillog for user %s' % new['uid'][0])
+ listener.run('/sbin/pam_tally', ['pam_tally', '--user', new['uid'][0], '--reset=%s' % (limit + 1,)])
+ finally:
+ listener.unsetuid()
+ elif old:
+ # clean up on delete: reset local bad password count
+ listener.setuid(0)
+ try:
+ ud.debug(ud.LISTENER, ud.PROCESS, 'Reset faillog for user %s' % new['uid'][0])
+ listener.run('/sbin/pam_tally', ['pam_tally', '--user', new['uid'][0], '--reset'])
+ finally:
+ listener.unsetuid()
 def initialize():
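Review bot: The `elif old:` branch commented as "clean up on delete" is not restricted to deletes — it also fires for every modification of an existing account whose lock state did not change (and with `attributes = []`, if that follows the usual univention listener convention of matching any attribute, a routine LDAP change reaches it), so ordinary edits would wipe the local bad-password counter and weaken the pam_tally lockout; on an actual delete the listener API presumably passes an empty `new`, so `new['uid'][0]` in the debug and pam_tally lines would fail before the reset runs. Change the guard to `elif old and not new:` and take the user name from `old['uid'][0]` in the two lines that follow. Separately, `int()` on a non-numeric `auth/faillog/limit` raises `ValueError`, which `except TypeError:` does not catch, so a mis-set UCR variable aborts the handler instead of falling back to 5 — use `except (TypeError, ValueError):`. The `if` chain this extends and the rest of `handler`'s body begin above the hunk, so the first branch's condition is not visible here.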