diff --git a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
index 0622a89d4d..603234a6ca 100644
--- a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
+++ b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
@@ -45,6 +45,7 @@ from samba.dcerpc import drsblobs
 import heimdal
 from ldap.controls import LDAPControl
 import traceback
+from univention.admin.handlers.users.user import unmapWindowsFiletime
 class Krb5Context(object):
 def __init__(self):
@@ -855,9 +856,10 @@ def lockout_sync_s4_to_ucs(s4connector, key, ucs_object):
 return
 modlist = []
+ extra_modlist = []
 try:
- ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaAcctFlags', 'sambaBadPasswordTime'], required=True)
+ ucs_object_attributes = s4connector.lo.get(ucs_object['dn'], ['sambaAcctFlags', 'sambaBadPasswordTime', 'pwdAccountLockedTime'], required=True)
 except ldap.NO_SUCH_OBJECT:
 ud.debug(ud.LDAP, ud.WARN, "%s: The UCS object (%s) was not found. The object was removed." % (function_name, ucs_object['dn']))
 return
@@ -878,6 +880,10 @@ def lockout_sync_s4_to_ucs(s4connector, key, ucs_object):
 if sambaBadPasswordTime:
 ud.debug(ud.LDAP, ud.INFO, "%s: Old sambaBadPasswordTime: %s" % (function_name, sambaBadPasswordTime))
 modlist.append(('sambaBadPasswordTime', sambaBadPasswordTime, badPasswordTime))
+
+ pwdAccountLockedTime = ucs_object['attributes'].get('pwdAccountLockedTime', ["0"])[0]
+ lockedTime = unmapWindowsFiletime([badPasswordTime])
+ extra_modlist.append(('pwdAccountLockedTime', pwdAccountLockedTime, lockedTime))
 else:
 if "L" in sambaAcctFlags:
 acctFlags = univention.admin.samba.acctFlags(sambaAcctFlags)
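Review bot: In the third hunk the old value of `pwdAccountLockedTime` is read from `ucs_object['attributes']`, although the second hunk adds that attribute to the `s4connector.lo.get(...)` call whose result is `ucs_object_attributes`; in the visible lines the freshly fetched value is never used, so the old value in the modlist may be the `"0"` default even when the entry already carries a lock time. I would read it from the fetched entry, `pwdAccountLockedTime = ucs_object_attributes.get('pwdAccountLockedTime', ["0"])[0]`, assuming that is how `sambaBadPasswordTime` is obtained above the hunk. Also, `extra_modlist` is filled only in the lockout branch: the visible start of the `else:` branch does not clear `pwdAccountLockedTime`, so an unlock arriving from S4 may leave the account locked for ppolicy-checked binds, which is worth confirming in the part of that branch outside the hunk.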
@@ -893,6 +899,12 @@ def lockout_sync_s4_to_ucs(s4connector, key, ucs_object):
 ud.debug(ud.LDAP, ud.ALL, "%s: modlist: %s" % (function_name, modlist))
 s4connector.lo.lo.modify(ucs_object['dn'], modlist)
+ if extra_modlist:
+ try:
+ s4connector.lo.lo.modify(ucs_object['dn'], extra_modlist)
+ ud.debug(ud.LDAP, ud.ALL, "%s: modlist: %s" % (function_name, extra_modlist))
+ except ldap.UNDEFINED_TYPE: # no ppolicy enabled
+ pass
 def lockout_sync_ucs_to_s4(s4connector, key, object):
 """
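Review bot: The second `modify` swallows `ldap.UNDEFINED_TYPE` with a bare `pass` and lets every other LDAP error propagate after the first modify has already been written, so the Samba lock flag and the ppolicy lock time can end up out of step with no trace in the log. Since this is lockout state, I would log the skipped write in place of `pass`, e.g. `ud.debug(ud.LDAP, ud.INFO, "%s: pwdAccountLockedTime not written, ppolicy schema not available" % function_name)`. The `ud.debug` of `extra_modlist` should also move before the `modify` call, as is done for `modlist` just above, so the attempted change is logged even when the call raises. The body of `lockout_sync_s4_to_ucs` starts outside the hunk.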