Like many larger enterprises, our company has both eDirectory and Active Directory. Employee accounts exist in both with the same CN.
When Intruder lockout occurs for a variety of reasons, it might happen just within their eDir account, just their AD account, or both.
Our SSPR just happens to be integrated with eDir LDAP. When going through SSPR's Forgotten Password module, a user is only prompted to clear intruder lockout if eDir itself has an intruder lockout set -- otherwise, if only their AD account is locked, SSPR only offers to reset the user's password.
It would be a huge improvement if SSPR allowed defining "secondary LDAP" sources with the sole purpose of simultaneously checking for and clearing Intruder Lockout across any of them, if they likewise contain a CN match.