Re: All AD User Accounts Locked


From: Rob (rjohn_at_sw.rr.com)
Date: 12/03/04


Date: Thu, 2 Dec 2004 22:37:55 -0600

I just suffered the same exact scenario, twice, from our HQ in another
country. The way to identify the problem quickly is 1) review security
logs on domain controllers (security logs will indicate the workstation name
that is locking the account out). You will see many entries for your
accounts, but likely on one workstation. 2) As in our case, DNS/WINS/DHCP
did not have a listing for the workstation name. The accounts could only be
locked out via our Domain controllers, so I ran the netstat command on each
Domain Controller to see which one had a session with the suspected
workstation. 3) Once I identified which domain controller was locking the
accounts out, I ran NBTSTAT -c to review the remote name cache. There I
found the name & IP address pair. 4) Now that I had an IP address, I routed
all traffic from the offending host to NULL0 on our router or switch.

Rob

"Patrick Ruane" <Patrick Ruane@discussions.microsoft.com> wrote in message
news:336F9C48-EEA3-429B-AE10-78976351D5F0@microsoft.com...
> Hi Guys
>
> I have a problem with all my domain user accounts locking out at the same
> time. It happens fairly randomly and we cannot identify any particular
> event
> that causes this. We have a 2000 domain in mixed mode with 95/98/2000/xp
> clients. Has anyone come across this before, or knows of a reason why
> this
> is happening?
>
> Also, does anyone have a script for unlocking all user accounts?
>
> Thanks in advance for any help.
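
Steps 1 and 3 of Rob's reply, sketched as an added example (not code from either poster): group lockout events by the workstation named in the security log, then look that name up in `nbtstat -c` output to get an IP address. The CSV column names, the three-account threshold, and all sample data are assumptions constructed for this example.

```python
import csv, io, re
from collections import defaultdict

# Constructed sample: lockout events exported from the DC security logs.
# The column names are assumptions made for this example.
LOCKOUTS = """time,account,caller_workstation
2004-12-02T21:58:01,alice,GHOST-PC
2004-12-02T21:58:03,bob,GHOST-PC
2004-12-02T21:58:04,carol,ghost-pc
2004-12-02T21:58:06,dave,GHOST-PC
2004-12-02T22:10:40,erin,WKSTN07
"""

# Constructed sample of `nbtstat -c` output taken on one domain controller.
NBT_CACHE = """
                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    FILESRV1       <20>  UNIQUE          192.0.2.10          412
    GHOST-PC       <00>  UNIQUE          192.0.2.45          580
    GHOST-PC       <20>  UNIQUE          192.0.2.45          580
"""

ENTRY = re.compile(r"^\s*(\S+)\s+<[0-9A-Fa-f]{2}>\s+(?:UNIQUE|GROUP)\s+"
                   r"(\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s*$")

def lockout_sources(csv_text, min_accounts=3):
    """Workstations that locked out at least min_accounts distinct accounts."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen[row["caller_workstation"].strip().upper()].add(row["account"].strip().lower())
    return {ws: accts for ws, accts in seen.items() if len(accts) >= min_accounts}

def cache_lookup(nbtstat_text, name):
    """IP addresses the remote name cache holds for a NetBIOS name."""
    ips = []
    for line in nbtstat_text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(1).upper() == name.upper() and m.group(2) not in ips:
            ips.append(m.group(2))
    return ips

def triage(csv_text, nbtstat_text):
    """Map each suspect workstation to its locked accounts and cached IPs."""
    return {ws: {"accounts": sorted(accts), "ips": cache_lookup(nbtstat_text, ws)}
            for ws, accts in lockout_sources(csv_text).items()}

if __name__ == "__main__":
    print(triage(LOCKOUTS, NBT_CACHE))
```

An empty `ips` list means this controller's cache holds no entry for the name, so the lookup has to be repeated with output from the controller that has the session.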


