Re: All AD User Accounts Locked


From: Patrick Ruane (PatrickRuane_at_discussions.microsoft.com)
Date: 12/03/04


Date: Fri, 3 Dec 2004 05:09:01 -0800

Thanks Rob. We identified the problem as being caused by the Gaobot virus
(updates didn't pick it up unfortunately). I've written a couple of scripts,
one to unlock all domain accounts if it happens again (not the most secure
thing in the world, but only temporary) and another one that runs at system
startup that deletes the virus, registry keys and modifies the hosts file,
oh, and emails me what it has done :) (as you can tell, I'm proud of that
one). If anyone wants any sample scripts, let me know.

"Rob" wrote:

> I just suffered the same exact scenario, twice, from our HQ in another
> country. The way to identify the problem quickly is: 1) review security
> logs on domain controllers (security logs will indicate the workstation name
> that is locking the account out). You will see many entries for your
> accounts, but likely on one workstation. 2) As in our case, DNS/WINS/DHCP
> did not have a listing for the workstation name. The accounts could only be
> locked out via our Domain controllers, so I ran the netstat command on each
> Domain Controller to see which one had a session with the suspected
> workstation. 3) Once I identified which domain controller was locking the
> accounts out, I ran NBTSTAT -c to review the remote name cache. There I
> found the name & ip address pair. 4) Now that I had an IP address, I routed
> all traffic from the offending host to NULL0 on our router or switch.
>
> Rob
>
>
> "Patrick Ruane" <Patrick Ruane@discussions.microsoft.com> wrote in message
> news:336F9C48-EEA3-429B-AE10-78976351D5F0@microsoft.com...
> > Hi Guys
> >
> > I have a problem with all my domain user accounts locking out at the same
> > time. It happens fairly randomly and we cannot identify any particular event
> > that causes this. We have a 2000 domain in mixed mode with 95/98/2000/xp
> > clients. Has anyone come across this before, or knows of a reason why this
> > is happening?
> >
> > Also, does anyone have a script for unlocking all user accounts?
> >
> > Thanks in advance for any help.
>
>
>
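Step 1 of Rob's procedure (finding the workstation behind the lockouts in the domain controllers' security logs), as an added example that is not part of the original thread. It assumes the lockout events have already been exported to CSV with the hypothetical column names shown; the sample rows, host names and thresholds are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: lockout records exported from DC security logs.
# Column names are an assumption about the export, not a Windows format.
SAMPLE_EXPORT = """\
time,domain_controller,target_account,caller_workstation
2004-12-02 08:02:17,DC01,ekhan,WKS-0230
2004-12-02 09:14:03,DC02,asmith,WKS-0417
2004-12-02 09:14:05,DC02,bjones,WKS-0417
2004-12-02 09:14:09,DC02,cwu,wks-0417
2004-12-02 09:14:12,DC02,dlee,WKS-0417
2004-12-02 11:40:51,DC01,asmith,WKS-0102
2004-12-02 15:30:44,DC01,fortiz,WKS-0230
"""


def lockout_sources(export_text, window=timedelta(minutes=10), min_accounts=3):
    """Return workstations that locked out at least `min_accounts` distinct
    accounts inside any single `window`, busiest first."""
    by_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        # NetBIOS names are case-insensitive; normalise before grouping.
        host = row["caller_workstation"].strip().upper() or "(blank)"
        by_host[host].append(
            (ts, row["target_account"].lower(), row["domain_controller"]))

    findings = []
    for host, rows in by_host.items():
        rows.sort()
        best, start = set(), 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            accounts = {r[1] for r in rows[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            findings.append({
                "workstation": host,
                "accounts": sorted(best),
                # The DCs that recorded the lockouts are the ones to check
                # with netstat / NBTSTAT -c in steps 2 and 3.
                "domain_controllers": sorted({r[2] for r in rows}),
            })
    return sorted(findings, key=lambda f: -len(f["accounts"]))
```

A single user mistyping a password shows up as one account from one workstation and stays below the threshold; a host locking many different accounts within minutes is the pattern described in the thread.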


