Hi Rodney

Lockoutstatus.exe is part of the 2003 resource kit (and I would assume the
2000 resource kit as well) although it can be downloaded separately from
Microsoft.  I did a search on Google for lockoutstatus.exe to get it.

We saw pretty much the same thing about 3 months ago and it turned out to
be a new flavor of a popular internet worm that Symantec was unable to
detect.  There have since been several other variations.  In our case we
audit for logon failures, lockoutstatus gave us the DC to check, the audit
log showed several failures for a handful of accounts at a set time all
coming from one IP address and that IP had wintaskx and payload both
running - the viral infections.

Good luck tracking down the culprit.  If you do get it and you need a bulk
unlock script:


' Bulk unlock: reads usernames from c:\ntuserlist.txt (one per line),
' unlocks any that are locked and logs them to c:\lockedaccounts.txt.

' Open the file system object - allows connections into the file system
Set fso = CreateObject("Scripting.FileSystemObject")

lock = 0
strdomain = "hq"

' Opens the user list for reading (1) and the log file for writing (2)
Set myreadfyle = fso.OpenTextFile("c:\ntuserlist.txt", 1)
Set myfile2 = fso.OpenTextFile("c:\lockedaccounts.txt", 2)

' Sets up a loop.  This will read every line in the text file and perform
' operations until the last line of the text file
While Not myreadfyle.AtEndOfStream

    ' Read the line.  For a csv input, the split command looks for the value
    ' in brackets (,) and splits the line there.  It will become an array now.
    ' The value dnarray(0) will be column one from the csv.
    ' dnarray(1) is then column two.
    strusername = Trim(myreadfyle.ReadLine)
    ' dnarray = split(fyleline,",",-1,1)

    ' This line echoes the values to a message box on the screen.  Again,
    ' values in the "s are absolute, values outside the "s are variables, and
    ' the & is used to append the different value sets together into one line.
    ' wscript.echo "The first value is " & dnarray(0) & " The second value is " & dnarray(1)

    ' Skip blank lines in the user list
    If strusername <> "" Then

        ' Bind to the account through the WinNT provider.  A name that does
        ' not resolve to a user is skipped instead of aborting the whole run.
        Set objuser = Nothing
        On Error Resume Next
        Set objuser = GetObject("WinNT://" & strdomain & "/" & strusername & ",user")
        On Error GoTo 0

        If Not objuser Is Nothing Then
            If objuser.IsAccountLocked = True Then
                ' Log the locked account, then unlock it
                myfile2.WriteLine strusername
                objuser.IsAccountLocked = False
                objuser.SetInfo
                lock = lock + 1
                ' wscript.echo strusername & " unlocked"
            Else
                ' wscript.echo strusername & " not locked"
            End If
        End If

    End If

' ends the while statement - while end.  In VBS while end will fail, in
' dotnet it works.
Wend

wscript.echo lock & " accounts unlocked - see c:\lockedaccounts.txt for a list of usernames"

myreadfyle.Close
myfile2.Close

You will need to pre-create the ntuserlist.txt file with a full list of
your users, and a blank file called lockedaccounts.txt on the root of drive
C for logging the locked accounts.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
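
The audit-log pattern described in the message above (failures for a handful of accounts at a set time, all from one IP address), as an added example that is not part of the original post. It assumes the failure audits have been exported to CSV; the column names and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: failure-audit rows exported from the DC's security log.
# The column names are assumptions for this example, not a real export format.
SAMPLE = """\
time,account,source_ip
2004-10-30 02:00:01,asmith,10.1.4.77
2004-10-30 02:00:02,bjones,10.1.4.77
2004-10-30 02:00:02,clee,10.1.4.77
2004-10-30 02:00:03,asmith,10.1.4.77
2004-10-30 02:00:04,dkim,10.1.4.77
2004-10-30 08:14:10,asmith,10.1.2.15
2004-10-30 08:14:31,asmith,10.1.2.15
2004-10-30 09:02:00,bjones,10.1.3.20
2004-10-30 13:40:00,clee,10.1.3.20
2004-10-30 16:05:00,dkim,10.1.3.20
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def suspicious_sources(rows, window=timedelta(minutes=5), min_accounts=3):
    """Return {source_ip: [accounts]} for sources whose failures hit at least
    min_accounts distinct accounts inside any single time window."""
    by_source = defaultdict(list)
    for row in rows:
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        by_source[row["source_ip"]].append((ts, row["account"].lower()))
    flagged = {}
    for source, events in by_source.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            flagged[source] = sorted(best)
    return flagged

if __name__ == "__main__":
    for source, accounts in suspicious_sources(load(SAMPLE)).items():
        print(source, "failed against", ", ".join(accounts))
```

A single user mistyping a password (10.1.2.15) and a shared machine with failures spread over the day (10.1.3.20) stay below the threshold; only the burst from one address is reported.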


Rodney Gardiner <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/02/2004 09:16 AM ZE11
Please respond to ActiveDir

To:       [EMAIL PROTECTED]
cc:       (bcc: James Day/Contractor/NPS)
Subject:  RE: [ActiveDir] locked out




Just curious as to where this lockedoutstatus.exe is kept?

Rodney

  _____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Randy White
Sent: Tuesday, 2 November 2004 7:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] locked out



This is probably caused by a virus.  Use lockedoutstatus.exe to find out
where the lockouts are originating.  Then check the event log of that
DC to find out the perpetrating computer.



  _____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, November 01, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] locked out




All gurus,

Wonder if any of you have experienced this before.

Suddenly over the weekend, all domain accounts (I mean all) are locked
out except the domain admin accounts. What could have caused this problem?
The only clue that I had is this is the week to change the summer
time back but we had this done every year, had never had this issue
before. Could this be a worm or some sort of virus? Looking into our
security log it did not show me anything out of norm (failed security,
locked out has been turned on).

Any suggestions will be appreciated.


Regards,


Sandy

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

