James,

Thanks for that. I do not have this problem though - I was tacking onto the end of a previous post to find out where to get the tool that was spoken of.
Thanks for the script too. Also note that on the www.joeware.net web site a tool has been created to help with bulk unlock etc.

Rodney

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 2 November 2004 11:39 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] locked out

Hi Rodney

Lockoutstatus.exe is part of the 2003 resource kit (and I would assume the 2000 resource kit as well) although it can be downloaded separately from Microsoft. I did a search on Google for lockoutstatus.exe to get it.

We saw pretty much the same thing about 3 months ago and it turned out to be a new flavor of a popular internet worm that Symantec was unable to detect. There have since been several other variations. In our case we audit for logon failures, lockoutstatus gave us the DC to check, the audit log showed several failures for a handful of accounts at a set time all coming from one IP address, and that IP had wintaskx and payload both running - the viral infections.

Good luck tracking down the culprit. If you do get it and you need a bulk unlock script:

' Open the file system object - allows connections into the file system
Set fso = CreateObject("Scripting.FileSystemObject")
set fso2 = CreateObject("Scripting.FileSystemObject")

' Opens a file for reading
lock = 0
set myreadfyle = fso.opentextfile("c:\ntuserlist.txt")

' Opens the log of locked accounts for writing (2 = ForWriting)
set myfile2 = fso2.opentextfile("c:\lockedaccounts.txt",2)

' Sets up a loop. This will read every line in the text file and perform
' operations until the last line of the text file
While Not myreadfyle.AtEndOfStream
    ' Read the line, splitting it at the commas for reading. The split command
    ' looks for the value in brackets (,) and splits the line there. It will
    ' become an array now. the value dnarray(0) will be column one from the csv.
    ' dnarray(1) is then column two.
    strusername = myreadfyle.readline
    strdomain = "hq"
    ' dnarray = split(fyleline,",",-1,1)

    ' This line echos the values to a message box on the screen. Again, values
    ' in the "s are absolute, values outside the "s are variables, and the & is
    ' used to append the different value sets together into one line.
    ' wscript.echo "The first value is " & dnarray(0) & " The second value is " & dnarray(1)

    ' ends the while statement - while end. In VBS while end will fail, in dotnet it works.
    set objuser=getobject("WinNT://"& strdomain & "/" & strUsername)
    if objuser.IsAccountLocked= True then
        myfile2.writeline "" & strusername
        objuser.isaccountlocked=false
        objuser.setinfo
        lock = lock + 1
        ' wscript.echo strusername & " unlocked"
    else
        ' wscript.echo strusername & " not locked"
    end if
WEND

wscript.echo lock & " accounts unlocked - see c:\lockedaccounts.txt for a list of usernames"
myreadfyle.close
' Close the log file as well so the list of usernames is flushed to disk
myfile2.close

You will need to pre-create the ntuserlist.txt file with a full list of your users, and a blank file called lockedaccounts.txt on the root of drive C for logging the locked accounts.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

Rodney Gardiner <[EMAIL PROTECTED]m.au>
Sent by: [EMAIL PROTECTED]tivedir.org
11/02/2004 09:16 AM ZE11
Please respond to ActiveDir

To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] locked out

Just curious as to where this lockedoutstatus.exe is kept?

Rodney

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Randy White
Sent: Tuesday, 2 November 2004 7:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] locked out

This is probably caused by a virus. Use lockedoutstatus.exe to find out where the lockouts are originating. Then check the event log of that DC to find out the perpetrating computer.
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, November 01, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] locked out

All gurus,

Wonder if any of you have experienced this before. Suddenly over the weekend, all domain accounts (I mean all) are locked out except the domain admin accounts. What could have caused this problem? The only clue that I had is this is the week to change the summer time back, but we had this done every year and had never had this issue before. Could this be a worm of some sort of virus? Looking into our security log, it did not show me anything out of norm (failed security, locked out has been turned on).

Any suggestions will be appreciated.

Regards,
Sandy

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
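
The triage James describes in the thread (take the logon-failure audit records from the DC that lockoutstatus points to, then look for one address failing against several accounts at the same time) can be expressed as a small check. This is an added example, not part of the original thread; the CSV layout, account names and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of logon-failure audit records exported from one DC:
# timestamp, target account, source address. Not data from the thread.
SAMPLE = """\
2004-11-01T02:00:01,asmith,10.0.5.23
2004-11-01T02:00:02,bjones,10.0.5.23
2004-11-01T02:00:02,cwong,10.0.5.23
2004-11-01T02:00:03,dpatel,10.0.5.23
2004-11-01T02:00:04,asmith,10.0.5.23
2004-11-01T08:14:40,bjones,10.0.7.10
2004-11-01T08:15:05,bjones,10.0.7.10
2004-11-01T09:30:00,elee,10.0.9.77
"""

def parse(text):
    """Yield (datetime, account, source) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1].lower(), parts[2]
        except ValueError:
            continue

def suspicious_sources(events, min_accounts=3, window=timedelta(minutes=5)):
    """Return {source: sorted accounts} for sources whose failures hit at
    least min_accounts distinct accounts inside one sliding time window."""
    by_source = defaultdict(list)
    for ts, account, source in events:
        by_source[source].append((ts, account))
    flagged = {}
    for source, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            accounts = {a for _, a in rows[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(source, set()).update(accounts)
    return {s: sorted(a) for s, a in flagged.items()}

if __name__ == "__main__":
    for source, accounts in suspicious_sources(parse(SAMPLE)).items():
        print(source, "->", ", ".join(accounts))
```

A single user mistyping a password (the 10.0.7.10 rows) is not flagged, because only one distinct account is involved.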