Re: [ActiveDir] All Accounts Locked Out -- Including Domain Admin

2006-07-07 Thread Ravi Dogra

Hi,

No - not exactly but something else misfired.

U Know better.

Thanks
Ravi
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] All Accounts Locked Out -- Including Domain Admin

2006-07-06 Thread Nitin Tandon
Hi Ravi,
How r u man... so u doing night shift nowadays...? Howz Avneet in helpdesk na... right?


To avoid this type of problem again in future... some guidelines are given below... may be helpful to you..


Once the account lockout occurs, there are several tasks that should be completed to help identify the cause of the issue:

1. Obtain both the Security and System event logs from all of the computers that are locked out if those computers were logged on when the lockout occurred. Also, obtain these log files from the PDC emulator operations master and all domain controllers that may be involved in the account lockout.

2. Look for Event 675 (Preauthentication Failures) in the Security event log for the domain controllers for the locked-out user account. This event displays the IP address of the client computer from which the incorrect credentials were sent. When you view these events in the Security event log from the PDC, an IP address with Event 675 may be the IP address of another domain controller because of password chaining from other domain controllers. If this is true, obtain the Security event log from that domain controller to see the Event 675. The IP address that is listed in that Event 675 should be the IP address for the client computer that sent the invalid credential.

3. After you know which client computer is sending the invalid credentials, determine the services, programs, and mapped network drives on that computer. If this information does not reveal the source of the account lockout, perform network traces from that client computer to isolate the exact source of the lockout.



Protecting from External Account Lockout Denial of Service Attacks

· Protecting authentication and NetBIOS ports from Internet attack: On either the firewall or the router that connects your internal network to the Internet, block access to TCP and UDP ports 135 through 139 and port 445. If no edge filtering device is available, you can use IPSec filters to block these ports. To do this, use the configuration that is described in "How to Block Specific Network Protocols and Ports by Using IPSec" on the Microsoft Knowledge Base: http://support.microsoft.com/?id=813878.

· Protect your environment with firewalls.

· Prevent anonymous access: Set the RestrictAnonymous value to 2.

Some useful tools from Microsoft...

Microsoft has added the following administrative enhancements to provide more account lockout information than the information that is available in the default configuration of the Windows Server 2003 family:

· AcctInfo.dll: The AcctInfo.dll file is a property page extension for user objects in the Active Directory Users and Computers MMC that provides detailed information about user password attributes. An administrator can use the AcctInfo.dll file to reset user account passwords on a domain controller that is in the user's Active Directory site.

· LockoutStatus.exe: The LockoutStatus.exe tool displays bad password count and time information from all of the domain controllers that are in a domain. You can run this tool as either a stand-alone tool or as an extension to the AcctInfo.dll file when you place it in the Systemroot\System32 folder on your computer.

· EventCombMT.exe: Gathers specific events from event logs from several different computers into one central location. You can configure EventCombMT.exe to search for events and computers. Some specific search categories are built into the tool, such as account lockouts. Note that the account lockouts category is preconfigured to include events 529, 644, 675, 676, and 681.

And also go for analyzing Netlogon log files...
If you determine that the log files show that most or all of the user accounts are locked out in your domain, you must perform a trace to determine whether the source of the attack is internal or external to your network. 
In most account lockout situations, you must use Netlogon log files to determine which computers are sending bad credentials. When you analyze Netlogon log files, look for the 0xC06A event code, because this event will help you determine where the bad password attempts began to occur. When you see the 0xC06A event code and it is followed by a 0xC234 event code, the event codes that come after these event codes help you determine what caused the account lockout. If you see patterns in the log files, the patterns can help you determine if the event code was logged because of either a program attack or user error.

Check for Logon Events

These things would be helpful to u

Bye,,,
Nitin 


Do analyze Netlogon log files...

On 7/6/06, Leroy Clark [EMAIL PROTECTED] wrote:


You might find this blog post useful
http://blogs.technet.com/guarddog/archive/2006/06/05/432761.aspx
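An added example, not from the thread or from any Microsoft tool, covering both the Event 675 caveat above (a "source" that is itself a DC means password chaining, so that DC's own log is the next stop) and the Netlogon analysis: it parses netlogon.log "Returns" lines, tallies 0xC000006A (the thread's 0xC06A) per account and source, and for each account that then hit 0xC0000234 (0xC234) reports the sources busiest first, flagging any that is a DC. The sample lines and the exact field layout are constructed assumptions modelled on netlogon.log.

```python
import re
from collections import Counter, defaultdict

# Full NTSTATUS values; the thread abbreviates them as 0xC06A and 0xC234.
WRONG_PASSWORD = "0xC000006A"   # STATUS_WRONG_PASSWORD
ACCOUNT_LOCKED = "0xC0000234"   # STATUS_ACCOUNT_LOCKED_OUT

# Layout of a SamLogon "Returns" line (an assumption modelled on netlogon.log;
# adjust the pattern if your DC writes the fields differently).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \S+: SamLogon: "
    r"(?:Transitive )?Network logon of (?P<account>\S+) from (?P<source>\S+) "
    r"\(via (?P<via>\S+)\) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# Constructed sample log: one user fails from a workstation, one attempt is
# chained through a second DC, another user logs on fine, then the lockout.
SAMPLE_LOG = """\
07/06 10:30:01 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\rdogra from WS042 (via DC01) Returns 0xC000006A
07/06 10:30:03 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\rdogra from WS042 (via DC01) Returns 0xC000006A
07/06 10:30:04 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\rdogra from WS042 (via DC02) Returns 0xC000006A
07/06 10:30:05 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\\rdogra from DC02 (via DC01) Returns 0xC000006A
07/06 10:30:06 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\ntandon from WS017 (via DC01) Returns 0x0
07/06 10:30:07 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\rdogra from WS042 (via DC01) Returns 0xC0000234
""".splitlines()


def parse_netlogon(lines):
    """Yield (ts, account, source, via, status) for every Returns line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts", "account", "source", "via", "status")


def lockout_sources(lines):
    """For each account that reached ACCOUNT_LOCKED, list the sources that
    sent WRONG_PASSWORD as (source, count, source_is_a_dc), busiest first.
    A DC as 'source' means the attempt was chained from that DC: read its
    own netlogon.log next to find the real client, as the thread advises."""
    bad = defaultdict(Counter)
    dcs, locked = set(), set()
    for _ts, account, source, via, status in parse_netlogon(lines):
        dcs.add(via)
        if status == WRONG_PASSWORD:
            bad[account][source] += 1
        elif status == ACCOUNT_LOCKED:
            locked.add(account)
    return {acct: [(src, n, src in dcs) for src, n in bad[acct].most_common()]
            for acct in locked}

if __name__ == "__main__":
    for acct, sources in lockout_sources(SAMPLE_LOG).items():
        print(acct, sources)
```

Run it against a real netlogon.log by replacing SAMPLE_LOG with the file's lines; a DC flagged True in the output is where to pull the next log from.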


Re: [ActiveDir] All Accounts Locked Out -- Including Domain Admin

2006-07-06 Thread Jaspreet Singh
Hi Ravi,
If u remember we used to face this problem quite frequently while we were having operations in TS (almost once in 2 months) but touch wood this problem automatically got resolved when we demoted the ADC of TS.


Also u can always login with ( P--) ID to DC as it can never get locked.

By any chance have we (Your Organization) added any ADC at TS site again? ( Just curious as when i left there were talks of TS again coming up) and if that is so then i think i know what might be the issue.

Also do check for the events reported by Nitin (Really Good Articles and Links) although as far as i remember (it was long time back) you won't find much in event log. (Maybe some changes made by u know who during Day) or maybe one of the scripts misfired.


Also as this being your internal network and not connected to Internet there is virtually no chance that this was an attack from outside. Check for internal attacks i.e. maybe some changes made by u know who during Day or maybe one of the scripts misfired.


I know my mail is not much of help to you but still i thought i should share my views with you on this so that you don't waste your time on certain things which actually are not possible in your scenario.

Regards,
Jaspreet Singh Jolly

Re: [ActiveDir] All Accounts Locked Out -- Including Domain Admin

2006-07-06 Thread Ravi Dogra

Hi Nitin / Jolly,

I have reviewed event logs then and there when the problem arose. I found
very vital information and the problem was resolved before i left for the
day this morning.

Nice to hear from both of you. This is a precious mail for me now.

Jolly, You are always very helpful and this time there are no scripts
misfiring :-) you know i run scripts when you were in shift. LOL :-)

Nitin keep writing me. Everyone here is doing gr8.

Thanks List for the best support.

Thanks and Regards
Ravi


Re: [ActiveDir] All Accounts Locked Out -- Including Domain Admin

2006-07-06 Thread Jaspreet Singh
But it was a GP misfiring.
Isn't it?
Regards,
Jaspreet Singh Jolly


[ActiveDir] All Accounts Locked Out -- Including Domain Admin

2006-07-05 Thread Ravi Dogra

Hi,

I have a critical situation here. Suddenly all domain accounts locked
out including domain admins account.

What should i do? Is there any information which could be helpful.

Thanks
--
Ravi


Re: [ActiveDir] All Accounts Locked Out -- Including Domain Admin

2006-07-05 Thread Laura E. Hunter

The built-in administrator account should still be accessible (if
you've renamed it, log on using the renamed friendly name) - you can
log on using that to troubleshoot the issue.

To quickly unlock your accounts, go download joe's unlock utility from
www.joeware.net.





--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)


Re: [ActiveDir] All Accounts Locked Out -- Including Domain Admin

2006-07-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Define locked out... as there's a way to lock out a domain admin from 
logging on the console but not remotely over a RDP session if you get 
your group memberships horked up.


Normally domain admin accounts can't be locked as you don't want to DOS 
your own server... are you getting a massive log on attack where someone 
is dictionary attacking you?




--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] All Accounts Locked Out -- Including Domain Admin

2006-07-05 Thread Blair, James

Is there any domain controller logged in that you are able to access the
Active Directory Users & Computers MMC? If yes check the Accounts tab of
a Domain Admin account.

James Blair 




Re: [ActiveDir] All Accounts Locked Out -- Including Domain Admin

2006-07-05 Thread Ravi Dogra

Hi,

Somehow i was able to login using Enterprise admin account. But
situation is still same.

I have a few queries

Is it possible that i am under attack?
I have only those users locked out who were logged in.

Thanks


Re: [ActiveDir] All Accounts Locked Out -- Including Domain Admin

2006-07-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Review the security audit log.  What's it say there?



Re: [ActiveDir] All Accounts Locked Out -- Including Domain Admin

2006-07-05 Thread Ravi Dogra

Hi,

As of now everything is working fine.

Checking security logs. Will update on the list.

Thanks
Ravi


Re: [ActiveDir] All Accounts Locked Out -- Including Domain Admin

2006-07-05 Thread Leroy Clark

You might find this blog post useful
http://blogs.technet.com/guarddog/archive/2006/06/05/432761.aspx
