RE: [ActiveDir] locked out
James,
Thanks for that. I do not have this problem though - I was taking onto the
end of a previous post to find out where to get the tool that was spoken of.
Thanks for the script too. Also note that on www.joeware.net web site there
is a tool been created to help with bulk unlock etc.
Rodney
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, 2 November 2004 11:39 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] locked out
Hi Rodney
Lockoutstatus.exe is part of the 2003 resource kit (and I would assume the
2000 resource kit as well) although it can be downloaded separately from
Microsoft. I did a search on google for lockoutstatus.exe to get it.
We saw pretty much the same thing about 3 months ago and it turned out to be
a new flavor of a popular internet worm that Symantec was unable to detect.
There have since been several other variations. In our case we audit for
logon failures, lockoutstatus gave us the DC to check, the audit log showed
several failures for a handful of accounts at a set time all coming from one
ip address and that ip had wintaskx and payload both running - the viral
infections.
Good luck tracking down the culprit. If you do get it and you need a bulk
unlock script:
' Open the file system object - allows connections into the file system
Set fso = CreateObject("Scripting.FileSystemObject")
set fso2 = CreateObject("Scripting.FileSystemObject")
' Opens a file for reading
lock = 0
set myreadfyle = fso.opentextfile("c:\ntuserlist.txt")
' Sets up a loop. This will read every line in the text file and perform
operations until the last line of the text file set myfile2 =
fso2.opentextfile("c:\lockedaccounts.txt",2)
While Not myreadfyle.AtEndOfStream
' Read the line, splitting it at the commas for reading. The split command
looks for the value in brackets (,) and ' splits the line there. It will
become an array now. the value
dnarray(0) will be column one from the csv.
' dnarray(1) is then column two.
strusername = myreadfyle.readline
strdomain = "hq"
' dnarray = split(fyleline,",",-1,1)
' This line echos the values to a message box on the screen. Again, values
in the "s are absolute, values ' outside the "s are variables, and the & is
used to append the different value sets together into one line.
' wscript.echo "The first value is " & dnarray(0) & " The second value
is " & dnarray(1)
' ends the while statement - while end. In VBS while end will fail, in
dotnet it works.
set objuser=getobject("WinNT://"& strdomain & "/" & strUsername)
if objuser.IsAccountLocked= True then
myfile2.writeline "" & strusername
objuser.isaccountlocked=false
objuser.setinfo
lock = lock + 1
' wscript.echo strusername & " unlocked"
else
' wscript.echo strusername & " not locked"
end if
WEND
wscript.echo lock & " accounts unlocked - see c:\lockedaccounts.txt for a
list of usernames"
myreadfyle.close
You will need to pre-create the ntuserlist.txt file with a full list of your
users, and a blank file called lockedaccounts.txt on the root of drive C for
logging the locked accounts.
Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
Rodney Gardiner
<[EMAIL PROTECTED]To:
[EMAIL PROTECTED]
m.au> cc: (bcc: James
Day/Contractor/NPS)
Sent by: Subject: RE:
[ActiveDir] locked out
[EMAIL PROTECTED]
tivedir.org
11/02/2004 09:16 AM
ZE11
Please respond to
ActiveDir
Just curious as to where this lockedoutstatus.exe is kept?
Rodney
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Randy White
Sent: Tuesday, 2 November 2004 7:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] locked out
This is probably caused by a virus. Use lockedoutstatus.exe to find out
what where the lock outs are originating. Then check the event log of that
DC to find out the perpetrating computer.
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, November 01, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] locked out
All gurus,
Wonder if any of you have experienced this before.
Suddently over the weekend,
RE: [ActiveDir] locked out
Windows 2003 Resource Kit -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Monday, November 01, 2004 4:17 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] locked out Just curious as to where this lockedoutstatus.exe is kept? Rodney _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy White Sent: Tuesday, 2 November 2004 7:31 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] locked out This is probably caused by a virus. Use lockedoutstatus.exe to find out what where the lock outs are originating. Then check the event log of that DC to find out the perpetrating computer. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, November 01, 2004 2:29 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] locked out All gurus, Wonder if any of you have experienced this before. Suddently over the weekend, all domain accounts ( i mean all ) are locked out except the domain admin accounts. What could have caused this problem ? The only clue that I had is this is the week to change the summer time back but we had this done every year, had never had this issue before. Could this be a worm of some sort of virus. Looking into our security log it did not show me nything out of norm ( faild security , locked out has been turned on) Any suggestions will be appreciated. Regards, Sandy List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] locked out
Hi Rodney
Lockoutstatus.exe is part of the 2003 resource kit (and I would assume the
2000 resource kit as well) although it can be downloaded separately from
Microsoft. I did a search on google for lockoutstatus.exe to get it.
We saw pretty much the same thing about 3 months ago and it turned out to
be a new flavor of a popular internet worm that Symantec was unable to
detect. There have since been several other variations. In our case we
audit for logon failures, lockoutstatus gave us the DC to check, the audit
log showed several failures for a handful of accounts at a set time all
coming from one ip address and that ip had wintaskx and payload both
running - the viral infections.
Good luck tracking down the culprit. If you do get it and you need a bulk
unlock script:
' Open the file system object - allows connections into the file system
Set fso = CreateObject("Scripting.FileSystemObject")
set fso2 = CreateObject("Scripting.FileSystemObject")
' Opens a file for reading
lock = 0
set myreadfyle = fso.opentextfile("c:\ntuserlist.txt")
' Sets up a loop. This will read every line in the text file and perform
operations until the last line of the text file
set myfile2 = fso2.opentextfile("c:\lockedaccounts.txt",2)
While Not myreadfyle.AtEndOfStream
' Read the line, splitting it at the commas for reading. The split command
looks for the value in brackets (,) and
' splits the line there. It will become an array now. the value
dnarray(0) will be column one from the csv.
' dnarray(1) is then column two.
strusername = myreadfyle.readline
strdomain = "hq"
' dnarray = split(fyleline,",",-1,1)
' This line echos the values to a message box on the screen. Again, values
in the "s are absolute, values
' outside the "s are variables, and the & is used to append the different
value sets together into one line.
' wscript.echo "The first value is " & dnarray(0) & " The second
value is " & dnarray(1)
' ends the while statement - while end. In VBS while end will fail, in
dotnet it works.
set objuser=getobject("WinNT://"& strdomain & "/" & strUsername)
if objuser.IsAccountLocked= True then
myfile2.writeline "" & strusername
objuser.isaccountlocked=false
objuser.setinfo
lock = lock + 1
' wscript.echo strusername & " unlocked"
else
' wscript.echo strusername & " not locked"
end if
WEND
wscript.echo lock & " accounts unlocked - see c:\lockedaccounts.txt for a
list of usernames"
myreadfyle.close
You will need to pre-create the ntuserlist.txt file with a full list of
your users, and a blank file called lockedaccounts.txt on the root of drive
C for logging the locked accounts.
Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
Rodney Gardiner
<[EMAIL PROTECTED]To: [EMAIL PROTECTED]
m.au> cc: (bcc: James
Day/Contractor/NPS)
Sent by: Subject: RE: [ActiveDir] locked
out
[EMAIL PROTECTED]
tivedir.org
11/02/2004 09:16 AM
ZE11
Please respond to
ActiveDir
RE: [ActiveDir] locked out
Rodney, this is a free download from ms under account management tools. Search under MS, you will find it. +-+ Regards, Sandy Wu LADOTD IT. Tech. Support Office: (225) 379-1625 Hrs:6:30AM-3:00PM Central Time Email:[EMAIL PROTECTED] +-+ Rodney Gardiner To Sent by: [EMAIL PROTECTED] [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] locked out 11/01/2004 04:16 PM Please respond to [EMAIL PROTECTED] tivedir.org Just curious as to where this lockedoutstatus.exe is kept? Rodney _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy White Sent: Tuesday, 2 November 2004 7:31 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] locked out This is probably caused by a virus. Use lockedoutstatus.exe to find out what where the lock outs are originating. Then check the event log of that DC to find out the perpetrating computer. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, November 01, 2004 2:29 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] locked out All gurus, Wonder if any of you have experienced this before. Suddently over the weekend, all domain accounts ( i mean all ) are locked out except the domain admin accounts. What could have caused this problem ? The only clue that I had is this is the week to change the summer time back but we had this done every year, had never had this issue before. Could this be a worm of some sort of virus. Looking into our security log it did not show me nything out of norm ( faild security , locked out has been turned on) Any suggestions will be appreciated. Regards, Sandy List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] locked out
Just curious as to where this lockedoutstatus.exe is kept? Rodney _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy White Sent: Tuesday, 2 November 2004 7:31 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] locked out This is probably caused by a virus. Use lockedoutstatus.exe to find out what where the lock outs are originating. Then check the event log of that DC to find out the perpetrating computer. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, November 01, 2004 2:29 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] locked out All gurus, Wonder if any of you have experienced this before. Suddently over the weekend, all domain accounts ( i mean all ) are locked out except the domain admin accounts. What could have caused this problem ? The only clue that I had is this is the week to change the summer time back but we had this done every year, had never had this issue before. Could this be a worm of some sort of virus. Looking into our security log it did not show me nything out of norm ( faild security , locked out has been turned on) Any suggestions will be appreciated. Regards, Sandy List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] locked out
Was it a virus?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]Sent: Monday, November 01, 2004 3:52
PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir]
locked out
Randy, Thanks for your tip,I was able to find out the
culprit. +-+Regards,
Sandy+-+
"Randy White"
<[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED]
11/01/2004 02:30 PM
Please respond
to[EMAIL PROTECTED]
To
<[EMAIL PROTECTED]>
cc
Subject
RE: [ActiveDir] locked
out
This is probably caused by a virus. Use lockedoutstatus.exe to find
out what where the lock outs are originating. Then check the event log of
that DC to find out the perpetrating computer.
From:[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED] Sent: Monday,
November 01, 2004 2:29 PM To:
[EMAIL PROTECTED] Subject: [ActiveDir]
locked out All gurus, Wonder if any of you
have experienced this before. Suddently
over the weekend, all domain accounts ( i mean all ) are locked
out except the domain admin accounts. What could have
caused this problem ? The only clue
that I had is this is the week to change the summer time back but we had this done every year, had never had this
issue before. Could this be a worm of some sort
of virus. Looking into our security log it did
not show me nything out of norm ( faild security , locked out has been turned on) Any suggestions will be appreciated. Regards, Sandy
~~This e-mail is confidential, may contain proprietary informationof the Cooper Cameron Corporation and its operating Divisionsand may be confidential or privileged.This e-mail should be read, copied, disseminated and/or used onlyby the addressee. If you have received this message in error pleasedelete it, together with any attachments, from your system.~~
RE: [ActiveDir] locked out
Randy, Thanks for your tip,I was able to find out the culprit. +-+ Regards, Sandy +-+ "Randy White" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 11/01/2004 02:30 PM Please respond to [EMAIL PROTECTED] To <[EMAIL PROTECTED]> cc Subject RE: [ActiveDir] locked out This is probably caused by a virus. Use lockedoutstatus.exe to find out what where the lock outs are originating. Then check the event log of that DC to find out the perpetrating computer. From:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, November 01, 2004 2:29 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] locked out All gurus, Wonder if any of you have experienced this before. Suddently over the weekend, all domain accounts ( i mean all ) are locked out except the domain admin accounts. What could have caused this problem ? The only clue that I had is this is the week to change the summer time back but we had this done every year, had never had this issue before. Could this be a worm of some sort of virus. Looking into our security log it did not show me nything out of norm ( faild security , locked out has been turned on) Any suggestions will be appreciated. Regards, Sandy
RE: [ActiveDir] locked out
This is probably caused by a virus. Use lockedoutstatus.exe to find out what where the lock outs are originating. Then check the event log of that DC to find out the perpetrating computer. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, November 01, 2004 2:29 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] locked out All gurus, Wonder if any of you have experienced this before. Suddently over the weekend, all domain accounts ( i mean all ) are locked out except the domain admin accounts. What could have caused this problem ? The only clue that I had is this is the week to change the summer time back but we had this done every year, had never had this issue before. Could this be a worm of some sort of virus. Looking into our security log it did not show me nything out of norm ( faild security , locked out has been turned on) Any suggestions will be appreciated. Regards, Sandy
