All AD User Accounts Locked

Guest
Hi Guys

I have a problem with all my domain user accounts locking out at the same
time. It happens fairly randomly and we cannot identify any particular event
that causes it. We have a 2000 domain in mixed mode with 95/98/2000/XP
clients. Has anyone come across this before, or does anyone know of a reason
why this is happening?

Also, does anyone have a script for unlocking all user accounts?

Thanks in advance for any help.
 
I have seen this a few times and it has always been a virus. Make sure you
have auditing on and then enable the accounts. Then watch to see the failed
attempts on passwords... as they fail, the accounts will lock -- if it's the
virus problem.

I can't remember the virus specifically, but UPDATE and do a full virus
sweep of your environment. If you can't do that -- spend the money and
deploy a full AV solution, otherwise cash in your chips and go home.

If it's just an odd matter with your accounts locking, you can find samples
of ADSI scripts that will loop through accounts and change an attribute. I
would bet dollars to doughnuts, though, that it's a virus.
 
Thanks, Ryan. I thought it was virus related, so I updated my antivirus after
the first time. Unfortunately I have a site in a different country that I
have less control over, and it looks like that's where the virus is coming
from :(

I'll get the local IT guy to have a look for me. Do you know of anywhere I
can get a script to unlock all my accounts when it happens? I've been
looking in the Microsoft scripting archive but sadly it doesn't have anything
I can use.

Patrick.
 
I just suffered the same exact scenario, twice, from our HQ in another
country. The way to identify the problem quickly is:

1) Review the security logs on the domain controllers (the security logs will
indicate the workstation name that is locking the accounts out). You will see
many entries for your accounts, but likely from one workstation.

2) As in our case, DNS/WINS/DHCP did not have a listing for the workstation
name. The accounts could only be locked out via our domain controllers, so I
ran the netstat command on each domain controller to see which one had a
session with the suspected workstation.

3) Once I identified which domain controller was locking the accounts out, I
ran NBTSTAT -c to review the remote name cache. There I found the name & IP
address pair.

4) Now that I had an IP address, I routed all traffic from the offending host
to Null0 on our router or switch.

Rob
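Rob's four steps, as an added PowerShell example (not code from the thread or from any of its posters). It assumes a present-day environment: the RSAT ActiveDirectory module on the admin workstation, Windows Server 2008 or later domain controllers (where a lockout is recorded as Security event 4740 on the PDC emulator; on the Windows 2000 DCs in this thread the equivalent was event 644, and that version of Windows cannot run this script), and the right to read the Security log remotely. Step 2 of Rob's method (netstat on each DC) is replaced by the DC field of the event itself, which already tells you which DC took the failed logons.

```powershell
# Added example, not from the original thread. Assumes RSAT ActiveDirectory module,
# Server 2008+ DCs logging event 4740, and remote Security-log read rights.
# Event 4740 is always written on the PDC emulator, so querying it alone covers the domain.
param(
    [string[]]$DomainController = @((Get-ADDomain).PDCEmulator),
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Step 1: collect lockout events and pull the user and the caller workstation out of the
# event XML. In 4740 the workstation that sent the bad passwords is the 'TargetDomainName'
# data field (a naming quirk of that event), so parse by field name rather than by position.
$lockouts = foreach ($dc in $DomainController) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $data['TargetUserName']
                Caller = $data['TargetDomainName']
                DC     = $dc
            }
        }
}

if (-not $lockouts) {
    Write-Warning "No 4740 events in the last $Hours h. Check that 'Audit User Account Management' is enabled on the DCs."
    return
}

# Step 2: rank caller workstations. A worm-driven lockout storm shows up as a single caller
# hitting many distinct accounts, which is what separates it from one user mistyping a password.
$byCaller = $lockouts | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object @{ n = 'Caller'; e = { $_.Name } }, Count,
                  @{ n = 'DistinctUsers'; e = { @($_.Group.User | Sort-Object -Unique).Count } }
$byCaller | Format-Table -AutoSize

# Step 3: resolve the top caller to an IP. Try DNS first; if (as in Rob's case) the name is in
# neither DNS nor WINS, fall back to the NetBIOS remote name cache (nbtstat -c) on the DC that
# logged the lockout, since that DC just talked to the host.
$top = $byCaller[0].Caller
$ip = (Resolve-DnsName -Name $top -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }).IPAddress
if (-not $ip) {
    $loggingDc = ($lockouts | Where-Object { $_.Caller -eq $top } | Select-Object -First 1).DC
    $cache = Invoke-Command -ComputerName $loggingDc -ScriptBlock { nbtstat -c }
    # Cache lines look like:   WKS01          <20>  UNIQUE      10.0.0.77       540
    $ip = foreach ($line in $cache) {
        if ($line -match '^\s*(?<name>\S+)\s+<[0-9A-Fa-f]{2}>\s+\S+\s+(?<ip>\d{1,3}(\.\d{1,3}){3})' -and
            $Matches.name -ieq $top) { $Matches.ip }
    }
}

# Step 4 is a network change, not a script: null-route or ACL $ip at the router/switch,
# then go find the box at the remote site.
"$top -> $($ip -join ', ')"
```

If the caller field is empty or reads as the DC's own name, the failing logons are arriving over a channel the DC cannot attribute to a workstation (for example a service on the DC itself, or a client authenticating through a proxy), and you have to fall back to the 4625 / 4771 failed-logon events, which carry the source IP directly.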
 
Thanks, Rob. We identified the problem as being caused by the Gaobot virus
(updates didn't pick it up, unfortunately). I've written a couple of scripts,
one to unlock all domain accounts if it happens again (not the most secure
thing in the world, but only temporary) and another one that runs at system
startup that deletes the virus, registry keys and modifies the hosts file,
oh, and emails me what it has done :) (as you can tell, I'm proud of that
one). If anyone wants any sample scripts, let me know.
 