All users disabled...

mike

Yesterday around noon, my win2000 server set all users to
disabled status. About two hours later two other offices
(same domain) reported the same occurrence. User access is
set to never expire. Any ideas how this could occur?
 
I don't know exactly what happened, but it sounds like either a malicious user
[possibly remote control] obtained administrator access or a trojan of some sort
did and then proceeded to disable user accounts, maybe by a script. Your domain
was definitely compromised somehow. If you had enabled auditing of account
management, then you may have some clue as to what happened. Make sure you
review your security logs for any possible clues. I would immediately check
membership of administrators groups and change passwords of administrators using
complex passwords. Of course you will need to scan your servers for viruses and
trojans, review your password/account lockout policy, and all other aspects of
your network security. The links below may help.

http://securityadmin.info/faq.asp#hacked --- From FAQ.
http://securityadmin.info/faq.asp#re-secure --- From FAQ.
http://securityadmin.info/faq.asp#harden --- From FAQ.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp
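
The security-log review suggested in the reply above, sketched as an added example that is not part of the original posts: it groups "user account disabled" events by the account that made the change and flags any caller that disabled many accounts in a short span. It assumes the log was exported to CSV; the column names, account names and rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# "User account disabled" event IDs: 629 on Windows 2000/2003, 4725 on later versions.
DISABLE_IDS = {"629", "4725"}

# Constructed sample export; column names and accounts are assumptions.
SAMPLE = """time,event_id,caller,target
2003-05-12 09:14:40,629,helpdesk1,tmp_contractor
2003-05-12 11:40:00,642,helpdesk1,bob
2003-05-12 11:58:01,629,svc_deploy,alice
2003-05-12 11:58:01,629,svc_deploy,bob
2003-05-12 11:58:02,629,svc_deploy,carol
2003-05-12 11:58:02,629,svc_deploy,dave
2003-05-12 11:58:03,629,svc_deploy,erin
2003-05-12 11:58:04,629,svc_deploy,frank
2003-05-12 12:03:10,628,helpdesk1,alice
"""

def find_disable_bursts(csv_text, threshold=5, window=timedelta(minutes=5)):
    """Return callers that disabled >= threshold accounts within one window."""
    by_caller = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] in DISABLE_IDS:
            when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
            by_caller[row["caller"]].append((when, row["target"]))
    bursts = {}
    for caller, events in by_caller.items():
        events.sort()
        start, best = 0, []
        for end in range(len(events)):
            # Slide the left edge forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        if len(best) >= threshold:
            bursts[caller] = {"count": len(best), "first": best[0][0],
                              "last": best[-1][0],
                              "targets": [t for _, t in best]}
    return bursts

if __name__ == "__main__":
    for caller, b in find_disable_bursts(SAMPLE).items():
        print(f"{caller}: {b['count']} accounts disabled, {b['first']} to {b['last']}")
```

The flagged caller is the account whose group membership, password and logon history to check first. If account management auditing was on and no caller crosses the threshold, the accounts were probably not disabled one by one.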
 
This happened to me at a bank one time. It really freaked everyone out.
Come to find out, someone had set all the accounts to expire on the same
date.
 