All AD User Accounts Locked

Archived from groups: microsoft.public.win2000.active_directory

Hi Guys

I have a problem with all my domain user accounts locking out at the same
time. It happens fairly randomly and we cannot identify any particular event
that causes this. We have a 2000 domain in mixed mode with 95/98/2000/xp
clients. Has anyone come across this before, or knows of a reason why this
is happening?

Also, does anyone have a script for unlocking all user accounts?

Thanks in advance for any help.
  1.

    May not be your solution but probably you can for viruses.

    For unlocking account, you can take a reference here.

    http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/status/usstvb07.mspx

    BR,
    Denis

    "Patrick Ruane" wrote:

    > Hi Guys
    >
    > I have a problem with all my domain user accounts locking out at the same
    > time. It happens fairly randomly and we cannot identify any particular event
    > that causes this. We have a 2000 domain in mixed mode with 95/98/2000/xp
    > clients. Has anyone come across this before, or knows of a reason why this
    > is happening?
    >
    > Also, does anyone have a script for unlocking all user accounts?
    >
    > Thanks in advance for any help.
  2.

    This white paper describes how these settings affect account lockout and
    makes some general recommendations for configuring and troubleshooting
    account lockout issues.
    http://www.microsoft.com/downloads/details.aspx?FamilyID=8c8e0d90-a13b-4977-a4fc-3e2b67e3748e&DisplayLang=en

    Regards,
    /Jimmy
    --
    Jimmy Andersson, Q Advice AB
    Microsoft MVP - Directory Services
    ---------- www.qadvice.com ----------


    "Patrick Ruane" <Patrick Ruane@discussions.microsoft.com> wrote in message
    news:336F9C48-EEA3-429B-AE10-78976351D5F0@microsoft.com...
    > Hi Guys
    >
    > I have a problem with all my domain user accounts locking out at the same
    > time. It happens fairly randomly and we cannot identify any particular
    > event
    > that causes this. We have a 2000 domain in mixed mode with 95/98/2000/xp
    > clients. Has anyone come across this before, or knows of a reason why
    > this
    > is happening?
    >
    > Also, does anyone have a script for unlocking all user accounts?
    >
    > Thanks in advance for any help.
  3.

    I have seen this a few times and it has always been a virus. Make sure you
    have auditing on and then enable accounts. Then watch to see the failed
    attempts on passwords... as they fail, the accounts will lock -- if it's the
    virus problem.

    I can't remember the virus specifically, but UPDATE and do a full virus
    sweep of your environment. If you can't do that -- spend the money and
    deploy a full AV solution, otherwise cash in your chips and go home.

    If it's just an odd matter with your accounts locking, you can find samples
    of ADSI scripts that will loop through accounts and change an attribute. I
    would bet dollars to doughnuts, though, that it's a virus.

    --
    Ryan Hanisco
    MCSE, MCDBA
    Flagship Integration Services


    "Patrick Ruane" <Patrick Ruane@discussions.microsoft.com> wrote in message
    news:336F9C48-EEA3-429B-AE10-78976351D5F0@microsoft.com...
    > Hi Guys
    >
    > I have a problem with all my domain user accounts locking out at the same
    > time. It happens fairly randomly and we cannot identify any particular
    > event
    > that causes this. We have a 2000 domain in mixed mode with 95/98/2000/xp
    > clients. Has anyone come across this before, or knows of a reason why
    > this
    > is happening?
    >
    > Also, does anyone have a script for unlocking all user accounts?
    >
    > Thanks in advance for any help.
  4.

    Thanks Ryan, I thought it was virus related, so I updated my antivirus after
    the first time. Unfortunately I have a site in a different country that I
    have less control over and it looks like that's where the virus is coming
    from :(

    I'll get the local IT guy to have a look for me. Do you know of anywhere I
    can get a script to unlock all my accounts when it happens? I've been
    looking in the Microsoft scripting archive but sadly it doesn't have anything
    I can use.

    Patrick.

    "Ryan Hanisco" wrote:

    > I have seen this a few times and it has always been a virus. Make sure you
    > have auditing on and then enable accounts. Then watch to see the failed
    > attempts on passwords... as they fail, the accounts will lock -- if it's the
    > virus problem.
    >
    > I can't remember the virus specifically, but UPDATE and do a full virus
    > sweep of your environment. If you can't do that -- spend the money and
    > deploy a full AV solution, otherwise cash in your chips and go home.
    >
    > If it's just an odd matter with your accounts locking, you can find samples
    > of ADSI scripts that will loop through accounts and change an attribute. I
    > would bet dollars to doughnuts, though, that it's a virus.
    >
    > --
    > Ryan Hanisco
    > MCSE, MCDBA
    > Flagship Integration Services
    >
    >
    > "Patrick Ruane" <Patrick Ruane@discussions.microsoft.com> wrote in message
    > news:336F9C48-EEA3-429B-AE10-78976351D5F0@microsoft.com...
    > > Hi Guys
    > >
    > > I have a problem with all my domain user accounts locking out at the same
    > > time. It happens fairly randomly and we cannot identify any particular
    > > event
    > > that causes this. We have a 2000 domain in mixed mode with 95/98/2000/xp
    > > clients. Has anyone come across this before, or knows of a reason why
    > > this
    > > is happening?
    > >
    > > Also, does anyone have a script for unlocking all user accounts?
    > >
    > > Thanks in advance for any help.
    >
    >
    >
  5.

    I just suffered the same exact scenario, twice, from our HQ in another
    country. The way to identify the problem quickly, is 1) review security
    logs on domain controllers (security logs will indicate the workstation name
    that is locking the account out). You will see many entries for your
    accounts, but likely on one workstation. 2) As in our case, DNS/WINS/DHCP
    did not have a listing for the workstation name. The accounts could only be
    locked out via our Domain controllers, so I ran the netstat command on each
    Domain Controller to see which one had a session with the suspected
    workstation. 3) Once I identified which domain controller was locking the
    accounts out, I ran NBTSTAT -c to review the remote name cache. There I
    found the name & IP address pair. 4) Now that I had an IP address, I routed
    all traffic from the offending host to NULL0 on our router or switch.

    Rob


    "Patrick Ruane" <Patrick Ruane@discussions.microsoft.com> wrote in message
    news:336F9C48-EEA3-429B-AE10-78976351D5F0@microsoft.com...
    > Hi Guys
    >
    > I have a problem with all my domain user accounts locking out at the same
    > time. It happens fairly randomly and we cannot identify any particular
    > event
    > that causes this. We have a 2000 domain in mixed mode with 95/98/2000/xp
    > clients. Has anyone come across this before, or knows of a reason why
    > this
    > is happening?
    >
    > Also, does anyone have a script for unlocking all user accounts?
    >
    > Thanks in advance for any help.
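The log review in step 1 of Rob's reply, sketched as an added example; it is not part of the original thread and is not any poster's script. It assumes the domain controllers' Security logs have been exported to comma-separated lines in the constructed layout shown (time, domain controller, event ID, account, workstation), uses the Windows 2000 event IDs 529 (failed logon) and 644 (account locked out), and the host names, account names and thresholds are made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000-era Security log event IDs.
FAILED_LOGON = 529    # logon failure: unknown user name or bad password
ACCOUNT_LOCKED = 644  # user account locked out

# Constructed sample export: time, domain controller, event ID, account, workstation.
SAMPLE = """\
2004-06-01 09:14:02,DC01,529,asmith,WKS-0417
2004-06-01 09:14:02,DC01,529,bjones,WKS-0417
2004-06-01 09:14:03,DC01,529,cwu,WKS-0417
2004-06-01 09:14:04,DC01,644,asmith,WKS-0417
2004-06-01 09:14:05,DC01,529,dlee,WKS-0417
2004-06-01 09:14:06,DC01,644,bjones,WKS-0417
2004-06-01 09:20:41,DC02,529,jdoe,WKS-0102
2004-06-01 09:21:10,DC02,529,jdoe,WKS-0102
"""

def lockout_sources(text, window=timedelta(minutes=5), min_accounts=3):
    """Workstations whose failures hit >= min_accounts distinct accounts
    inside one time window, busiest first."""
    by_ws = defaultdict(list)
    for line in text.strip().splitlines():
        ts, dc, event_id, account, ws = (f.strip() for f in line.split(","))
        if int(event_id) in (FAILED_LOGON, ACCOUNT_LOCKED):
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_ws[ws.upper()].append((when, dc, int(event_id), account.lower()))
    findings = []
    for ws, events in by_ws.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {e[3] for e in events[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            findings.append({
                "workstation": ws,
                "accounts": sorted(best),
                "locked": sorted({e[3] for e in events if e[2] == ACCOUNT_LOCKED}),
                # Which DCs saw it: where to run netstat / NBTSTAT -c next.
                "domain_controllers": sorted({e[1] for e in events}),
            })
    return sorted(findings, key=lambda f: len(f["accounts"]), reverse=True)
```

A single user mistyping a password (WKS-0102 in the sample) stays below the distinct-account threshold, while one workstation failing against many accounts in the same window is reported together with the domain controllers that logged it.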
  6.

    Thanks Rob. We identified the problem as being caused by the Gaobot virus
    (updates didn't pick it up unfortunately). I've written a couple of scripts,
    one to unlock all domain accounts if it happens again (not the most secure
    thing in the world, but only temporary) and another one that runs at system
    startup that deletes the virus, registry keys and modifies the hosts file,
    oh, and emails me what it has done :) (as you can tell, I'm proud of that
    one). If anyone wants any sample scripts, let me know.

    "Rob" wrote:

    > I just suffered the same exact scenario, twice, from our HQ in another
    > country. The way to identify the problem quickly, is 1) review security
    > logs on domain controllers (security logs will indicate the workstation name
    > that is locking the account out). You will see many entries for your
    > accounts, but likely on one workstation. 2) As in our case, DNS/WINS/DHCP
    > did not have a listing for the workstation name. The accounts could only be
    > locked out via our Domain controllers, so I ran the netstat command on each
    > Domain Controller to see which one had a session with the suspected
    > workstation. 3) Once I identified which domain controller was locking the
    > accounts out, I ran NBTSTAT -c to review the remote name cache. There I
    > found the name & IP address pair. 4) Now that I had an IP address, I routed
    > all traffic from the offending host to NULL0 on our router or switch.
    >
    > Rob
    >
    >
    > "Patrick Ruane" <Patrick Ruane@discussions.microsoft.com> wrote in message
    > news:336F9C48-EEA3-429B-AE10-78976351D5F0@microsoft.com...
    > > Hi Guys
    > >
    > > I have a problem with all my domain user accounts locking out at the same
    > > time. It happens fairly randomly and we cannot identify any particular
    > > event
    > > that causes this. We have a 2000 domain in mixed mode with 95/98/2000/xp
    > > clients. Has anyone come across this before, or knows of a reason why
    > > this
    > > is happening?
    > >
    > > Also, does anyone have a script for unlocking all user accounts?
    > >
    > > Thanks in advance for any help.
    >
    >
    >
  7. Quote:

    May not be your solution but probably you can for viruses.

    For unlocking account, you can take a reference here.

    http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/status/usstvb07.mspx

    BR,
    Denis

    "Patrick Ruane" wrote:

    > Hi Guys
    >
    > I have a problem with all my domain user accounts locking out at the same
    > time. It happens fairly randomly and we cannot identify any particular event
    > that causes this. We have a 2000 domain in mixed mode with 95/98/2000/xp
    > clients. Has anyone come across this before, or knows of a reason why this
    > is happening?
    >
    > Also, does anyone have a script for unlocking all user accounts?
    >
    > Thanks in advance for any help.


    Hi there,

    I am looking for Patrick Ruane ex Castrol, Pangbourne UK. He knew Barry Purdon very well. If anyone out there knows him please email us!

    Kind regards
    Barry Purdon
    barry8@telkomsa.net