all accounts locked out !!!

[Guest]

Incredible !

All domain users accounts got locked out !! I have no idea what was the
reason to happened this situation .Thanks god I had a open console in my
computer to access the LDAP !!

The default domain group policy shows me :
Account Lockout Policy was
-Account lockout duration =
30minutes
-Account lockout threshold = 6
attemps
-Reset account lockout after =
30 minutes

Now , the policy shows Account lockout threshold = 0 invalid attemps,
while i keep researching the possible cause of this critical issue.

How did I fixed it = umm i just run the microsoft's Lockout Status tool
trying to unlock accounts and suddenly all accounts came back to " unlock
user state".

I will thanks any comments !!!

 

[Guest]

I had a majority of accounts locked out one time but not all of them. I
found for my situation that it was due to a virus that got in through an un
patched windows 2000 server. I found domain accounts locked and local
accounts locked out. It seemed for my experience that the accounts that were
locked out were ones where the user had a windows 2000 pro machine. None of
my windows XP SP2 machine users were locked out. I don't know if that helps
but it happened to me a couple months ago.

 

[Andrei Ungureanu]

always enable audit on your domain accounts so you can track this kind of
problems.


--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader beta!
http://www.altairtech.ca/eventreader/default2.asp?ref=au

 

[Guest]

George i would like to know how did you find the solution to clean or
eliminate the "virus" that you mentioned how the possible cause of the
massive locked accounts in the domain"

Thanks

 

[Guest]

what happend is our firewall guys noticed traffic coming from the PC's where
the user accounts were locked out. So, we suspected a virus. Then, we
looked in the registry and found that in the run key, it had a suspicous file
and we also noticed a strange process running. So, we manually deleted the
reg key and killed the process and restarted the machine to make sure it was
gone. Our antivirus did not pick it up. we submitted it to them though and
they wrote a definition for us that would find it. I also found that it only
infected windows 2000 machines that had weak passwords for the local admin
account. Since the, i ran a script that resets the local admin password on a
list of machines so that i could ensure that the local passwords were the
same and that they were a stronger password.