
Resetting disabled accounts

Status
Not open for further replies.

DTracy

Programmer
Feb 20, 2002
844
US
Using W2003 A/D with XP-Pro workstations.

Is there a way to reset all disabled (locked out) accounts at one time without having to visit each one individually?

Thanks,
David.
 
Are you talking about users or machines?

Either way the answer is yes.
 
Ok, here's the deal:

We are being attacked by a password hacker. Our network logon policy is set up for three tries and you're out for an hour. This hacker program hits everyone and locks them all out for an hour. Our emergency response 911 people also get locked out and I spend a lot of precious time keeping these accounts open. If I had a blanket application or instruction that I could run that would re-enable all locked out accounts it would help things out considerably. I have been searching the Microsoft KB for possible solutions; they say that trying to stop this is very hard, and the people that service our firewall ASA stuff say they have done all they can to block hackers. So, I'm down to manually doing this as best I can for now.

Regards,
David.
 
The way I would do this is with a script to search AD for all locked out accounts and then loop through those accounts until they are all unlocked.

I will see if I can "WHIP" something up tonight for you.

Oh, are these domain accounts or local server/pc accounts or both?


Hope this helps.

Thanks

John Fuhrman
Titan Global Services
 
I was able to throw this together in a couple minutes, but did not have time to test it 100%. Test it to make sure there are no syntax errors, but it should pick up your domain and read all users, and unlock all that are locked.

Code:
'*********************************************
'*                                           *
'* Author: djtech2k sportsfan@teamarsenal.net*
'*                                           *
'*********************************************

Option Explicit

Dim objRootDSE, strDNSDomain, objCommand, objConnection, strQuery
Dim objRecordSet, strDN, strSAM, strBase, strFilter, strAttributes
Dim objUser

' Bind to RootDSE to discover the naming context of the current domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Open an ADO connection through the ADSI OLE DB provider
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

' Search the whole domain for user objects, then unlock any that are locked out
strBase = "<LDAP://" & strDNSDomain & ">"
strFilter = "(&(objectCategory=person)(objectClass=user))"
strAttributes = "distinguishedName,sAMAccountName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100      ' paged results, so domains with more than 1000 users come back in full
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    strSAM = objRecordSet.Fields("sAMAccountName").Value
    ' Bind to the user object itself; IsAccountLocked is an IADsUser property
    Set objUser = GetObject("LDAP://" & strDN)
    If objUser.IsAccountLocked = True Then
        objUser.IsAccountLocked = False   ' clear the lock and write it back
        objUser.SetInfo
        WScript.Echo strSAM & " has been unlocked."
    End If
    objRecordSet.MoveNext
Loop

objRecordSet.Close
objConnection.Close

Let me know how it works.
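For comparison, here is the same bulk unlock written for the ActiveDirectory PowerShell module. This is an added example, not John's script and not anything from the original thread; it assumes the module (RSAT) is installed, that the account running it may unlock users in the domain, and that the log file path is something you pick yourself.

```powershell
# Added example (not the VBScript posted above): the same bulk unlock with the
# ActiveDirectory module. Assumes RSAT / the ActiveDirectory module is present
# and the caller has rights to unlock accounts in the domain.
Import-Module ActiveDirectory

function Unlock-AllLockedUsers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$LogPath = "$env:TEMP\unlock-log.txt"   # assumed path; change to taste
    )

    # Only user objects whose lockoutTime is still inside the lockout window
    $locked = Search-ADAccount -LockedOut -UsersOnly

    foreach ($acct in $locked) {
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Unlock account')) {
            Unlock-ADAccount -Identity $acct.DistinguishedName
            $line = '{0:yyyy-MM-dd HH:mm:ss}  unlocked {1}' -f (Get-Date), $acct.SamAccountName
            Write-Output $line
            Add-Content -Path $LogPath -Value $line
        }
    }
    Write-Verbose ("{0} account(s) processed" -f @($locked).Count)
}

# Dry run first (prints what would be unlocked), then the real thing:
Unlock-AllLockedUsers -WhatIf
Unlock-AllLockedUsers
```

Search-ADAccount -LockedOut asks the directory for the locked accounts directly, so there is no need to bind to every user object as the VBScript does. Keep the log: a list of which accounts were unlocked and when is exactly the data you need when you go looking for the source of the failed logons, and unlocking in a loop while the guessing continues only buys the attacker more attempts against those same accounts.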
 
Wouldn't it be better to find whoever is hacking your accounts instead of changing your security?

I'm not an expert on windows logging, but isn't there some kind of auditing that you can enable that at least reports the IP address of the offender?

 
I actually thought I put that in my last post..lol.

You need to look at your security log on your DC. Use the "Find" command and for description, put in a username of a user you know that's been locked. Search for them and keep doing the search until you are out of records. In the failed attempts, it should show the machine name or IP of the machine that the failed logon attempts came from. If you need more info, you can crank up your logging levels, i.e. DS log levels.
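The manual "Find" search above scales poorly when every account is being locked. The following is an added example, not from the thread, that does the same lookup with PowerShell: it pulls the lockout events from a domain controller and counts them per calling machine. It assumes a DC on a Windows version that logs event ID 4740 ("A user account was locked out"); the Windows 2003-era log discussed in the thread records the same information under ID 644, with the caller machine name in the event description. The ActiveDirectory module is assumed only for locating the PDC emulator, which sees every lockout in the domain.

```powershell
# Added example (not from the thread): pull account-lockout events from a
# domain controller and rank the machines the bad logons came from.
# Assumes a DC that writes event ID 4740; on Windows 2003 the equivalent
# event is ID 644. Queries the PDC emulator because all lockouts are
# forwarded to it.
Import-Module ActiveDirectory

function Get-LockoutSources {
    param(
        [string]$DomainController = (Get-ADDomain).PDCEmulator,
        [int]$Hours = 24
    )

    # Get-WinEvent reports an error when nothing matches; treat that as "no lockouts"
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            User           = $e.Properties[0].Value   # TargetUserName
            CallerComputer = $e.Properties[1].Value   # TargetDomainName holds the caller computer name in 4740
        }
    }
}

# One line per lockout, newest first
Get-LockoutSources | Sort-Object Time -Descending | Format-Table -AutoSize

# Which machine is generating the lockouts? The top entry is where to look.
Get-LockoutSources | Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, @{Name = 'CallerComputer'; Expression = { $_.Name }}
```

If the caller computer turns out to be a gateway or a server that relays logons (a proxy, a terminal server, a web front end), the failed-logon events themselves (ID 4625 on current versions, 529 and friends on 2003) on that DC carry the source network address, which is the next place to search.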
 