Hi Robert

I have two scripts we used a few weeks ago when we had this problem.  They
were written based on some of Robbie Allen's scripting in his Tuna Book.

(See attached file: bulkunlock3.vbs)(See attached file: collect nt
usernames.vbs)

Create a file on the root of drive C called ntuserlist.txt and a second
file called lockedaccounts.txt.  Edit both scripts to change the domain
name from "DOMAINNAME" to whatever your domain is.  Run the Collect NT
usernames script - this will put up a done message box when it finishes and
provide a list of all users in your domain.  Run the bulkunlock3 which will
read the list and unlock any locked accounts.  The list of accounts that
were unlocked will show up in lockedaccounts.txt while a message box will
be provided with the number of accounts unlocked.

Regards;

James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]


"Robert N. Leali" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]tivedir.org
08/05/2004 03:42 PM EST
Please respond to ActiveDir

To: <[EMAIL PROTECTED]>
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] Unlock user account in mass




What is the easiest way to unlock multiple user accounts in Active
Directory?  Random accounts locked up today and I need a way to unlock them
without having to go user by user.  Is there a tool or script already
written?

Any help would be appreciated.

Robert


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 2:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

I am looking that up now





Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA  18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 3:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

This stands out
Pre-authentication failed:


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The program uses Apache, I am still working with the vendor on this.
This is the error from the DC:

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Account Logon
Event ID:          675
Date:                8/5/2004
Time:               3:15:59 PM
User:                NT AUTHORITY\SYSTEM
Computer:        KINGS-DC01
Description:
Pre-authentication failed:
            User Name:      ricktest
            User ID:                       KINGS\ricktest
            Service Name:  krbtgt/KINGS.EDU
            Pre-Authentication Type:           0x0
            Failure Code:    0x19
            Client Address: 10.1.18.48


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA  18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]
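
Added example (not part of the thread and not any participant's code): a Python sketch that decodes the Failure Code field of event 675 descriptions like the one quoted above, using the error names from RFC 4120. The second sample event, the function names and the plain-text export layout are assumptions made for illustration.

```python
import re

# Kerberos error codes and texts from RFC 4120 (subset seen in logon failures).
KRB_ERRORS = {
    0x06: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "client not found in Kerberos database"),
    0x12: ("KDC_ERR_CLIENT_REVOKED", "client credentials have been revoked"),
    0x17: ("KDC_ERR_KEY_EXPIRED", "password has expired"),
    0x18: ("KDC_ERR_PREAUTH_FAILED", "pre-authentication information was invalid"),
    0x19: ("KDC_ERR_PREAUTH_REQUIRED", "additional pre-authentication required"),
    0x25: ("KRB_AP_ERR_SKEW", "clock skew too great"),
}
HEADER = "Pre-authentication failed:"
FIELD = re.compile(r"^[ \t]*(User Name|Service Name|Pre-Authentication Type|"
                   r"Failure Code|Client Address):[ \t]*(\S+)[ \t]*$", re.M)

def parse_675(description):
    """Decode one event 675 description (the text after the header line)."""
    rec = dict(FIELD.findall(description))
    code = int(rec["Failure Code"], 16)
    rec["error"], rec["meaning"] = KRB_ERRORS.get(code, ("UNKNOWN", "not in table"))
    # 0x18 means the pre-auth data (normally the password-derived timestamp)
    # did not validate. 0x19 means the request carried no pre-auth data at all
    # and the KDC asked for it, so no password was tested.
    rec["bad_password"] = code == 0x18
    return rec

def triage(log_text):
    """Split a plain-text export on the 675 header and decode every event."""
    return [parse_675(block) for block in log_text.split(HEADER)[1:]]

# First event: the one quoted in the thread. Second: constructed for contrast.
SAMPLE = """\
Pre-authentication failed:
            User Name:      ricktest
            Service Name:  krbtgt/KINGS.EDU
            Pre-Authentication Type:           0x0
            Failure Code:    0x19
            Client Address: 10.1.18.48
Pre-authentication failed:
            User Name:      exampleuser
            Service Name:  krbtgt/EXAMPLE.TEST
            Pre-Authentication Type:           0x2
            Failure Code:    0x18
            Client Address: 192.0.2.10
"""

if __name__ == "__main__":
    for ev in triage(SAMPLE):
        print(ev["User Name"], ev["Client Address"], ev["error"], "-", ev["meaning"])
```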

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

There are tools to monitor kerberos conversations (capture), but I think
you're likely better off using success/failure audit logging to see what's
going on, what's being attempted and where authentication is failing.

I think the following is most likely to be helpful
http://support.microsoft.com/default.aspx?kbid=326985


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Question: is there a utility that would use Kerberos to log in (kind of
like a test login utility)?

We are not experiencing any problem with logins anywhere (except as
mentioned). This is the first non-Windows application we are deploying
that uses Kerberos (outside of Windows). It does recognize a bad password
as a bad password, but throws an error when the correct password is given:

ERROR(1006)
An error occurred in WebCT authorization.





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

So that leads to the next question then: do you have a problem going on?
If so, can you give some details?

Al


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The application is called WebCT. www.webct.com. It is a distance learning
app that runs off a web server. Their documentation is somewhat lacking,
and their support is not really that good.

I do have everything set up as they request, so I was thinking that my
problem is on my end.

I do have a support call scheduled with them later today. I wanted to try
to rule out an AD problem.

Thanks





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Sorry Rick.  Thread overlap. :)

Whether or not you need to make a change depends on the application.  For
example, if they use the operating system to handle the authentication
calls, then it should work fine, right? If they do something else, they
should have documented it and should tell you what is needed. What is the
application saying they need to do?   Which application is it out of
curiosity?

Al


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

I think we have a miscom here: I have no 5.5 server-- I assume that you
mean Exchange 5.5 (we are all ex2k3).

More details:

I have an app that runs on a win2k3 that uses either LDAP or Kerberos to
authenticate its users against our 2003 Active Directory. The app server
is part of our domain but the app that runs on it is a third party app that
says it can authenticate using Kerberos or LDAP.

My question is: Do I need to do anything to our Domain controller to allow
the app to talk to the domain controller?

Thanks,



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Before going any further, how about trying to get the information from a
5.5 server locally using the admin utility?

The goal of looking there is to isolate whether the problem is on the 5.5
side or if the problem is elsewhere; just need to rule out there's a
problem with the 5.5 admin :)

Al


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

It is also Windows 2003, but the software is a web app (webct). I am
confused as to whether the OS is doing the authentication or the app is.






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 9:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

What OS is the remote system and how is it connected?




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Kerberos question



Quick question:
I have a remote system that needs to authenticate to our 2003 DCs, I have
the choices of Kerberos and LDAP. I would prefer to use Kerberos for
security reasons, but I do not know if I need to do anything on the DC
server in order to make this work.


Does anyone have a place they could point me to? I have the Kerberos
troubleshooting guide and am working through this.


Thanks



<<attachment: bulkunlock3.vbs>>

<<attachment: collect_nt_usernames.vbs>>
