Here's some old ASP script I wrote years ago to help me with a DoS
lockout issue I was having.  
 
 
Sub Global_Unlock
  'This sub was built to undo a DOS account lockout flood that I encountered on a production server.
  'Because Account Lockout policies were in place and over 1500 users in AD tree I needed a quick
  'way to unlock everyone once I resolved the DOS Flood. There is no visible link to this Sub
  'but it can still be called by calling "display_usergroup.asp?action=globalunlock"
  Response.Write "Unlocking..."
  Response.Flush
  'Bind to the server through the WinNT provider
  Set BaseObj = GetObject("WinNT://" & Application("domain") & "/" & Application("Server"))
%>
<table width="100%" name="rsTable" id="rsTable" cols=6>
  <TR>
   <TH><Acronym title="Sort by Username" onClick="table_sort(0)" onMouseOver="this.style.cursor='hand';"><&nbsp;UserName&nbsp;></acronym></TH>
   <TH><Acronym title="Sort by Full Name" onClick="table_sort(1)" onMouseOver="this.style.cursor='hand';"><&nbsp;Full Name&nbsp;></acronym></TH>
   <TH><Acronym title="Sort by Description" onClick="table_sort(2)" onMouseOver="this.style.cursor='hand';"><&nbsp;Description&nbsp;></acronym></TH>
   <TH><Acronym title="Sort by Active" onClick="table_sort(3)" onMouseOver="this.style.cursor='hand';"><&nbsp;Active&nbsp;></acronym></TH>
   <TH><Acronym title="Sort by Locked" onClick="table_sort(4)" onMouseOver="this.style.cursor='hand';"><&nbsp;Locked&nbsp;></acronym></TH>
   <TH>Manage</TH>
  </TR>
<%
  'Enumerate only user objects
  BaseObj.Filter = Array("User")
  For Each user In BaseObj
    Set objUser = GetObject("WinNT://" & Application("domain") & "/" & Application("Server") & "/" & user.name & ",user")
    memstatus = "<font color='#00FF00'>Enabled</font>"
    If objUser.AccountDisabled = True Then memstatus = "<font color='#FF0000'>Disabled</font>"
    acclockout = "<font color='#00FF00'>Unlocked</font>"
    If Len(Request.QueryString("rev")) Then
      'A "rev" value in the query string reverses the action: lock every account except administrator.
      'LCase makes the name check case-insensitive (VBScript compares strings case-sensitively).
      If objUser.IsAccountLocked = False And LCase(user.name) <> "administrator" Then
        objUser.IsAccountLocked = True
        objUser.SetInfo
      End If
    Else
      'Default action: clear the lockout flag on every locked account
      If objUser.IsAccountLocked = True Then
        objUser.IsAccountLocked = False
        objUser.SetInfo
      End If
    End If
    If objUser.IsAccountLocked = True Then acclockout = "<font color='#FF0000'>Locked</font>"
    'Directory values are HTML-encoded before being written into the page
    Response.Write "<TR>"
    Response.Write "<TD>" & Server.HTMLEncode(user.name) & "</td>"
    Response.Write "<TD>" & Server.HTMLEncode(objUser.FullName & "") & "</td>"
    Response.Write "<TD>" & Server.HTMLEncode(objUser.Description & "") & "</td>"
    Response.Write "<TD>" & memstatus & "</td>"
    Response.Write "<TD>" & acclockout & "</td>"
    Response.Write "<TD><a href=""manage_user.asp?user=" & Server.URLEncode(user.name) & """>Manage</a></td>"
    Response.Write "</tr>"
    Response.Flush
  Next
  Response.Write "</table>"
End Sub
 
Thanks,
 
Jake Gardner
TTC Network Administrator
Ext. 246
 

________________________________

From: Andy Crellin [mailto:[email protected]] 
Sent: Thursday, January 08, 2009 11:29 AM
To: NT System Admin Issues
Subject: All AD Accounts getting gradually locked out



OK, here's a teaser...

All of our AD accounts are gradually being locked out. I have one guy
searching for locked out accounts and unlocking them (and they do not
get re-locked out) but with 2500 accounts this is more than a PITA. Now,
this stinks of a brute force attack on an enumerated list of accounts on
the network (we allow 10 attempts then lockout for 30mins), but we can't
find _anything_ that looks like this. To compound matters, we have also
had a small outbreak of WORM_DOWNAD.AD which has been contained and
managed well, but I think this is a red herring as that worm's symptoms
are nothing like what we are seeing (and there is no correlation).

Does anyone know of a way to find out what processes are attempting to
make a logon attempt (we have about 10 DCs spread about the place) to an
account - bearing in mind it could be any one of 2500 accounts? Also, is
it possible to find out where the logon attempt that caused an account
lock came from?

Cheers, and TIA,

Andy.

 

 

Andy Crellin 
Technical Services Manager
Leonard Cheshire Disability
Telephone: 01904 479200
Email: [email protected]
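
On the question of where the lockouts come from: the following is an added example, not part of either message, that groups account-lockout events collected from several DCs by the computer that made the failing logons (Windows Server 2008 and later record a lockout as Security event ID 4740, which includes the caller computer name). The CSV column names, host names, account names and thresholds are constructed assumptions for the example, not a real export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: lockout events merged from several DCs.
# Column names are assumptions for this example, not a real export format.
SAMPLE = """\
time,dc,account,caller
2009-01-08T09:00:05,DC01,asmith,WKS-114
2009-01-08T09:00:41,DC03,bjones,WKS-114
2009-01-08T09:01:17,DC01,cwhite,WKS-114
2009-01-08T09:02:02,DC02,dgreen,WKS-114
2009-01-08T09:15:30,DC02,ekhan,LAPTOP-22
2009-01-08T10:40:00,DC01,ekhan,LAPTOP-22
2009-01-08T11:05:12,DC03,fross,
"""

def lockout_sources(text, window=timedelta(minutes=10), min_accounts=3):
    """Group lockouts by calling computer and flag any source that locked
    at least `min_accounts` distinct accounts within `window`."""
    by_caller = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        # The caller field can be blank in real events; keep those visible.
        caller = row["caller"].strip().upper() or "(unknown)"
        by_caller[caller].append(
            (datetime.fromisoformat(row["time"]), row["account"].lower()))
    report = {}
    for caller, events in by_caller.items():
        events.sort()
        worst, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            worst = max(worst, len({a for _, a in events[start:end + 1]}))
        report[caller] = {
            "lockouts": len(events),
            "accounts": len({a for _, a in events}),
            "peak_accounts_in_window": worst,
            # One host locking many different accounts in a short time
            # matches the enumerated-account pattern; one account locked
            # repeatedly from one host looks like a stale credential.
            "suspect": caller != "(unknown)" and worst >= min_accounts,
        }
    return report

if __name__ == "__main__":
    for caller, stats in sorted(lockout_sources(SAMPLE).items()):
        print(caller, stats)
```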
