Comments on: AD Account Bulk-Unlock, or: Active Directory Denial of Service Attacks

By: Faiz

Faiz — Wed, 03 Mar 2010 23:32:25 +0000

define “permissions to unlock”? because using the LockOutStatus tool or active directory, we are able to unlock those accounts which are still locked, even though reported by the scripted to have been unlocked.

By: Clay

Clay — Wed, 03 Mar 2010 17:35:22 +0000

Are you using an account with permissions to unlock? There is no error checking in the unlock portion of the script, so for example if you run the script with an account that does not have the unlock account permissions, it will report the accounts as unlocked, even when they aren’t.

By: Faiz

Faiz — Wed, 03 Mar 2010 04:39:32 +0000

i ran the script, but double checking the same accounts that was reported to be unlocked, using the LockOutStatus tool, it still shows the same account as locked. any ideas what’s going on?

By: Matthew

Matthew — Tue, 16 Feb 2010 14:28:00 +0000

@Ben/Clay:

The script currently only scans the domain of the account that runs it.

If you want to run this script against any other domain than the account you’re using to run it, it will require modification.

By: Clay

Clay — Thu, 11 Feb 2010 20:54:09 +0000

No, it does not need to be run from a DC, and no, it needs no modification.

By: Ben

Ben — Tue, 09 Feb 2010 11:54:39 +0000

Hi all,

Just a few questions i need answering:

Does this script need to be run from the DC?

Does the script need altering? eg. domain name needs entering.

Thanks

Ben

By: Burton Haynes

Burton Haynes — Wed, 20 Jan 2010 05:57:33 +0000

Hell yeah, this post is really what I am looking for. I am really lucky today. Thank you admin!

By: lucky worlock

lucky worlock — Mon, 11 Jan 2010 05:58:17 +0000

Thank you very much… it save me a lot..

By: mlundy

mlundy — Fri, 08 Jan 2010 00:09:53 +0000

Is this script run on the DC/

By: Awais

Awais — Mon, 23 Nov 2009 19:47:08 +0000

I have found the argument, below is how i restrict/filter the search.

ActFilter = “(&(&(ObjectCategory=person)(ObjectClass=user) (UserPrincipalName=MyAccounts*)))”

Thanks
AAA

By: Awais

Awais — Mon, 23 Nov 2009 16:32:17 +0000

Hey,
1st Thanks for th post and the script.
Problem,
when i ran this script it started unlocking all/every account it finds, That is something That I did not want to do.
I want to Only Unlock accounts first that gets locked in today and most important thing about those is I want to only Unlock specific account For Example
UNLOCK ALL Accounts WHERE Account_Name LIKE ‘DELL%’
Mean unlock all account where account name starts with ‘DELL’

I’ll greatly appreciate any help on this.

Thanks.

By: mike

mike — Tue, 03 Nov 2009 17:02:03 +0000

Just had to say thanks on this. Blew up my certs on my domain controllers and locked out everyone (21,000 accounts). fixed the cert and a frantically googled a way to mass unlock accounts. I was in the clear in 5 minutes. IOU one big beer.

By: Clay

Clay — Fri, 11 Sep 2009 12:55:57 +0000

Hi Joseph. This solution is still possible because the builtin Active Directory administrator account can never really be locked out. As long as you know the password, it is possible to log on to a domain controller with that account. This is one good reason to not disable that account, although renaming it and securing it with a strong password are a good idea. Hope that helps.

By: Joseph

Joseph — Fri, 11 Sep 2009 01:42:39 +0000

Is this solution possible if I am log-in using the guest account? because our active directory administrator account was also locked.

By: Gavin Hamill

Gavin Hamill — Sat, 29 Aug 2009 13:54:40 +0000

This issue has thankfully now been traced to a remote machine with a virus on a bridged VPN.

I did try Lockoutstatus.exe yesterday as part of the troubleshooting but found that it misreported thus adding confusion. We have 3 DCs, of which two were marked ‘Unlock (Auto Unlock)’ despite the fact that the account in question was definitely locked.

My stumbing was in the Windows security log – I was looking for one of the columns to show the locked username. My bad – in the end all I had to do was look in a couple of the ‘Failed Audit’ entries and I was presented with the most-recently locked username along with the IP of the workstation. I then firewalled it from everything but the DHCP server (fortunately DHCP is not run by the DCs!) so it would stick on the same IP.

I’m looking forward to slinging all hell at the sysadmins of that remote site on Monday since their incompetence damaged my Friday night. :)