All accounts were locked out on Win2k3 server

February 18, 2011 at 06:26:04
Specs: Windows server 2003, 751/1GB
Without warning, all accounts on our domain controller were locked out. Right now my desktop clients are using cached credentials. I cannot log in as administrator because the administrator account was locked out as well. Is there any way to recover this domain controller? If I can't get it open soon I may have to install another domain controller... and that won't be fun for me or my users.
Please help out
don


#1
February 18, 2011 at 07:22:40
Are you trying to log in through Remote Desktop or are you doing it at the server? I thought that the lockouts on the Administrator password did not apply to direct physical access to the server.

Are you sure you did not simply forget the password?

P.S. "If I can't get it open soon I may have to install another domain controller" will not work because first you can't log in as admin to join the DC and second it would simply replicate the state to the new DC.



#2
February 18, 2011 at 07:25:05
Are the users using cached credentials from local machines to get access to the server? If so, why can't that be done with the administrator account? Didn't you ever log in from a local machine as admin?

How do you know when a politician is lying? His mouth is moving.



#3
February 18, 2011 at 08:39:12
cocoaflavoured, do you have access to the server when you are at the server?

Is this server connected to the internet? If so you very well may have been hacked. Disconnect the network from the internet. That is the network as in everybody, not just the server. Keep it this way until you have secured your network with a firewall.

Next come up in safe mode. See if you can log on. If you can't then move on to doing a repair install [not new install] of the server OS. See if this can gain you access.

You do have backups right?

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's



#4
February 19, 2011 at 02:38:43
@ace_omega:

Thanks for replying.
Logins are failing from both console and remote desktop. I have the passwords written down so forgetting it is out of the question.



#5
February 19, 2011 at 02:41:45
@guapo

Thank you for replying.
The users are logging in to their client machine. The server is for authentication. I confirmed that they cannot log in by using their accounts on other machines and the login failed with the response "your account has been locked out. contact your administrator". But when I do so on the original client machines login is successful.



#6
February 19, 2011 at 02:45:56
@wanderer
Thank you for posting a reply.
I do have a firewall: ISA Server 2006. The logs show no sign of intrusion but I did notice that my network was suddenly flooded with worms showing up in the System32 folders of client systems. The client systems are running Kaspersky Workstation Antivirus 6.0. These too do not detect an entry. I know this because my machine is a client system as well and the same event is noticed.
Unfortunately, I do not have backups.


#7
February 19, 2011 at 15:27:44
"I do not have backups"

You are in deep doo-doo cocoaflavoured.
Start planning a complete rebuild of the network. Once in, the hackers will hide back doors back into the system. Complete wipe and reload is the only option.

Not having log entries when you have the activity you describe is a sure sign of being hacked.


#8
February 21, 2011 at 19:16:40
@wanderer
You are absolutely right. After doing some digging I discovered that software has been planted on some systems on the network that is doing the following actions:
1. Logging in to the AD/workstations as anonymous logons
2. Enumerating accounts on the AD
3. Trying to do a brute force attack against accounts in the AD, but the AD locks them out because of the account lockout policy

Now, I already know that I have to do a complete wipe. I know how to plug the enumeration attacks on the client systems.

But I need to find the software that has been planted on the client systems so I can remove it.

Do you know if this is feasible at all? And if so, how may I track down such software and kill it?

I must thank you for your responses so far. They have helped me to think in the right direction.


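The pattern described in post #8 (anonymous logons, account enumeration, then a password-guessing run that trips the lockout policy) leaves a trail in the domain controller's Security log, and the "Caller Machine Name" / "Workstation Name" field on those events is what points back to the infected client. The following Python script is an added example, not something from this thread or from Microsoft's tooling: it assumes the Security log has been exported to a simplified comma-separated form (timestamp, event ID, account, caller workstation), uses the Windows Server 2003 event IDs 529 (logon failure), 644 (account locked out) and 540 (successful network logon, which is how an ANONYMOUS LOGON shows up), and runs over constructed sample lines to rank the machines generating the failures.

```python
"""Rank the workstations behind a wave of Active Directory lockouts.

Added example. The log format below is a constructed, simplified export of
a Windows Server 2003 domain controller's Security log; a real export would
need its own field mapping, but the grouping logic is the same.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Windows Server 2003 Security log event IDs (pre-Vista numbering).
LOGON_FAILURE = 529    # unknown user name or bad password
ACCOUNT_LOCKED = 644   # user account locked out
NETWORK_LOGON = 540    # successful network logon; ANONYMOUS LOGON uses this ID

# Constructed sample records: timestamp, event id, account, caller workstation.
SAMPLE_LOG = """\
2011-02-18 06:01:12,540,ANONYMOUS LOGON,WS-ACCT-03
2011-02-18 06:01:13,529,administrator,WS-ACCT-03
2011-02-18 06:01:13,529,don,WS-ACCT-03
2011-02-18 06:01:14,529,jdoe,WS-ACCT-03
2011-02-18 06:01:14,529,administrator,WS-ACCT-03
2011-02-18 06:01:15,529,jdoe,WS-ACCT-03
2011-02-18 06:01:16,529,administrator,WS-ACCT-03
2011-02-18 06:01:17,644,administrator,WS-ACCT-03
2011-02-18 06:01:18,644,jdoe,WS-ACCT-03
2011-02-18 06:05:40,540,ANONYMOUS LOGON,WS-SALES-11
2011-02-18 06:05:41,529,msmith,WS-SALES-11
2011-02-18 06:05:41,529,rlee,WS-SALES-11
2011-02-18 06:05:42,529,kchen,WS-SALES-11
2011-02-18 06:05:42,529,pgarcia,WS-SALES-11
2011-02-18 06:05:43,529,tkim,WS-SALES-11
2011-02-18 06:12:05,529,alice,WS-HR-02
2011-02-18 06:12:30,540,alice,WS-HR-02
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    event_id: int
    account: str
    caller: str  # "Caller Machine Name" / "Workstation Name" field


def parse_log(text: str) -> List[Event]:
    """Parse the simplified CSV export, skipping blank and comment lines."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, event_id, account, caller = line.split(",", 3)
        events.append(Event(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                            int(event_id), account, caller))
    return events


def summarize_by_caller(events: List[Event]) -> Dict[str, dict]:
    """Per caller workstation: failure count, distinct accounts tried,
    accounts it locked out, and anonymous network logons it made."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"failures": 0, "accounts": set(), "lockouts": [], "anonymous_logons": 0})
    for ev in events:
        s = stats[ev.caller]
        if ev.event_id == LOGON_FAILURE:
            s["failures"] += 1
            s["accounts"].add(ev.account)
        elif ev.event_id == ACCOUNT_LOCKED:
            s["lockouts"].append(ev.account)
        elif ev.event_id == NETWORK_LOGON and ev.account.upper() == "ANONYMOUS LOGON":
            s["anonymous_logons"] += 1
    return dict(stats)


def suspicious_callers(stats: Dict[str, dict], min_failures: int = 5,
                       min_accounts: int = 3) -> List[str]:
    """Callers with many failures spread over several accounts: a single user
    mistyping one password does not look like this, a guessing tool does."""
    hits = [c for c, s in stats.items()
            if s["failures"] >= min_failures and len(s["accounts"]) >= min_accounts]
    return sorted(hits, key=lambda c: (-stats[c]["failures"], c))


def lockout_sources(stats: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map each locked-out account to the workstation(s) that locked it."""
    sources: Dict[str, List[str]] = defaultdict(list)
    for caller, s in stats.items():
        for account in s["lockouts"]:
            sources[account].append(caller)
    return {a: sorted(c) for a, c in sources.items()}


if __name__ == "__main__":
    stats = summarize_by_caller(parse_log(SAMPLE_LOG))
    for caller in suspicious_callers(stats):
        s = stats[caller]
        print(f"{caller}: {s['failures']} failures over {len(s['accounts'])} accounts, "
              f"{s['anonymous_logons']} anonymous logons, locked out {s['lockouts']}")
    print("lockout sources:", lockout_sources(stats))
```

The thresholds are deliberately conservative defaults; tune `min_failures` to the lockout policy in force (a guessing tool will trip it well before a user does), and treat any caller that appears in `lockout_sources` for the Administrator account as the first machine to pull off the network and rebuild.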

#9
February 22, 2011 at 08:49:37
If it were me I would first kill the internet connection. Wipe and reinstall the server. Wipe and reinstall the workstations. Install a new firewall router and then reconnect to the internet.

Then get on a regular server backup routine and run firewall software on the server as well as the workstations in addition to the firewall router.


#10
February 22, 2011 at 22:06:07
Thanks again for your response,

I will commence on this course of action immediately.
I use Kaspersky as my firewall on the client systems.
I have a firewall router (ISA 2006)
Do you have further suggestions for me?



#11
February 23, 2011 at 08:44:31
They got through your ISA firewall. Put in a SonicWall or other firewall/router appliance on the internet connection.

Do understand that no amount of firewalls etc. will protect the network when users download/connect to sites that invite the hackers into your network.

This is why limiting access can be so very important, as well as educating staff on safe computing.
