Solved Need to enable local accounts

November 16, 2011 at 07:51:28
Specs: Server 2003
Good Morning,

One of our client's servers has an issue this morning where most of the vital services will not start up. They had a lot of malware, but in the cleaning process I believe most of the local user accounts were disabled, and now the services will not start because of bad credential associations. Is there any way to change the credentials (the properties window will not show up when you double-click services) or re-enable the local user accounts (AD will not start up, so I cannot see the users through that interface)?



#1
November 16, 2011 at 08:00:04
Is this a DC? If it is, there are no local accounts, apart from an Administrator account in Active Directory restore mode. (I ask because you say "AD will not startup", which only seems to be relevant on a DC).

What are the error messages that you are getting for one of the services that won't start?



#2
November 16, 2011 at 08:15:41
Yeah, it's a DC. I can't see any error messages because, for whatever reason, the properties dialog box won't show for the services or the events, so I'm at a loss.

I'm not sure how many of the local accounts were disabled, but one of our techs had disabled a few and moved them out of the Administrators and Users groups. I'm pretty sure this is what is causing the issue. He mentioned he was doing it and I didn't think much of it as he was working on removing some nasty Trojans/malware, but when the server came up after the next reboot we started having this issue, so I'm sure the accounts required to start the services are no longer enabled.

If I could get at the properties window I could change them, or if I could get at the user accounts I could enable them, but I haven't found a solution for either.



#3
November 16, 2011 at 09:10:46
Well, I'm confused. As I said (unless I've forgotten all I knew about Windows Server), there are no local accounts on a DC. You could try restarting in Active Directory restore mode and see if you can get any more sense of it there (it's a bit like Safe Mode for a DC).


#4
November 16, 2011 at 09:23:04
Hi iJack,

Sorry, they were disabled in AD Users and Computers. Is there a way to re-enable them in Directory Services Restore Mode?



#5
November 16, 2011 at 09:40:30
Is this the only DC in the forest? It's a bit difficult to know what to suggest if Active Directory won't start. Are you able to open Event Viewer to see the messages about the failures?

Does the client have a recent backup of System State? If so, I would be inclined to restore it from Restore Mode.

But you might want to have a look at http://support.microsoft.com/kb/258062 to see if it is relevant.



#6
November 16, 2011 at 09:49:26
Yes, it's the only DC. I'm 98% it's related to the disabled users and services not being able to start up. I believe once I get the services going with other accounts or re-enable the disabled accounts, the services will be able to start and AD should be good. I just can't find a way to change the credentials on the service or re-enable the disabled users.


#7
November 16, 2011 at 10:34:29
I'm at a bit of a loss as to what else to suggest right now. I'm hoping that wanderer will pop up with some suggestions. He's pretty knowledgeable about these things.


#8
November 16, 2011 at 10:38:42
Yeah, I'm at a loss too - been searching all over, but haven't found a solution yet. I really hope something turns up.


#9
November 16, 2011 at 11:40:22
Thanks for the plug ijack :-)

Hurricane09, we didn't get an answer concerning backups with system state.

As ijack suggests that would be the route to go which is do a system state restore to before the malware infection.

Pretty bad malware got on the server to begin with. Shows a lack of security/protection of the server. You need to understand that malware/viruses are used these days to load hacker tools on the compromised server. Most likely you still have back doors they left to get back into the system later.

But that is a discussion for another thread.

Question I have is can you logon as administrator and enable the user accounts?
Just trying to see how damaged the system is.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry, no tech support via PMs



#10
November 16, 2011 at 11:51:06
Hi Wanderer,

We just started working with this company and one of the things we highly recommended was backups and security/protection - unfortunately they were slow to act so now we have this disaster on our hands.

As far as I can tell there isn't a system state backup, so I don't believe that is an option but I'll keep searching just in case they have one.

I can log on as administrator, but only a few of the services start and it's not enough to enable ADUC, I guess, because when I attempt to go into that, it tells me the workstation driver hasn't loaded. If I try to double-click any service the properties window doesn't come up, so I can't even see what account the service is trying to start using.

Any help/suggestions would be greatly appreciated.


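As an added example (not from the thread, and not a tool any poster used): when the Services properties dialog will not open, the command-line `sc qc <service>` on Server 2003 still prints each service's configuration, including the logon account in the `SERVICE_START_NAME` line. The script below parses concatenated `sc qc` output and sorts services into three buckets: those running as a built-in identity (never disabled in ADUC), those running as an account on a known-disabled list (the ones that will fail to start), and those running as a named account whose state is unconfirmed and needs checking. The `sc qc` sample, the CONTOSO domain, the `svc_*` accounts, the BackupAgent/MonitorAgent services and the disabled-account list are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Built-in identities (compared case-insensitively). These cannot be
# "disabled" in AD Users and Computers, so a service running as one of
# them is not a suspect for the disabled-account failure in the thread.
BUILTIN_ACCOUNTS = {
    "localsystem",
    "nt authority\\localsystem",
    "nt authority\\localservice",
    "nt authority\\networkservice",
}

# Constructed sample: what `sc qc <name>` prints for four services, run
# one after another. The CONTOSO domain, the svc_* accounts and the
# BackupAgent/MonitorAgent services are invented for this example.
SAMPLE_SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Netlogon
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\lsass.exe
        DISPLAY_NAME       : Net Logon
        SERVICE_START_NAME : LocalSystem
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Dnscache
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k NetworkService
        DISPLAY_NAME       : DNS Client
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BackupAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\BackupAgent\agent.exe
        DISPLAY_NAME       : Backup Agent
        SERVICE_START_NAME : CONTOSO\svc_backup
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MonitorAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\Program Files\MonitorAgent\monitor.exe
        DISPLAY_NAME       : Monitor Agent
        SERVICE_START_NAME : CONTOSO\svc_monitor
"""

# Constructed list of the accounts the technician disabled (in practice
# taken from the tech's notes, or from ADUC once it is reachable again).
DISABLED_ACCOUNTS = ["CONTOSO\\svc_backup", "CONTOSO\\jsmith"]

SERVICE_RE = re.compile(r"^SERVICE_NAME:\s*(\S+)", re.MULTILINE)
START_NAME_RE = re.compile(r"^\s*SERVICE_START_NAME\s*:\s*([^\r\n]*)", re.MULTILINE)


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Map service name -> logon account from concatenated `sc qc` output."""
    services: Dict[str, str] = {}
    starts = list(SERVICE_RE.finditer(text))
    for i, match in enumerate(starts):
        # Each block runs from its SERVICE_NAME line to the next one.
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        block = text[match.start():end]
        start_name = START_NAME_RE.search(block)
        services[match.group(1)] = start_name.group(1).strip() if start_name else ""
    return services


def is_builtin(account: str) -> bool:
    """True for LocalSystem / LocalService / NetworkService in any casing."""
    return account.strip().lower() in BUILTIN_ACCOUNTS


def classify_services(services: Dict[str, str],
                      disabled_accounts: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Sort services into builtin / disabled / unknown by logon account.

    'disabled' = runs as an account on the disabled list (will not start);
    'unknown'  = runs as a named (or empty) account whose state is unconfirmed.
    """
    disabled = {a.strip().lower() for a in disabled_accounts}
    report: Dict[str, List[Tuple[str, str]]] = {"builtin": [], "disabled": [], "unknown": []}
    for name, account in sorted(services.items()):
        if is_builtin(account):
            report["builtin"].append((name, account))
        elif account.strip().lower() in disabled:
            report["disabled"].append((name, account))
        else:
            report["unknown"].append((name, account))
    return report


if __name__ == "__main__":
    result = classify_services(parse_sc_qc(SAMPLE_SC_QC_OUTPUT), DISABLED_ACCOUNTS)
    for bucket in ("disabled", "unknown", "builtin"):
        for svc, acct in result[bucket]:
            print(f"{bucket:8} {svc:14} {acct}")
```

On a real box the input would be gathered by listing service names with `sc query state= all` and running `sc qc` on each, then pasting the result into the script; the "disabled" bucket is the list of services to fix (re-enable the account, or point the service at a different one), and the "unknown" bucket is what still needs a look before the cause is declared found.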

#11
November 16, 2011 at 13:19:15
✔ Best Answer
Only server and no backups.

Have you tried connecting via workstation using mmc? I have had success getting in this way when I couldn't gain access at the server.

When on the server have you tried going to control panel/admin tools/services?
If you can access services perhaps you can manually start them.
My concern is the NT Authority and System accounts have been compromised and I don't know of any repair of those accounts.

You can try this to gain access to the nt authority/system account
http://security.fnal.gov/cookbook/L...

If you can't access/control services, as far as I can tell you are not going to be able to fix this.
This actually may be a good thing, which is to reload the OS from scratch and build the AD forest/domain again. It's what is recommended after a hacker compromise of a system, which is what this sounds like.

Did they have any banking/customer accounting information on this server? If so, all parties need to be notified that their information may have been compromised.




#12
April 19, 2012 at 21:40:28
I heard about the topic. I too have problems with the local accounts; there is a need to update these accounts. I find loss with some systems. Could you please produce some attachments regarding the correct system.
