All domain admin accounts locked out


  • All domain admin accounts locked out

    Hi,

    I should prefix this post by noting that I fully accept I'm a moron, and apologise in advance for my sheer ineptitude, but I'd be extremely grateful for any advice.

    Basically, the scenario is that both domain admin accounts on my small domain have been locked out/had their passwords reset, and my question is, will any of the utilities/methods for resetting the password via DSRM also *unlock* the account, if that is indeed its state?

    The background to this is rather embarrassing. I've been trying to add an Ubuntu server as an AD member server using SADMS. For those unfamiliar with the SADMS tool, it allows SSO between Windows AD boxes and Linux machines (i.e. it creates computer accounts on the domain for Linux machines, and allows AD users to sign on to Linux machines as they would on any other machine).

    What I believe has happened is that when I tried to add the computer account using the domain's administrator account, authentication failed enough times to lock out the account, so I used my user account, which (despite all the recommendations to the contrary) is also a domain admin account. The domain membership request succeeded (i.e. a computer account was created on the domain for the Linux machine, and I was able to log on to the box using an AD account). However, at some stage after this, Samba, or Winbind, or some other Linux tool has repeatedly tried to log on using my domain admin account, and it has triggered the AD lock account GPO for unsuccessful logins.

    Interestingly, when I try to log on to the machine, it doesn't tell me that the account is locked out; it warns that the username/password was not recognised; the usual dialog you get when you try to log on with invalid credentials or when the account is not recognised on the domain. I'd have thought if the account was *locked* it would tell me that, rather than using a vague error message though.

    Regardless, I can boot into DSRM as the local administrator, and I'm happy to give one of the password reset tools a go, but my question is, if the account is locked, will using one of the tools also unlock the account, or just change the password? Or does the act of changing the password also *unlock* the account?

    Any advice gratefully received. I appreciate completely how stupid of me it was to try this without having an account dedicated for recovery from this sort of situation, but well, you live and learn.

    Cheers,

    Tom
    Last edited by purplebadger; 8th February 2008, 00:40.

  • #2
    Re: All domain admin accounts locked out

    Apologies - again. In my haste to get this fixed, I overlooked Petter's offline password editor which says it offers to unlock user accounts. Will give that a go and post back.



    • #3
      Re: All domain admin accounts locked out

      Wow. Brilliant. All sorted following the instructions here: http://www.nobodix.org/seb/win2003_adminpass.html

      Many thanks for this very, very helpful forum - I'll be sure to RTFM properly next time.

      Apologies for the wasted posts. Please ignore, but I hope this helps someone else.



      • #4
        Re: All domain admin accounts locked out

        Originally posted by purplebadger
        What I believe has happened, is that when I tried to add the computer account using the domain's administrator account, authentication failed enough times to lock out the account
        This is worrying. I always understood one of the special properties of "The Administrator" account (as opposed to a common or garden domain admin) is that it can never be locked out, regardless of the number of failed attempts.

        Can anyone confirm or deny?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: All domain admin accounts locked out

          I agree - but note that he did not say the account was locked out, just that he tried enough times that it would have locked out...


          Tom
          For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

          Anything you say will be misquoted and used against you



          • #6
            Re: All domain admin accounts locked out

            Good point, in fact the next para proves this.

            Too early in the morning for me to read properly!
            Tom Jones


            • #7
              Re: All domain admin accounts locked out

              Hi guys,

              Yeah, I'm not positive the account *was* locked out. What I can say for sure is that running the PassRecovery method referenced below solved the problem; whether changing the password also unlocked the account, I can't say.

              However...something funny is definitely going on with SADMS. I know that's outwith the subject of these forums, but I've noticed today, that suddenly my user account - the one I used to join the domain from the Linux machine - is locked out again (fortunately this time I have the administrator account unlocked, as well as a backup domain admin account and an account specifically for joining this Ubuntu box, so no DR situation this time - like I said, you live and learn!).

              Now this suggests to me that the administrator account was indeed locked out, but if that's impossible as you say, I'm not sure what's going on.

              Anyway, I think the moral of the story is that you need more than a passing knowledge of Windows admin/networking to join a Linux machine to an AD domain! Also, hopefully anyone else that finds themselves with this problem and SADMS, will find this thread when they Google it!

              Cheers,

              Tom
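
Added example, not part of any post in this thread: one way to answer the two questions left open above, namely whether an account is actually locked (rather than just failing on a bad password) and which machine keeps locking it. It assumes the ActiveDirectory PowerShell module, domain controllers running Windows Server 2008 or later (where lockouts are logged as Security event 4740), and a placeholder account name `tom.user`.

```powershell
# Added example. 'tom.user' is a placeholder; run with rights to read the
# Security log on the PDC emulator.
Import-Module ActiveDirectory

$account = 'tom.user'   # placeholder account name

# 1. Is the account really locked? LockedOut / lockoutTime answer that directly.
#    badPwdCount and LastBadPasswordAttempt are not replicated, so the values
#    shown are those held by the DC that answers this query.
$user = Get-ADUser -Identity $account -Properties LockedOut, lockoutTime, badPwdCount, LastBadPasswordAttempt
$user | Select-Object SamAccountName, LockedOut, badPwdCount, LastBadPasswordAttempt,
    @{ n = 'LockoutTimeUtc'; e = { if ($_.lockoutTime) { [datetime]::FromFileTimeUtc($_.lockoutTime) } } }

# 2. Which machine is causing it? Lockouts are recorded on the PDC emulator as
#    event 4740; property 0 is the locked account, property 1 the caller computer.
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'
    Id      = 4740
} | Where-Object { $_.Properties[0].Value -eq $account }

# Count lockouts per source host; a member server retrying a stale credential
# shows up as the same caller computer again and again.
$lockouts |
    Select-Object TimeCreated, @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } } |
    Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. Unlock only if the account is in fact locked. Until the credential cached
#    on the source host is corrected, the lockout will simply recur.
if ($user.LockedOut) {
    Unlock-ADAccount -Identity $account
}
```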



              • #8
                Re: All domain admin accounts locked out

                Excellent thread Tom and thanks for the updates. This will without a doubt help someone in the future who tries adding Ubuntu in a way I didn't think was possible. More bloody reading for me.....THANKS!!
                1 1 was a racehorse.
                2 2 was 1 2.
                1 1 1 1 race 1 day,
                2 2 1 1 2



                • #9
                  Re: All domain admin accounts locked out

                  Originally posted by biggles77
                  Excellent thread Tom
                  Which one -- there are three in this thread!
                  Tom Jones


                  • #10
                    Re: All domain admin accounts locked out

                    Wonderful thread. Many thanks to all the Toms (esp. the OP) as this is a tough topic without many successful solutions.

                    I hope we get some more posts from Tom (purplebadger). Do lurk on the site and participate.
                    Cheers,

                    Rick

                    ** Remember to give credit where credit is due and leave reputation points where appropriate **

                    2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



                    • #11
                      Re: All domain admin accounts locked out

                      Split to new thread:

                      http://forums.petri.com/showthread.php?p=95252
                      Cheers,

                      Rick
