MSUNAG Archives


Subject:

Re: account lockup trouble

From:

Gordon Williams <[log in to unmask]>

Reply-To:

MSU Network Administrators Group <[log in to unmask]>

Date:

Mon, 11 Mar 2002 15:14:46 -0500

Content-Type:

text/plain

Parts/Attachments:

text/plain (1 lines)


Thanks, Rob (and best wishes at U of M!).

Since the renamed admin acct was marked as being locked out, we had
not actually tried logging in AT THE CONSOLE with the original
(renamed) admin account (we had tried logging in locally with admin
accts that we had previously created).

This morning, I tried logging in at the console with the renamed
admin account and got in... even though it was "locked out" (so far
as net access was concerned). <whew>

We're back into our 8 affected servers and have looked through the
security event logs. Previous attacks (last May) were
dictionary-based or (last Sept) simply rotated through every userid
on the system.

What was different about the March 8 attacks (compared with similar
ones on March 1-2) is that the March 8 attacks targeted ONLY
accounts that had higher privilege levels (backup, admin). The
March 8 attacks did not waste any resources on accounts with lower
privilege levels.

Gordon

-----
Rob Neary wrote:
>
> Sorry to get in on this discussion late...
>
> There is one account on all WinNT/2K/XP systems which cannot be locked out.
> In the case of a stand-alone machine, it's "The" admin account (typically
> called Administrator), and in the case of a Domain Controller (or Active
> Directory) it's the FIRST Admin account on the FIRST box in the Domain (PDC)
> or the first Admin account on the first DC you promote to an AD DC. I've
> attached an image of what this looks like in AD, and you can look for a
> description of "Built-in account for administering the computer/domain".
>
> Once you've identified this account, if you don't know what the password is,
> you can use a mildly expensive tool to boot to a CD, mount your NTFS
> partition, and reset the appropriate registry key:
>
> http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp
>
> This tool will also let you list the accounts (in case you renamed it and/or
> don't know what it is called).
>
> Hope that helps - and if you're really in a pinch, let me know and I can help
> you with the ERD disc...
>
> Rob Neary
> Medical School Information Systems
> University of Michigan
> [log in to unmask]
>
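An added example, not part of Gordon's or Rob's message: the kind of log review Gordon describes above, written as a script over constructed sample lines. It assumes a simplified one-line export of NT/2K event 529 (logon failure: unknown user name or bad password) and uses the name hints "admin" and "backup" from the thread to tell a privileged-only run (the March 8 pattern) from a sweep through every userid or a dictionary attack on a single account. The line format, the thresholds and the sample data are assumptions made for the example.

```python
"""Classify a burst of Windows logon failures by the accounts it targets.

Added example, not code from the MSUNAG thread. Gordon's log review
separates three patterns: a dictionary attack against one account, a
sweep that rotates through every userid, and a run that hit only
privileged accounts (backup, admin). This script parses constructed log
lines in a simplified one-line export format and labels a window of
events with the pattern it most resembles. The line format, the
'admin'/'backup' name hints and the sample data are assumptions.
"""
import re
from collections import Counter

# Simplified export format assumed for the example: date time eventid text.
# 529 is the NT/2K "unknown user name or bad password" logon failure.
LINE_RE = re.compile(
    r"^(\S+ \S+) (\d+) Logon Failure: User Name: (\S+) Workstation: (\S+)$"
)
PRIVILEGED_HINTS = ("admin", "backup")  # account names Gordon saw targeted

# Constructed sample: the March 8 pattern, only privileged names tried.
# The final 538 (logoff) line is noise the parser must ignore.
PRIVILEGED_ONLY_LOG = """\
2002-03-08 02:11:03 529 Logon Failure: User Name: administrator Workstation: EXT1
2002-03-08 02:11:04 529 Logon Failure: User Name: backup Workstation: EXT1
2002-03-08 02:11:05 529 Logon Failure: User Name: Administrator Workstation: EXT1
2002-03-08 02:11:06 529 Logon Failure: User Name: backupadmin Workstation: EXT1
2002-03-08 02:11:07 529 Logon Failure: User Name: admin Workstation: EXT1
2002-03-08 02:11:08 538 Logoff: User Name: jsmith Workstation: WS17
"""

# Constructed sample: a sweep through ordinary userids, one guess each.
SWEEP_LOG = "\n".join(
    f"2002-03-01 23:{i:02d}:00 529 Logon Failure: User Name: {u} Workstation: EXT1"
    for i, u in enumerate(["jsmith", "akhan", "blee", "cdoe", "dmoore", "efox"])
)

# Constructed sample: repeated guesses against a single account.
DICTIONARY_LOG = "\n".join(
    f"2001-05-14 01:00:{i:02d} 529 Logon Failure: User Name: jsmith Workstation: EXT1"
    for i in range(12)
)


def is_privileged(user):
    """Name-based hint for the higher-privilege accounts Gordon describes."""
    u = user.lower()
    return any(hint in u for hint in PRIVILEGED_HINTS)


def parse_failures(text):
    """Return (timestamp, user, workstation) for each event 529 line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "529":
            # Fold case: NT account names are case-insensitive.
            events.append((m.group(1), m.group(3).lower(), m.group(4)))
    return events


def classify(events):
    """Label a window of failures; return (label, per-user Counter, share).

    share is the fraction of failures aimed at privileged-looking names.
    The thresholds are heuristics chosen for the example, not tuned values.
    """
    users = Counter(user for _, user, _ in events)
    total = sum(users.values())
    if total == 0:
        return "no-failures", users, 0.0
    priv = sum(n for u, n in users.items() if is_privileged(u))
    share = priv / total
    if len(users) == 1:
        label = "single-account-dictionary"   # many guesses, one target
    elif share == 1.0:
        label = "privileged-only"             # the March 8 pattern
    elif len(users) >= 5 and max(users.values()) <= 2:
        label = "userid-sweep"                # every account tried once or twice
    else:
        label = "mixed"
    return label, users, share


def classify_text(text):
    """Parse then classify a log export, returning only the label."""
    return classify(parse_failures(text))[0]


if __name__ == "__main__":
    for name, log in [("privileged-only sample", PRIVILEGED_ONLY_LOG),
                      ("sweep sample", SWEEP_LOG),
                      ("dictionary sample", DICTIONARY_LOG)]:
        label, users, share = classify(parse_failures(log))
        print(f"{name}: {label} (privileged share {share:.0%}) {dict(users)}")
```

The name-hint test is deliberately coarse; on a real server the privileged set would come from group membership (Administrators, Backup Operators) rather than from substrings, and the classification would be run per source workstation and per time window rather than over a whole export.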

