Asukas Blog
Two weeks ago today, I was away from HOL. My colleague called me and said that many users in the organization had reported that their accounts were locked. By design, an account in AD is locked after three wrong inputs. Some users had occasionally reported a locked account before, but this time accounts were being locked on a large scale, so I thought there must be a problem.
When I came back, I looked at the logs. There were a lot of log entries, that is, password guessing, and I suspected a hacker attack. I then unplugged the optical fiber of the CIDR block that was the main source of the errors. As a result, the 675 log entries stopped appearing and the accounts were automatically unlocked, so it was probably a worm.
I searched the internet and found a worm called Downadup. This worm has a better-known name: Conficker.
Microsoft also released a special page on this worm yesterday.
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
Once the cause was known, the next steps were very simple. I handed them to the network administrators of the various departments:
1. Install the latest patch on every machine on the network, with none left out.
2. Use Symantec's dedicated removal tool. Symantec engineers informed me yesterday that a new version was released.
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
3. Update Symantec SAV on the enterprise clients to the latest version, with no client on the network left out. In fact, it is updated automatically in normal times, but some clients still have problems.
4. Enable the USB flash drive feature of 360 Security Guard.
Now the worm is basically under control.
Then I thought of a white paper about AD account lockout, which I had never read before:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8C8E0D90-A13B-4977-A4FC-3E2B67E3748E&displaylang=en
It describes the various error logs and finally recommends several small Microsoft tools for troubleshooting AD account lockouts.
I have summarized it as follows:
First, enable auditing in Group Policy: Account Logon Events. If you need to view the events on the DC, edit the DC policy.
Log analysis
675: Incorrect password
672: Incorrect user name
644: Account locked (note that the event type is Success)
671: Account unlocked
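The event IDs above are enough to repeat, in code, what was done by hand in this incident: find the network block the bad-password attempts come from and see which accounts are still locked. The following Python is an added example, not part of the original post or the white paper; the four-column export layout, the sample rows and the `analyze` function are constructed assumptions.

```python
import csv
import ipaddress
from collections import defaultdict

# Event IDs as summarized on this page.
BAD_PASSWORD, BAD_USERNAME, LOCKED, UNLOCKED = 675, 672, 644, 671

# Constructed sample export; the column layout (time,event_id,account,source_ip)
# is an assumption, not the output format of any particular tool.
SAMPLE = """\
2009-01-20T09:00:01,675,alice,10.1.5.23
2009-01-20T09:00:02,675,bob,10.1.5.23
2009-01-20T09:00:02,675,carol,10.1.5.77
2009-01-20T09:00:03,675,alice,10.1.5.23
2009-01-20T09:00:04,675,alice,10.1.5.77
2009-01-20T09:00:04,644,alice,
2009-01-20T09:00:05,672,nosuchuser,10.1.5.23
2009-01-20T09:03:10,675,dave,10.2.9.14
2009-01-20T09:05:00,644,bob,
2009-01-20T09:30:00,671,bob,
"""

def analyze(text, prefix=24, min_accounts=3):
    """Return (suspect_subnets, still_locked) from chronological event rows."""
    failures = defaultdict(int)      # subnet -> failed logon count
    targets = defaultdict(set)       # subnet -> distinct accounts tried
    locked = set()
    for row in csv.reader(text.splitlines()):
        if len(row) != 4 or not row[1].isdigit():
            continue                 # skip malformed rows
        event_id, account, source = int(row[1]), row[2].lower(), row[3]
        if event_id in (BAD_PASSWORD, BAD_USERNAME) and source:
            try:
                net = ipaddress.ip_network(f"{source}/{prefix}", strict=False)
            except ValueError:
                continue             # source is not an IP address
            failures[str(net)] += 1
            targets[str(net)].add(account)
        elif event_id == LOCKED:
            locked.add(account)
        elif event_id == UNLOCKED:
            locked.discard(account)
    # One user mistyping hits one account; a worm guessing passwords hits many.
    suspects = {n: (failures[n], len(targets[n])) for n in failures
                if len(targets[n]) >= min_accounts}
    return suspects, sorted(locked)

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Each suspect subnet maps to a pair of failure count and number of distinct accounts tried, which separates a single user's typos from worm-style guessing across many accounts.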
2. Tools
LockoutStatus.exe: Quickly look up user account status in AD
ALockout.dll: Analyze which process causes the account to be locked
ALoInfo.exe: View the account status on a computer
AcctInfo.dll: Extends the property tabs to show the account status
EventCombMT.exe: Collects various logs from computers in AD
I also found an article that applies these tools together:
Diagnose the cause of Account Lockout
http://hi.baidu.com/hnwyh520/blog/item/83296788b6563292a4c272b8.html
Finally, I remembered that while we were solving the problem, my colleague asked me what to do if the password of the AD administrator is forgotten. I said I could use a tool to restore it: a WinPE-based password recovery tool developed by my brother Luo.
http://www.mcse.org.cn/showtopic-9738.html