RE: Locked out users

From: Colin Stefani (cstefani@tideworks.com)
Date: 09/14/01


Message-ID: <DBC363EA37C5D311823A00508BCF2A6A07276F5D@seamail.ssofa.com>
From: Colin Stefani <cstefani@tideworks.com>
To: 'Erik Birkholz' <erik@foundstone.com>, "'Thor@HammerofGod.com'" <Thor@HammerofGod.com>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Subject: RE: Locked out users
Date: Thu, 13 Sep 2001 15:01:43 -0700

Ok, ok, I know, now I feel like a total TOOL!! I apologize everyone for
setting off all the alarms, my mailbox filled up too (stupid, stupid,
stupid)...It's not really my day (or week). My mind isn't really working
(but who's is these days).

Anyway, I'm glad to see that everyone's virus scanners are working, and
could this possibly a way to discover interesting information about peoples
Exchange sites? Hmmmmm.....

Anyway, I posted the script on my personal site which is here:

http://www.seanet.com/~silversurf/downloads/lockchk.zip

ADSI can be downloaded from here for those who need it:

http://www.microsoft.com/ntworkstation/downloads/Other/ADSI25.asp

WSH (recent versions) can be had here:

http://www.microsoft.com/msdownload/vbscript/scripting.asp

That should do it.

Colin

-----Original Message-----
From: Erik Birkholz [mailto:erik@foundstone.com]
Sent: Thursday, September 13, 2001 2:51 PM
To: 'Colin Stefani'; 'Thor@HammerofGod.com'; 'focus-ms@securityfocus.com'
Subject: RE: Locked out users

This is SO funny! Nice work Colin ;)

Every anti-virus software replied I got like 43 emails.

They all give up cool data. check these out.... random selections!

Erik B

**
The message, "RE: Locked out users", was
sent from Colin Stefani and was discovered in IMC Queues\Inbound
located at Distrivision/NORTHAMERICA/C1PLENAEXI02.
**
The message, "Locked out users", was
sent from Colin Stefani and was discovered in Chris Davis\Inbox
located at ComputerJobs.Com/CORPORATE/EXCHANGE1.
**
The message, "RE: Locked out users", was
sent from Colin Stefani and was discovered in IMC Queues\Inbound
located at Ecom/Dallas/DOROTHY.
**
The message, "RE: Locked out users", was
sent from Colin Stefani and was discovered in IMC Queues\Inbound
located at LOGISOFT/ROC1/LGST-ROC1-EXCH1.
**
The message, "Locked out users", was
sent from Colin Stefani and was discovered in Björn Patrick
Swift\Inbox\Mailing Lists\Focus-MS
located at Mail/LAUGARVEGUR_26/EXCHANGE
**
For information on how to receive the
file please contact the Client Service Center, x5555.the following files
could not be deleted:
**
he message, "RE: Locked out users", was
sent from Colin Stefani and was discovered in IMC Queues\Inbound
located at SYNTEGRA/SYNTEGRAUK/FL-EXCHANGE-01.
**

-----Original Message-----
From: Colin Stefani [mailto:cstefani@tideworks.com]
Sent: Thursday, September 13, 2001 2:25 PM
To: 'Thor@HammerofGod.com'; 'erik@foundstone.com'; 'ahbh99@yahoo.com';
'focus-ms@securityfocus.com'
Subject: RE: Locked out users

Sorry forgot the script (stupid send button :-):

It is attached in ZIP file.

-colin

-----Original Message-----
From: Colin Stefani
Sent: Thursday, September 13, 2001 2:23 PM
To: 'Thor@HammerofGod.com'; erik@foundstone.com; ahbh99@yahoo.com;
focus-ms@securityfocus.com
Subject: RE: Locked out users

Funny thing is that I am working on a migration from NT to 2k and I wrote
some scripts to monitor things, so here's a VBScript using adsi (run it from
2k (pro or server, doesn't matter) for best results, I haven't tested it on
NT):

Run it like so:

C:\<path to script>\> Cscript wholocked.vbs <computer or domain name>

-colin

-----------------------
script:

-----Original Message-----
From: Thor@HammerofGod.com [mailto:Thor@HammerofGod.com]
Sent: Thursday, September 13, 2001 11:57 AM
To: erik@foundstone.com; ahbh99@yahoo.com; focus-ms@securityfocus.com
Subject: Re: Locked out users

UserDump, available at www.hammerofgod.com, will dump all users, with all
attributes, including account status. You would have to redirect to a text
file and search for "account locked out", but it would certainly work.

I'm *sure* Erik meant to mention that one in his email as well... :)

AD

----- Original Message -----
From: "Erik Birkholz" <erik@foundstone.com>
To: "'haji din'" <ahbh99@yahoo.com>; <focus-ms@securityfocus.com>
Sent: Thursday, September 13, 2001 9:32 AM
Subject: RE: Locked out users

> www.somarsoft.com
>
> DumpSec, User report
>
>
>
> -----Original Message-----
> From: haji din [mailto:ahbh99@yahoo.com]
> Sent: Wednesday, September 12, 2001 8:18 PM
> To: focus-ms@securityfocus.com
> Subject: Locked out users
>
>
> Hi lists,
>
> Is there a tool or command line that lists "account
> locked out" like rasusers.exe which lists remote
> access users on Nt Server 4.0.
>
> Thanks.
>
> __________________________________________________
> Terrorist Attacks on U.S. - How can you help?
> Donate cash, emergency relief information
> http://dailynews.yahoo.com/fc/US/Emergency_Information/