
All domain admin accounts locked out




    I should prefix this post by noting that I fully accept I’m a moron, and apologise in advance for my sheer ineptitude, but I’d be extremely grateful for any advice.

    Basically, the scenario is that both domain admin accounts on my small domain have been locked out/had their passwords reset, and my question is, will any of the utilities/methods for resetting the password via DSRM also *unlock* the account, if that is indeed its state?

    The background to this is rather embarrassing. I’ve been trying to add an Ubuntu server as an AD member server using SADMS. For those unfamiliar with the SADMS tool, it allows SSO between Windows AD boxes and Linux machines (i.e. it creates computer accounts on the domain for Linux machines, and allows AD users to sign on to Linux machines as they would on any other machine).

    What I believe has happened is that when I tried to add the computer account using the domain’s administrator account, authentication failed enough times to lock out the account, so I used my user account (which, despite all the recommendations to the contrary, is also a domain admin account). The domain membership request succeeded (i.e. a computer account was created on the domain for the Linux machine, and I was able to log on to the box using an AD account). However, at some stage after this, Samba, or Winbind, or some other Linux tool has repeatedly tried to log on using my domain admin account, and it has triggered the AD lock account GPO for unsuccessful logins.

    Interestingly, when I try to log on to the machine, it doesn’t tell me that the account is locked out; it warns that the username/password was not recognised; the usual dialog you get when you try to log on with invalid credentials or when the account is not recognised on the domain. I’d have thought if the account was *locked* it would tell me that, rather than using a vague error message though.

    Regardless, I can boot into DSRM as the local administrator, and I’m happy to give one of the password reset tools a go, but my question is, if the account is locked, will using one of the tools also unlock the account, or just change the password? Or does the act of changing the password also *unlock* the account?

    Any advice gratefully received. I appreciate completely how stupid of me it was to try this without having an account dedicated for recovery from this sort of situation, but well, you live and learn.


