RE: Locked out local admin accounts...

["Dinis Cruz" <dinis () ddplus net>]

RSoP = Result Set of Policy
GPMC = Group Policy Management Console (see
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-
9272-dd3cbfc81887&displaylang=en)

Man, if you are managing a Windows domain without the GPMC you are MAD! 

The GPMC is one of the best tools that Microsoft has produced in a long time
and it has been a life saviour in all AD projects that I have participated.

You will need 1 windows XP computer (or Virtual PC) to install it since it
doesn't work on windows 2000 (but don't worry, it will work perfectly with a
windows 2000 domain).

If you don't have windows XP in your environment BUY ONE licence. Just the
use that you will get from the GPMC will make it worth it (buy a laptop that
comes with it installed).

Just to make sure that you are convinced; here is what you can do with the
GPMC that you cannot do (easily or at all) with windows 2000 tools:

 - Map in a nice tree all GPOs that exist and where they are applied
 - Create nice reports with individual GPO settings
 - Create nice reports with the GPOs (both machine and user) that are
applied to a particular computer or server
 - troubleshoot GPOs issues
 - Simulate what would happen if a GPO where applied in a particular OU
 - BACKUP all your GPOs
 - BACKUP individual GPOs
 - RESTORE all GPOs
 - RESTORE individual GPOs
 - easily import/export GPOs from one domain to another (for example from a
'test environment' to a 'live environment')
 - Script all of the above!

Hope this helps

Best regards

Dinis Cruz
.Net Security Consultant
DDPlus

> -----Original Message-----
> From: Ryan Murphy [mailto:RMurphy () irvinecompany com]
> Sent: 12 August 2004 23:24
> To: 'Dinis Cruz'
> Subject: RE: Locked out local admin accounts...
>
> I'm sorry. I don't know all those acronyms. GPO = Group Policy ?
>
> RSoP = ?
> GPMC = ?
>
> We don't have any XP computers in our environment, so I'm not sure I'll be
> able to use the GPMC. It's also intersting that the local admin accounts
> aren't getting locked on all machines, only select ones, albeit in large
> numbers.
>
> Thanks for your help,
>
> Ryan
>
> -----Original Message-----
> From: Dinis Cruz [mailto:dinis () ddplus net]
> Sent: Thursday, August 12, 2004 4:04 PM
> To: 'Ryan Murphy'; security-basics () securityfocus com
> Subject: RE: Locked out local admin accounts...
>
>
> That sounds like a GPO problem since there is one setting which disables
> the
> local administrator account.
>
> Do some RSoP analysis on the affected computers using the GPMC (you will
> need a XP box to run it)
>
> Dinis
>
> > -----Original Message-----
> > From: Ryan Murphy [mailto:RMurphy () irvinecompany com]
> > Sent: 11 August 2004 22:22
> > To: 'security-basics () securityfocus com'
> > Subject: Locked out local admin accounts...
> >
> > In our environment today, local administrator accounts on workstations
> and
> > servers have been getting locked out at an alarming rate. Nothing crazy
> is
> > standing out on the IDS, and the security logs on the machines that are
> > having the administrator account locked out aren't showing any login
> > attempts. What could be going on here? We're a Win2000 environment, and
> > domain accounts seem to be unaffected, it's only the local administrator
> > accounts that are getting locked.
> >
> > This is very bizarre.
> >
> > Thanks for your help,
> >
> > Ryan Murphy
> >
> >
> >
> > =============================
> > Notice to recipient:  This e-mail is meant for only the intended
> recipient
> > of the transmission, and may be a confidential communication or a
> > communication privileged by law.  If you received this e-mail in error,
> > any
> > review, use, dissemination, distribution, or copying of this e-mail is
> > strictly prohibited.  Please notify us immediately of the error by
> return
> > e-mail and please delete this message from your system.  Thank you in
> > advance for your cooperation.
> >
> > ------------------------------------------------------------------------
> --
> > -
> > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
> off
> > any course! All of our class sizes are guaranteed to be 10 students or
> > less
> > to facilitate one-on-one interaction with one of our expert instructors.
> > Attend a course taught by an expert instructor with years of in-the-
> field
> > pen testing experience in our state of the art hacking lab. Master the
> > skills
> > of an Ethical Hacker to better assess the security of your organization.
> > Visit us at:
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ------------------------------------------------------------------------
> --
> > --
>
>
>
>
> =============================
> Notice to recipient:  This e-mail is meant for only the intended recipient
> of the transmission, and may be a confidential communication or a
> communication privileged by law.  If you received this e-mail in error,
> any
> review, use, dissemination, distribution, or copying of this e-mail is
> strictly prohibited.  Please notify us immediately of the error by return
> e-mail and please delete this message from your system.  Thank you in
> advance for your cooperation.



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------