Security Basics mailing list archives
Re: Account Lockout
From: Peter Rodger <prodger2008 () yahoo com>
Date: Tue, 19 Oct 2004 11:53:16 -0700 (PDT)
Thanks for your reply. The problem resides in my environment. We cannot use domain admin account as these group work in other clients' office and they are not in my domain. They need to unlock one share local user account (local computer, not domain user account) in case the account is locked out. But, they are only power users. Can they (power user) unlock this local user account (on each local computer)?

Thanks,
Peter

--- Kirk Schafer <infosec-capital () rainswept com> wrote:

Peter,

Power Users probably isn't the way to go. Further, "cusrmgr" is typically used to reset administrator accounts. If making PU's work this way / breaking administrator is your specific goal, this reply won't help you.

That said, here are some thoughts on unlocking a user:

Normally, you unlock by using the local administrator, which cannot be locked out or deleted, but can be renamed.

If by "local user" you mean you're on a network, "domain admins" (etc) may be a member of local computer admins. Thus, all that would be necessary is to add a temporary administrator to the domain admins, and login locally.

If you are using Windows XP, you may try Ctrl-Alt-Delete on the welcome screen to obtain the administrator login. I forget how this works on Home edition, but regardless, I do believe the "administrator" account always shows as a possible login if you start in safe mode.

Account lockouts are frequently not permanent (up to 70 days unless it's set to 0-requires admin). Simply waiting a certain amount of time automatically unlocks the account in question.

Failing this, there are utilities that allow you to create remote null sessions and view groups and users. This is helpful if the account was renamed or there are other admins. A simple tool is SuperScan4 by Foundstone (http://www.foundstone.com), but won't help through firewalls.

Expert options available to you include resetting the account outside of the OS, recreating the SAM, and other dirty tricks you can find with just a bit of Googling.

Best,
Kirk

Peter Rodger wrote:

Hi, all

Can power user unlock the local user account? I tried cusrmgr utility to write bat file but it still needs local admin rights. Does anybody know how to make power user to unlock the local user account?

Thanks,
Peter

--
Kirk Schafer
Infosec Capital - Your Information Security Asset
308 East Broadway Ave, PO Box 1851
Fairfield, IA 52556
641-919-1783 (mobile)
http://www.infosec-capital.com
Current thread:
- Account Lockout Peter Rodger (Oct 18)
- <Possible follow-ups>
- RE: Account Lockout Dubber, Drew B (Oct 19)
- Re: Account Lockout Peter Rodger (Oct 20)
- Re: Account Lockout Kirk Schafer (Oct 20)
