Microsoft ALTools suite - Installation and Usage methods

Written by Richard Thompson, Wednesday, 18 October 2006

Microsoft.com hosts a toolset called the Account Lockout and Management Tools set. This toolset consists of the following items:

AcctInfo.dll
ALockOut.dll
EventCombMT.exe
LockOutStatus.exe

This article will go through using these tools and show you some of the information which is not normally displayed.

For a start you will need to download the ALTools suite from the Microsoft website. I would recommend browsing to Microsoft.com and doing a search for ALTools. You should receive a few results; just make sure you go to the download link and not the support documents which merely mention the pack. Once you’ve downloaded the pack, execute it. An auto extractor will extract the files to a folder of your choosing. I will start with AcctInfo.dll and work my way through.

AcctInfo.dll

This DLL should be installed on an administrator's workstation in conjunction with the Microsoft Windows 2003 Adminpak. To start with, copy the AcctInfo.dll file from the extracted folder to %windir%\System32. Once the DLL is in the System32 directory you can execute the command:

regsvr32.exe AcctInfo.dll

This should return a message reporting that the DLL has been successfully registered. I would also recommend copying the LockOutStatus.exe file into the %windir%\System32 folder now. Doing this will allow you to fully utilize AcctInfo.dll.

Now launch Active Directory Users and Computers, browse through the structure for a specific user account and double-click the account. You will see an additional tab called Additional Account Info. This is thanks to the DLL you have just installed.

The great thing about this DLL is that it allows you to see when the user last changed their password, when their last logon event occurred, the number of times that the user has logged on, as well as the last bad logon. The additional information also lists the user's SID, which can be useful when trying to find a specific setting in the user's registry hive, etc.
I have found that since installing the DLL I use it pretty often, and for me it has been a great find.

ALockOut.dll

As a system administrator you no doubt will have set a policy on your domain which locks out user accounts after a given number of invalid logon attempts, leaving the user with a message saying that their account has been locked out. Occasionally you get accounts that get locked without the user entering a password or anything. Most often these events occur soon after a password reset, and most often it is because the user has saved a username and password somewhere; when they then try to access the resource, the saved credentials lock the account.

Normally your helpdesk will disconnect all their network drives, delete saved passwords in Windows and in Internet Explorer, and failing that will log a call for the System Administrator to investigate. This DLL gives you the opportunity to throw it back to the helpdesk or PC support teams and get them to do some work for once. I would say 9.99… times out of 10 the problem is client side, because as System Administrators we are constantly checking our systems for errors whereas desktops are just left to run. This DLL will output system activity to a log file, and you will be able to trace down invalid passwords, etc. which are entered and then rectify the error.

Within the ALTools suite you will find 2 versions of the application: one for Windows XP called ALockOutXP.zip and another called ALockOut.zip. To install the application, select the correct version based on the client OS. Extract the ALockOut.dll file to the %windir%\System32 directory. Once this is done, run the supplied registry file. This will merge the data from the reg file into the system's registry. All that remains is for the client machine to be rebooted and ALockOut.dll is activated.

This file does log a lot of junk, but you will quickly identify the cause of the lockouts.

To uninstall the DLL file you need to edit the system registry by running the regedit command.
Locate the following key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

Then delete the AppInit_DLLs value.

EventCombMT.exe

This is another application that you will install on your System Administrator's machine. Installation is very simple. Copy the file to the installation directory of your choice and make a shortcut to the exe. Done!

The application provides a quick and efficient way of searching through the event logs on selected domain controllers based on the criteria selected.

For example, I want to search all my domain controllers for events where the username RichardT has failed to log on. I launch EventCombMT.exe and type the correct domain name in the Domain field, in this case Test.domain.com. I then right-click in the Select to search block and select the appropriate options. In this example I want to search all domain controllers in the Test domain, so I select Get DC’s in domain. This setting is optional and may vary based on your domain configuration.
In most instances one of those 3 options will fit your requirements.

Now select the servers listed in the block which you would like to search. In this case searching the domain controllers will display my failed logon attempt, so I select my local domain controller.

Next select the log files to search. I know that this will be displayed in the Security log, so I select only Security. Just below is a field called Event Types. I know a failed logon will be a Failure Audit alert, so I select Failure Audit and deselect all other blocks.

Just below this you will see a field named Text. In this field I will type something to narrow down the search criteria. For this example I am searching for failed attempts made by RichardT, so I type the userid into the Text field. If you knew the exact event ID you could enter this in the Event ID’s field.

All in all these are very simple software products, but they will make your life a little easier. Use them or don’t use them, your choice.

Datacrash.net cannot be held liable for any damage caused to your system as a result of editing the system registry.
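
For the ALockOut.dll uninstall step, an added example (not part of the ALTools package or the original article) that removes only the ALockOut.dll entry from AppInit_DLLs, since deleting the whole value also drops any other DLL listed there. The sample string and the vendor DLL path in it are constructed; the live-registry part needs an elevated prompt on the client.

```powershell
# Added example: remove only ALockOut.dll from AppInit_DLLs and keep
# any other DLLs already listed in that value.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$name = 'AppInit_DLLs'

function Remove-AppInitEntry {
    param([string]$Current, [string]$DllName)
    # AppInit_DLLs is a space- or comma-delimited list of DLL names or paths.
    $kept = @($Current -split '[ ,]+' |
        Where-Object { $_ -and ((Split-Path $_ -Leaf) -ine $DllName) })
    return ($kept -join ' ')
}

# Constructed sample: a hypothetical vendor DLL listed beside ALockOut.dll.
$sample = 'C:\PROGRA~1\Vendor\hook.dll, ALockOut.dll'
"Sample before: $sample"
"Sample after : $(Remove-AppInitEntry -Current $sample -DllName 'ALockOut.dll')"

# Apply the same edit to the live registry value.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    "No $name value present; nothing to do."
} elseif ($current -notmatch 'ALockOut\.dll') {
    "ALockOut.dll is not listed in $name; value left unchanged: '$current'"
} else {
    $new = Remove-AppInitEntry -Current $current -DllName 'ALockOut.dll'
    # Print the old value first so the change can be reverted by hand.
    "Previous $name value: '$current'"
    Set-ItemProperty -Path $key -Name $name -Value $new
    "New $name value: '$new'"
}
```

Processes that were already running keep the DLL loaded until they restart, so reboot the client afterwards.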
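
The EventCombMT search walked through above (Security log, Failure Audit, text match on the user id) expressed as a PowerShell script; this is an added example, not part of the original article, and it assumes a Windows version that ships Get-WinEvent and an account allowed to read the Security log. The function name and its parameters are illustrative; it defaults to the local machine, so pass your own domain controller names in -Servers.

```powershell
# Added example: the walkthrough's EventCombMT criteria as a script.
function Search-FailureAudit {
    param(
        [string[]]$Servers = @($env:COMPUTERNAME),  # defaults to the local machine
        [string]$Text = 'RichardT',                 # the article's example user id
        [int]$MaxEvents = 5000                      # newest N failure audits per server
    )
    # Keywords bit 0x10000000000000 marks "Audit Failure" records.
    $filter = @{ LogName = 'Security'; Keywords = 4503599627370496 }
    $pattern = [regex]::Escape($Text)
    foreach ($server in $Servers) {
        try {
            Get-WinEvent -ComputerName $server -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
                Where-Object { $_.Message -match $pattern } |
                ForEach-Object {
                    [pscustomobject]@{
                        Server  = $server
                        Time    = $_.TimeCreated
                        EventId = $_.Id
                        Summary = ($_.Message -split "`r?`n")[0]
                    }
                }
        } catch {
            # Covers "no matching events" as well as access or connectivity errors.
            Write-Warning "$server : $($_.Exception.Message)"
        }
    }
}

$hits = @(Search-FailureAudit)
$hits | Sort-Object Time | Format-Table -AutoSize

# Which failure events dominate on each server.
$hits | Group-Object Server, EventId | Select-Object Count, Name
```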

