hello hi everybody so just waiting to
see if this is streaming okay and my
dogs are trying to break down the door
because I locked them out because they
like the bark it well just about
anything all right yeah these step on
the screen call so today we're gonna
talk about well kind of two things but
they're related so we're gonna talk
about the unlock a t-account command lit
and PowerShell but to do that we're
gonna have to set out or lock out a
policy in our domain so that would be
the first thing we do is actually set
the policy typically it's not
recommended to mess too much with the
default domain policy within your domain
but I think that's what we're gonna do
because this isn't a real domain so so
normally what you would do is let's
first open the group policy so go to our
domain controller and I'm on DC to again
and I'm just gonna open up our group
policy so normally I would actually
recommend creating a new policy and
calling it your account policy or
whatever but for laziness I am going to
so you can actually see the settings
here so for laziness I'm gonna just use
the default domain but I want my
girlfriend's in here too so as you can
see it right now it's set for 0 invalid
logon attempts which means it's
basically set not to lock out so we're
gonna set it for 3 and so we'll go ahead
and do that I'll just right click here
and go edit and I have to follow it down
so computer configuration is there
policies right window settings just the
next thing security settings which is
right here and then account policies I
think it's this one and then the
password policy
and Oh
Paulo wasn't how the policy was actually
a count of lockout policy in my bed
sorry
so we're gonna go ahead and set this for
three though I probably said it a little
higher than a real domain I've been in
environments where they said it for
three and that's really easy to do so
they've gone ahead and said it so this
automatically sets it to account lockout
duration so you get three bad attempts
and then if you and then it'll
automatically unlock the account after
thirty minutes and reset the account
after and reset the counter after thirty
minutes so after the last logon bad
logon attempt within that thirty minutes
is when it'll or when it'll start that
30-minute timer so anyways I'm gonna
click OK here and now only do is go back
to our hyper-v and we'll start up the
Windows 10 Enterprise machine and while
that's booting up we'll go back to our
domain controller and we need to find a
user that we can lock out that isn't
locked out let's go find that so let's
just go to type directory here so we'll
go to a doc active directory
[Music]
active type today
all right so we need a user and doesn't
really matter which one I'm not gonna
use the domain admins as an example
because I don't want to loops there are
people actually cuz I don't want to but
I just want something easy to spell this
looks pretty easy to spell key oh sure
so that looks like a good account so
what I'm gonna do is actually just do it
ctrl R and then so I just have it there
and let's see is this don't I started
this up I guess I didn't so let's wait
for the windows 10 machine so what's
gonna happen is we're gonna should be
able to and actually that's a good time
so we'll make sure that a keyed out here
isn't locked out
because we do it kind of fast actually
so let's just do a quick look at get
eighty user will do it key oh sure right
so they're enabled so that's good and
and if we actually look at the account
double click here and we can see that
the account is not locked out if it's
locked out and you'll see in here in a
minute there'll be a lot more text so
we'll just leave it at that so let's
cancel Okita there let's try logging
into our pain here I'm sure that looks
good I just get that up so I can see it
and we're gonna say other user I don't
know if I can paste that in nope hey Kay
oh Sh doesn't matter I'm just typing
some gibberish in here oh and we're
gonna do it again this will be the
second bad password and then the third
and then I think we put it in again we
should say locked out nope doesn't tell
me like that alright well let's look and
see if if the accounts locked out it
should be so key assure is not locked
out
hmm what's that password let's just take
another quick look I'm gonna connect it
up DC one just to make sure
[Music]
let's just did that's why actually be
faster find Nate we go dig unless we
just weren't quite connected the domain
yet let's try it a couple more times so
we out there goes the one locked out I
get betting the first lock on our to was
not maybe the computer was not connected
to the network now we should see in DC
to hear let's do a quick fine just to
refresh yep there it is
so I think either the policy hadn't
fully come down or I just went too fast
cause it may not a replicated between
both domain controllers anyways you can
see that computers now or that accounts
now locked out so if I just do an unlock
so we'll do an unlock yeah that is
enough to unlock the account so I'm just
gonna do a fine now to do it and then
yep so now it's not locked again so now
we just have the normal text so that's
that's basically how the unlock eighty
it's pretty I don't know what properties
let's see what properties are here
what if confirm off type credential
identity partition nothing nothing that
interesting is here so I did run into
this one time where I had a executive
who this was at a previous job not the
printer job but in my last job and
basically they had just changed their
password and then went out business trip
but they forgot to changed on I think it
was an iPad or something back at their
house and they weren't married they
didn't have anybody that you'd get to
the house and sort of either shut the
device off or or whatever so what
happened was every time that device
tried to check in for email or whatever
kept lock in their account and it was
doing it like every five or ten minutes
so you know this executive was across
the country couldn't deal with that so
what we ended up doing was I ran a a
while script on our server and Rand
every 5 or 10 seconds I liked that so
basically I did a while so first one I
did was I said X is equal to zero and
then we did a while let's say X is not
equal to zero are not equal to 1 try
that again hit the arrow button so while
little brackets and then X is not equal
to 1 and do this and then what I did was
I ran come on
I ran the unlock - a t-account and then
in this case we'll just do this a cure
person pretending that's them and what
that was doing was and actually what I
did was then I did to the other things
so that I put a sleep good Margaret
that's run like every second sleep well
actually it's just technically a start
sleep every 10 seconds and I just did a
and then I did a write that post and
then I just said and then I just
actually just did a just do it get paid
here and that way we know that at least
we're in Germany so I think that's it
it's not if you can see all that we just
can't extend the screen a little bit
there we go so in theory I think that
we'll write out the date every ten
seconds let's see if it does it and then
I'm gonna there yeah so if we wait so
it's four thirty four or fifteen and
then another so the next one should be
25 and that way I could at least see
that the yeah so it's running every 10
seconds so just to prove it there's five
and then we have another ten seconds
should be 35 and so with that running
was let's go ahead and try to walk out
this account but I think it's gonna be
in here impossible where's our Windows
10 machine so connect just so I can get
their name again
so other user AI que dou Shi bar ZBrush
2 3
so yeah it's it's almost impossible to
lock this out and while this was running
and again this isn't like safety and
security why this isn't great sometimes
sometimes politics Trump security
usually and common sense you know
executives always Trump common sense so
anyways that's a quick little dirty
script if you ever need to get out of a
bind with your executive and just a
quick show out how the unlock works oh
so theoretically this should not be
locked because it runs every that's a
lot and should be unlocked here in a
second wait for it to go again oh there
we go think I accidentally pause the
script there we go
yep so every time that runs is just
gonna clear it so that's that's
basically the gist of this so it's a
little different I'll go ahead and put
this little piece here and I'll replace
the secure person with just a dollar
with the dollar user so I'll put that in
the notes that way you guys can copy it
out if you ever get in the bind like
that it is worth running you know
sometimes it's just about getting them
off your back and and the other part of
that was once they got back into town
then they forgot they even had their
their iPad was still doing the thing but
I decided we'll follow up with them and
then remind remind them it was like oh
yeah yeah let me make me look at that
and oh you know you know those people
are interesting to deal with it the
least anyways and then you can just do a
simple control see a couple times and
that'll break the break it anyways I hit
a pause that's I think I accidentally
pause the script so that's why you get
these times get a little weird but it
doesn't matter you know it's again it's
running every 10 seconds or so
so anyways hope you guys had a good
weekend and
until next time bye