This happened as an accident in our sandbox environment so no harm was done. I can also always just delete everything and install anew. But I take it as a learning opportunity, so I wonder if anyone knows a way out of this...
I am up for any kind of witchery. :)
We have two DCs in our AD domain domain.tld and we use the LDAP interface to manage accounts in the directory tree. By accident, we ran a batch job from an external application that took every object in the AD resembling a user and set its userAccountControl to 514 (locked).
The LDAP base for operation was dc=domain,dc=tld with subtree scope -> effectively: every object in the AD.
I suspect (do not know for sure) the filter for recognizing objects was objectclass=person.
The operation was run under Administrator user.
The first problem we discovered was that logging in as Administrator no longer worked. No wonder here, the account was blocked.
I booted into safe mode, ran net user Administrator /active:yes to unlock the account and rebooted.
(On the second try, I also added net user Administrator * and set a new password. This did not make a difference in what happened next.)
On the login screen, when I tried to log in as Administrator, I logged in with the correct password. The system asked for a new password and it seems it successfully changed it.
Upon the next login attempt (with the freshly-set password), this message pops up: The security database on the server does not have a computer account for this workstation trust.
However, when the password is incorrect, the system rightly complains that Username or password is invalid (or whatever the message is). When I provide the correct password, I face The security database on the server does not have a computer account for this workstation trust.
I also found some other admin account that was in the AD and results are the same, so this does not affect only the Administrator.
I suspect this has something to do with computer entry of the DC inside the directory tree. If this entry is also locked with userAccountControl=514... is that possible?
Or could it be something else?
How to diagnose and recover?
Win 2k12 R2, Active Directory with Certificate Services. Clean install with defaults, no GPOs or whatnot.
(Also, no backups available because sandbox. Only thing I have is a virtual machine snapshot of the broken domain, working safe mode, and installation DVD of Windows.)
Thanks for the ideas. :))
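Added example, not part of the original question or of any tool the poster used: a small offline Python script that shows why a subtree search with filter objectClass=person also returns computer objects (in the AD schema, computer inherits from user, which inherits from organizationalPerson and person), what the value 514 means when it is written onto a computer object, and what the LDAP filters for the triage and for a correctly scoped batch job look like. The directory entries are constructed sample data (DN names, the DC name DC01 and the schema paths are assumptions); nothing here talks to a live directory. The flag values are the documented userAccountControl bits; the default values 4096 (member computer) and 532480 (domain controller) are the documented defaults.

```python
"""Decode userAccountControl and show how an objectClass=person filter
catches computer (trust) accounts. Added example with constructed data;
it performs no LDAP operations."""

# Documented userAccountControl bit flags (subset).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
}
TRUST_BITS = WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match used by AD.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list[str]:
    """Return the names of the flags set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def is_disabled(value: int) -> bool:
    return bool(value & ACCOUNTDISABLE)


def disabled_objects_filter() -> str:
    """Filter that lists every person-derived object with the disable bit set
    (bitwise AND match, so it also finds computer objects written with 514)."""
    return f"(&(objectClass=person)(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=2))"


def user_only_filter() -> str:
    """The filter the batch job should have used: objectCategory=person is
    the category of user objects; computer objects carry objectCategory=computer."""
    return "(&(objectCategory=person)(objectClass=user))"


def repaired_uac(damaged: int, object_category: str, is_domain_controller: bool = False) -> int:
    """Value to write back: clear the disable bit and, for a computer object,
    replace NORMAL_ACCOUNT with the trust flag of its role (default values)."""
    value = damaged & ~ACCOUNTDISABLE
    if object_category.lower() == "computer":
        value &= ~NORMAL_ACCOUNT
        if is_domain_controller:
            value |= SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION  # default 532480
        else:
            value |= WORKSTATION_TRUST_ACCOUNT  # default 4096
    return value


def category_name(entry: dict) -> str:
    """First RDN value of objectCategory, e.g. 'Computer' or 'Person'."""
    return entry["objectCategory"].split(",", 1)[0].split("=", 1)[1]


def triage(entries: list[dict]) -> list[dict]:
    """Classify search results the way an operator would after the incident."""
    rows = []
    for e in entries:
        uac = e.get("userAccountControl")
        cat = category_name(e)
        rows.append({
            "dn": e["dn"],
            "category": cat,
            "matched_by_person_filter": "person" in e["objectClass"],
            "disabled": uac is not None and is_disabled(uac),
            # A computer object with no trust bit is no longer a trust account.
            "lost_trust_flags": cat.lower() == "computer" and uac is not None and not (uac & TRUST_BITS),
            "flags": decode_uac(uac) if uac is not None else [],
        })
    return rows


# Constructed sample of what a subtree search under dc=domain,dc=tld returned
# after the batch job (names and schema paths are assumptions).
SCHEMA = "CN=Schema,CN=Configuration,DC=domain,DC=tld"
SAMPLE_ENTRIES = [
    {"dn": "CN=Administrator,CN=Users,DC=domain,DC=tld",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": f"CN=Person,{SCHEMA}", "userAccountControl": 514},
    {"dn": "CN=DC01,OU=Domain Controllers,DC=domain,DC=tld",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": f"CN=Computer,{SCHEMA}", "userAccountControl": 514},
    {"dn": "CN=Domain Admins,CN=Users,DC=domain,DC=tld",
     "objectClass": ["top", "group"],
     "objectCategory": f"CN=Group,{SCHEMA}", "userAccountControl": None},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ENTRIES):
        print(row)
    print("triage filter:", disabled_objects_filter())
    print("safe batch filter:", user_only_filter())
    print("DC01 repaired value:", repaired_uac(514, "Computer", is_domain_controller=True))
```

Running it shows the group object is untouched (no userAccountControl at all), while both the Administrator user and the DC01 computer object were matched by objectClass=person and now carry ACCOUNTDISABLE plus NORMAL_ACCOUNT; for DC01 that means the SERVER_TRUST_ACCOUNT bit is gone, which is the condition the triage flags as lost_trust_flags. The repaired value for a DC is the documented default 532480; whether that alone is enough to recover the domain on the poster's snapshot is not something this script can tell, it only makes the damage visible.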