We had an instance yesterday where approximately 130 of our well over 5,000 user objects suddenly became corrupted. Every attribute you can possibly set, with the exception of sAMAccountName and cn, was wiped clean, including their passwords, despite policy forbidding anything less than 8 characters. The modified timestamps were all seconds apart from one another. Their accounts were also disabled, I suspect because of the blanking of the password. When we went to re-enable the accounts, we would get an error saying the password did not meet requirements. So we had to reset all of their passwords. The accounts were also unlinked from their Exchange mailboxes and we had to re-connect them. Even all of their group memberships were removed.
Something odd we noticed is that all of them were, when sorted alphabetically by cn, among the first one to three users within their OU container. Beyond that, no patterns were noticed.
Initially, I thought this might have been caused by someone writing a script and screwing up. But the fact that the passwords were set to blanks leads me to believe that couldn't have been done via a script.
Unfortunately, for reasons I won't go into we did not have auditing turned on.
Has anyone seen this before? Do you know what might have caused it?
This sounds like someone or something deleted the accounts, and then restored them. (Picture an admin saying "oh shit" - we've all been there.) This is the same kind of behavior you'd see when you restore/reanimate objects that have been deleted, back in the old days before the AD Recycle Bin. The object is restored with a blanked password and is disabled as a result, and most of the attributes and group memberships are lost.
Check Security event logs on your DCs if you have auditing enabled. If you don't, check repadmin /showobjmeta.
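One way to run the replication-metadata check the answer suggests across all affected accounts at once, as an added example that is not part of the original thread. It uses the ActiveDirectory module's Get-ADReplicationAttributeMetadata (the PowerShell equivalent of repadmin /showobjmeta); the DC name and the list of sAMAccountNames are constructed placeholders.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module, a reachable DC ($Dc) and the affected sAMAccountNames ($Affected).
Import-Module ActiveDirectory

$Dc       = 'DC01.example.com'             # constructed placeholder
$Affected = @('jdoe', 'asmith', 'bjones')  # constructed placeholder list

# isDeleted and lastKnownParent only acquire replication metadata once an
# object has been tombstoned, so their presence on a live object is the
# fingerprint of a delete-then-restore. unicodePwd, pwdLastSet and
# userAccountControl date the password blanking and the disable.
$Watch = 'isDeleted', 'lastKnownParent', 'unicodePwd', 'pwdLastSet', 'userAccountControl'

$rows = foreach ($sam in $Affected) {
    $user = Get-ADUser -Identity $sam -Server $Dc
    Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $Dc |
        Where-Object { $Watch -contains $_.AttributeName } |
        ForEach-Object {
            [pscustomobject]@{
                User      = $sam
                Attribute = $_.AttributeName
                Version   = $_.Version
                Changed   = $_.LastOriginatingChangeTime
                FromDC    = $_.LastOriginatingChangeDirectoryServerIdentity
            }
        }
}

# Accounts that carry isDeleted metadata were tombstoned at some point and
# later reanimated; that matches the "deleted and restored" theory.
$reanimated = $rows | Where-Object Attribute -eq 'isDeleted' |
    Select-Object -ExpandProperty User -Unique
"Accounts with delete/restore history: $($reanimated -join ', ')"

# Bucket the originating changes by DC and minute: one burst of changes
# seconds apart from a single DC points at one bulk action, and the DC
# named is where any local logs worth pulling will live.
$rows | Where-Object Attribute -eq 'userAccountControl' |
    Sort-Object Changed |
    Group-Object FromDC, { $_.Changed.ToString('yyyy-MM-dd HH:mm') } |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Objects that were never deleted show no isDeleted or lastKnownParent rows at all, so an empty first list means the restore theory is not supported by this DC's metadata and another originating DC should be queried.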