Recently had a very interesting challenge with an Active Directory network that had been infected with the Conficker worm (virus) in a big way - all domain accounts were locked out, and the domain Administrator account had previously been renamed and disabled. In short, nobody could log in, not even Administrators.

We resolved this by pulling a domain controller off the network and working on it in a disconnected state. We used some tools and registry changes to create a special Windows service that could then re-enable a known and disabled Service Account with domain admin privileges. Following this, access to AD was available, and manual administration could be carried out to manipulate all domain administrator accounts to restore control of the environment.

Finally, the DC was reconnected and AD replication was allowed to do its thing. There was still some mop-up to do, but things were back up and running quickly enough that interruption to users was minimised.