Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 9039 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Management Host Service automatically changes Password

whykillme

Hello,

We are having problems with the "Sophos Management Host"  service.

I have searched everywere and am not able to find a solution.

Whenever we reboot the server, somehow, the password for the service changes. Meaning we have to manually edit the password to the user accounts password in the service.

The other services, using the exact same account work without any problems (sophos patch services).

Anyone has any idea what could automatically change the password for this service?

- Password never expires

- User cannot change password

Best Regards,

Martijn

:36057


This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    In that case it's very odd behaviour indeed.  Is there any software on the computer that is involved with accounts?  

    I would suggest in the local security policy for the computer enable all auditing options for accounts and see if there are any clues in the Security event log after reproducing it.  

    The options are under:

    "\Security Settings\Local Policies\Audit Policy\"

    Also, Windows stores the password for service accounts under: HKLM\SECURITY\Policy\Secrets\_SC_[ServiceName] as a secret.

    You could maybe setup ProcessMonitor with a path rule to:

    HKLM\SECURITY\Policy\Secrets\_SC_

    Do you see a modification to the key at startup for example if you log boot/reproduce it?

    Regards,

    Jak

    :36085
Reply
  • 0

    Hi,

    In that case it's very odd behaviour indeed.  Is there any software on the computer that is involved with accounts?  

    I would suggest in the local security policy for the computer enable all auditing options for accounts and see if there are any clues in the Security event log after reproducing it.  

    The options are under:

    "\Security Settings\Local Policies\Audit Policy\"

    Also, Windows stores the password for service accounts under: HKLM\SECURITY\Policy\Secrets\_SC_[ServiceName] as a secret.

    You could maybe setup ProcessMonitor with a path rule to:

    HKLM\SECURITY\Policy\Secrets\_SC_

    Do you see a modification to the key at startup for example if you log boot/reproduce it?

    Regards,

    Jak

    :36085
Children
No Data
Unfiltered HTML