I have over 3000 users, I am using domain account to install Sophos endpoint 10.X Clients on Windows Machine.
After a while AD locks, why, how to fix permanently !!
Hello Nightwing2099,
are you referring to the updating account (AKA SUM Account)? How long is "after a while"?
Accounts are locked out when an incorrect password is used. Endpoints get the password in the updating policy (I assume you're talking about the on-premise managed SESC) so they should use the correct one.
Did you ever change the account's password? Then it could be an endpoint that has not received the correct policy. If endpoints update over UNC then the Windows Event Log should help to identify the offending endpoint(s), in case of HTTP the webserver logs should have the required information.
Christian
I had a similar issue a while ago and used the following tool to diagnose what was going on:
install lockoutstatus.msi
open Command prompt and type:
CD C:\Program Files (x86)\Windows Resource Kits\Tools
Use the following command:
lockoutstatus.exe -u:[domain]\[Username]
On the relevant DC highlighted in the report "Last Bad Pwd" column, check the security event logs filtering on 4740 and this give you the machine name that you are locking out on.
In my instance someone had run a batch file that had a misconfigured account which caused the underlying issues.
Best of luck sorting out the RCA though
Hello Nightwing2099,
this happens from the Sophos End [...] This is a Sophos Fault
what evidence do you have to substantiate this statement? Did you correlate the bad password security events with AutoUpdate activity (failed downloads) on the allegedly guilty endpoints?
A changed password is just one possible reason. As said, the password is set in the policy, endpoints receive the (obfuscated) password with the policy from the management server - and all endpoints receive the same password. If it were a general problem you'd have the account locked out (assuming your security policy doesn't permit hundreds of incorrect passwords before the lockout) within seconds. Furthermore you'd see that all endpoints failed to update (or that at least show an updating error if they succeed using the Secondary location).
Just repeating This is a Sophos Fault won't resolve the problem.
Christian
Hello Nightwing2099,
I'd start with the Security Event log (server hosting the CIDs and AD). Unless auditing of these events is suppressed (in this case you'd have to turn it on) it should identify the endpoint(s) causing the problem. Next step is to verify (with the AutoUpdate log) that indeed update attempts are the cause, and if so whether the endpoint complies with the Updating Policy or not.
Checking the obfuscated passwords on several thousand endpoints is likely not productive.
Christian
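Both the LockoutStatus/4740 walk-through above and Christian's suggestion to start from the Security Event log come down to the same correlation: which machine is presenting the wrong password for the updating account. The script below is an added example, not from the thread or from Sophos, that does that correlation from the PDC emulator (where every 4740 lockout in the domain is recorded) and adds the 4771/4776 bad-password events that name the client IP or workstation. It assumes the RSAT ActiveDirectory module, rights to read the DC's Security log, and a placeholder account name in $UpdatingAccount.

```powershell
# Added example: find the endpoint(s) locking out the SUM/updating account.
# Assumptions: RSAT ActiveDirectory module present; read access to the DC's Security log.
param(
    [string]$UpdatingAccount = 'SophosUpdateMgr',   # placeholder: your updating account from the policy
    [int]$Hours = 24
)

Import-Module ActiveDirectory
$pdc   = (Get-ADDomain).PDCEmulator      # lockouts (4740) always land on the PDC emulator
$since = (Get-Date).AddHours(-$Hours)

# Read EventData fields by their Name attribute rather than guessing Properties[] positions.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $since }
$rows = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        $src = $null
        switch ($_.Id) {
            4740 { $src = $d.TargetDomainName }                        # 4740 stores "Caller Computer Name" here
            4771 { $src = $d.IpAddress }                               # Kerberos pre-auth failed: client IP
            4776 { if ($d.Status -ne '0x0') { $src = $d.Workstation } } # NTLM validation failed: workstation
        }
        if ($src -and $d.TargetUserName -eq $UpdatingAccount) {
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Source = $src }
        }
    }

# Top offenders first, then the most recent lockouts for cross-checking with the AutoUpdate log.
$rows | Group-Object EventId, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$rows | Where-Object EventId -eq 4740 | Sort-Object Time -Descending | Select-Object -First 5
```

4771/4776 are written on whichever DC validated the attempt, so if the PDC shows only the 4740 entries, rerun against the DC that LockoutStatus lists under "Last Bad Pwd"; then confirm on the named endpoint, per the advice above, that its AutoUpdate log shows failed downloads at the same timestamps.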