This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos AD Account Locking....Why cant Sophos fix this !!!!

I have over 3000 users, I am using domain account to install Sophos endpoint 10.X Clients on Windows Machine. 

 

After a while AD locks, why, how to fix permanetly !!



This thread was automatically locked due to age.
Parents
  • Hello Nightwing2099,

    are you referring to the updating account (AKA SUM Account)? How long is After a while?

    Accounts are locked out when an incorrect password is used. Endpoints get the password in the updating policy (I assume you're talking about the on-premise managed SESC) so they should use the correct one.
    Did you ever change the account's password? Then it could be an endpoint that has not received the correct policy. If endpoints update over UNC then the Windows Event Log should help to identify the offending endpoint(s), in case of HTTP the webserver logs should have the required information.

    Christian

Reply
  • Hello Nightwing2099,

    are you referring to the updating account (AKA SUM Account)? How long is After a while?

    Accounts are locked out when an incorrect password is used. Endpoints get the password in the updating policy (I assume you're talking about the on-premise managed SESC) so they should use the correct one.
    Did you ever change the account's password? Then it could be an endpoint that has not received the correct policy. If endpoints update over UNC then the Windows Event Log should help to identify the offending endpoint(s), in case of HTTP the webserver logs should have the required information.

    Christian

Children
  • The fault is with an Incorrect password, but this happens from the Sophos End.  No passwords have been changed. This is a Sophos Fault.     

  • Hello Nightwing2099,

    this happens from the Sophos End [...] This is a Sophos Fault
    what evidence do you have to substantiate this statement? Did you correlate the bad password security events with AutoUpdate activity (failed downloads) on the allegedly guilty endpoints?
    A changed password is just one possible reason. As said, the password is set in the policy, endpoints receive the (obfuscated) password with the policy from the management server - and all endpoints receive the same password. If it were a general problem you'd have the account locked out (assuming your security policy doesn't permit hundreds of incorrect passwords before the lockout) within seconds. Furthermore you'd see that all endpoints failed to update (or that at least show an updating error if they succeed using the Secondary location). 

    Just repeating This is a Sophos Fault won't resolve the problem.

    Christian     

  • I will go through, all the logs and endpoints, also I will check obfuscated passwords.

     

    Regards

     

  • Hello Nightwing2099,

    I'd start with the Security Event log (server hosting the CIDs and AD). Unless auditing of these events is suppressed (in this case you'd have to turn it on) it should identify the endpoint(s) causing the problem. Next step is to verify (with the AutoUpdate log) that indeed update attempts are the cause, and if so whether the endpoint complies with the Updating Policy or not.
    Checking the obfuscated passwords on several thousand endpoints is likely not productive.

    Christian