
Sophos AD Account Locking... Why can't Sophos fix this!!!!

I have over 3000 users. I am using a domain account to install Sophos Endpoint 10.X clients on Windows machines.


After a while the AD account locks. Why, and how do I fix this permanently!!



This thread was automatically locked due to age.
  • Hello Nightwing2099,

    are you referring to the updating account (AKA SUM account)? How long is "after a while"?

    Accounts are locked out when an incorrect password is used. Endpoints get the password in the updating policy (I assume you're talking about the on-premise managed SESC) so they should use the correct one.
    Did you ever change the account's password? Then it could be an endpoint that has not received the correct policy. If endpoints update over UNC then the Windows Event Log should help to identify the offending endpoint(s), in case of HTTP the webserver logs should have the required information.

    Christian

  • I had a similar issue a while ago and used the following tool to diagnose what was going on:

    http://serverfault.com/questions/277790/how-can-i-find-out-why-specific-ad-accounts-are-being-locked-daily

    install lockoutstatus.msi

    open Command prompt and type:

    • CD C:\Program Files (x86)\Windows Resource Kits\Tools

    Use the following command:

    • lockoutstatus.exe -u:[domain]\[Username]

    On the relevant DC highlighted in the report's "Last Bad Pwd" column, check the Security event log filtering on event ID 4740; this gives you the machine name that you are being locked out from.

    In my instance someone had run a batch file that had a misconfigured account which caused the underlying issues.


    Best of luck sorting out the RCA though

  • The fault is with an incorrect password, but this happens from the Sophos end. No passwords have been changed. This is a Sophos fault.

  • Hello Nightwing2099,

    "this happens from the Sophos End [...] This is a Sophos Fault"
    What evidence do you have to substantiate this statement? Did you correlate the bad password security events with AutoUpdate activity (failed downloads) on the allegedly guilty endpoints?
    A changed password is just one possible reason. As said, the password is set in the policy, endpoints receive the (obfuscated) password with the policy from the management server - and all endpoints receive the same password. If it were a general problem you'd have the account locked out (assuming your security policy doesn't permit hundreds of incorrect passwords before the lockout) within seconds. Furthermore you'd see that all endpoints failed to update (or that at least show an updating error if they succeed using the Secondary location). 

    Just repeating "This is a Sophos Fault" won't resolve the problem.

    Christian     

  • I will go through all the logs and endpoints; I will also check the obfuscated passwords.


    Regards


  • Hello Nightwing2099,

    I'd start with the Security Event log (server hosting the CIDs and AD). Unless auditing of these events is suppressed (in this case you'd have to turn it on) it should identify the endpoint(s) causing the problem. Next step is to verify (with the AutoUpdate log) that indeed update attempts are the cause, and if so whether the endpoint complies with the Updating Policy or not.
    Checking the obfuscated passwords on several thousand endpoints is likely not productive.

    Christian
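The two answers above describe the same procedure: pull the 4740 lockout events, read the caller computer name out of them, and then check that endpoint's AutoUpdate log to confirm the update attempts are the cause. The script below is an added example written for this thread, not something posted by the participants or shipped by Sophos. It assumes the RSAT ActiveDirectory module is installed, that you can read the Security log on the PDC emulator (event 4740 is always written there, whichever DC processed the bad password), and that the Sophos AutoUpdate log lives at `C:\ProgramData\Sophos\AutoUpdate\Logs\ALUpdate.log` on the endpoint; `sophosupdate` is a placeholder for the updating account name.

```powershell
# Added example: list which computers locked out the Sophos updating account
# (event 4740 on the PDC emulator) and show the failure lines from the
# AutoUpdate log of the worst offender. Account name and log path are assumptions.
param(
    [string]$Account = 'sophosupdate',   # placeholder: the SUM / updating account
    [int]$Days = 7
)

Import-Module ActiveDirectory -ErrorAction Stop

# 4740 lockout events are always recorded on the PDC emulator.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$Days)
}

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Read the EventData fields by name rather than by position.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            # In a 4740 event the "Caller Computer Name" is carried in TargetDomainName.
            CallerComputer = $data['TargetDomainName']
        }
    } |
    Where-Object { $_.Account -ieq $Account }

if (-not $lockouts) {
    Write-Host "No 4740 events for '$Account' on $pdc in the last $Days day(s)."
    return
}

# One row per source computer, most lockouts first.
$summary = $lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object @{n='CallerComputer'; e={ $_.Name }},
                  Count,
                  @{n='LastLockout'; e={ ($_.Group | Measure-Object Time -Maximum).Maximum }}
$summary | Format-Table -AutoSize

# Second step from the thread: confirm on the endpoint that AutoUpdate is what
# is failing. Pull the AutoUpdate log over the admin share and keep only lines
# that look like failures around the last lockout (a heuristic filter, not an
# official log format reference).
$worst   = $summary | Select-Object -First 1
$logPath = "\\$($worst.CallerComputer)\C$\ProgramData\Sophos\AutoUpdate\Logs\ALUpdate.log"

if (Test-Path $logPath) {
    Write-Host "`nFailure-looking lines in $logPath (last lockout: $($worst.LastLockout)):"
    Get-Content $logPath |
        Where-Object { $_ -match 'fail|error|could not|denied|logon' } |
        Select-Object -Last 20
} else {
    Write-Host "`nAutoUpdate log not reachable at $logPath; check the endpoint directly."
}
```

Run it from an administrative PowerShell on a domain-joined management host. If the table shows a handful of machines, those are the endpoints whose Updating Policy (or cached credentials) to check; if it shows every machine at once, the problem is the password in the policy itself, which matches Christian's point that a general policy problem would lock the account out within seconds rather than "after a while".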