J
JasonTappen
Guest
Ok, in our company we have aprox 1400 employees..
We have multiple Domain Controllers, and 1 Primary Domain... as well as exchange & Lync server and multiple locations with shares and etc..
We also run through Iprism web filter, that requires a user to go to a site like google.com etc.. to get authenticated etc.. before regular web browsing will work etc..
We have windows 7 32 bit & 64 mixed in the environment (no XP machines)
Also through GP we have 10 invalid login attempts will lock the user AD account... also require password change every 45 days
We have been (for about 2 or 3 months now) seeing a higher than normal amount of accounts getting locked for what seems to be no reason.. we have Netwrix Acocunt Lock Examiner installed, which tells us what PC the lock is happing at, and what DC is reporting the wrong passwords etc.. but does not tell us what item is causing it.. especially when the user is doing nothing but regular work and is not entering their password in anything.. also when we search logs etc.. there is nothing substantial, no saved credentials, no scheduled tasks, mapped drives are set with GP no by local user..
We are at our wits end on this...
in our whole company it seems that we have about 8 people that are locked almost everyday (and most do not have mobile devices with E-mail either)
The pc's have having the issue seem to have 2 things in common..
1. they all seem to have Office 2013
2. the all have a program installed called ADP (or CDK) an automotive industry program
Most computers are imaged through our Fog server...
Windows updates are pushed out through Wsus etc...
Antivirus is System Center Endpoint Protection etc..
we have checked the PC's with this issue for malware, we have looked in every log we can find etc.. and can not find what is triggering or submitting the incorrect credentials...
We even tried to install the alockout.dll from Microsoft's lockout tools.. which seems to report nothing (I read it does not work in windows 7??)
Does Anyone have any knowledge of something we can run on the machine that will alert us as to when an invalid password is submitted as well as what service or program is sending the info??
Thanks in advance for anyone's thoughts..
Jason
Continue reading...
We have multiple Domain Controllers, and 1 Primary Domain... as well as exchange & Lync server and multiple locations with shares and etc..
We also run through Iprism web filter, that requires a user to go to a site like google.com etc.. to get authenticated etc.. before regular web browsing will work etc..
We have windows 7 32 bit & 64 mixed in the environment (no XP machines)
Also through GP we have 10 invalid login attempts will lock the user AD account... also require password change every 45 days
We have been (for about 2 or 3 months now) seeing a higher than normal amount of accounts getting locked for what seems to be no reason.. we have Netwrix Acocunt Lock Examiner installed, which tells us what PC the lock is happing at, and what DC is reporting the wrong passwords etc.. but does not tell us what item is causing it.. especially when the user is doing nothing but regular work and is not entering their password in anything.. also when we search logs etc.. there is nothing substantial, no saved credentials, no scheduled tasks, mapped drives are set with GP no by local user..
We are at our wits end on this...
in our whole company it seems that we have about 8 people that are locked almost everyday (and most do not have mobile devices with E-mail either)
The pc's have having the issue seem to have 2 things in common..
1. they all seem to have Office 2013
2. the all have a program installed called ADP (or CDK) an automotive industry program
Most computers are imaged through our Fog server...
Windows updates are pushed out through Wsus etc...
Antivirus is System Center Endpoint Protection etc..
we have checked the PC's with this issue for malware, we have looked in every log we can find etc.. and can not find what is triggering or submitting the incorrect credentials...
We even tried to install the alockout.dll from Microsoft's lockout tools.. which seems to report nothing (I read it does not work in windows 7??)
Does Anyone have any knowledge of something we can run on the machine that will alert us as to when an invalid password is submitted as well as what service or program is sending the info??
Thanks in advance for anyone's thoughts..
Jason
Continue reading...