I suspect that the DLP agent is locking AD domain accounts for users who are using local accounts with the same name.
For example, USERID is a local account on the machine and a domain account: USERID\machine, USERID\DOMAIN
The user logs in using the local account. Eventually the domain account gets locked. If the passwords for the local and domain account are the same, then the issue does not happen. Since this just started with the DLP agent deployment, I suspect DLP is the issue.
I assume that DLP has to do a policy evaluation against AD (our policies utilize AD groups). Does it use credentials for this? If it's a local account, shouldn't it stop right there and not do an AD evaluation? I am going to try to put 'local accounts' in a user group by itself with no AD groups to see if that resolves it. Anyone else see anything like this? Looks like another SR for me!
Finding out some interesting things.... The fcag.exe process performs an LDAP search against AD at every policy enforcement interval. In our case the credentials are being confused. My guess is that fcag.exe assumes the logged-in user has authorization to do LDAP searches against the DC if it can reach it network-wise. Will post more when I hear back from support.
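One way to spot the pattern described in the post above from domain controller logs, as an added example that is not from this thread or from McAfee: it groups bad-password validation failures (event 4776, status 0xC000006A) by account and source workstation and flags runs that recur at a near-constant interval, which points at a scheduled process such as an agent's enforcement interval rather than a person retyping a password. The log line format and all sample values are constructed for the example.

```python
from datetime import datetime
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of 4776 (NTLM credential validation) failures; not real log data.
# Status 0xC000006A means "wrong password". Each one counts toward the lockout threshold.
SAMPLE_EVENTS = [
    "2024-03-04T09:00:02 4776 user=USERID workstation=WS01 status=0xC000006A",
    "2024-03-04T09:05:02 4776 user=USERID workstation=WS01 status=0xC000006A",
    "2024-03-04T09:10:03 4776 user=USERID workstation=WS01 status=0xC000006A",
    "2024-03-04T09:15:02 4776 user=USERID workstation=WS01 status=0xC000006A",
    "2024-03-04T09:20:02 4776 user=USERID workstation=WS01 status=0xC000006A",
    # A person mistyping twice on another host: short, irregular, not flagged.
    "2024-03-04T09:07:41 4776 user=jdoe workstation=WS02 status=0xC000006A",
    "2024-03-04T09:07:55 4776 user=jdoe workstation=WS02 status=0xC000006A",
]

def parse_event(line):
    """Split one constructed log line into a dict of fields plus a parsed timestamp."""
    ts, event_id, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["time"] = datetime.fromisoformat(ts)
    fields["id"] = event_id
    return fields

def find_periodic_failures(lines, min_count=4, max_jitter=0.2):
    """Return {(user, workstation): interval_seconds} for accounts whose bad-password
    failures from a single host recur at a near-constant interval.
    max_jitter is the allowed coefficient of variation (stddev / mean) of the gaps."""
    by_key = defaultdict(list)
    for f in map(parse_event, lines):
        if f["id"] == "4776" and f["status"] == "0xC000006A":
            by_key[(f["user"], f["workstation"])].append(f["time"])
    hits = {}
    for key, times in by_key.items():
        times.sort()
        if len(times) < min_count:
            continue  # too few failures to call it periodic
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg)
    return hits

if __name__ == "__main__":
    for (user, host), sec in find_periodic_failures(SAMPLE_EVENTS).items():
        print(f"{user} from {host}: bad password every ~{sec}s; check for an automated source")
```

A hit like this, paired with a later 4740 lockout for the same account, is the cue to look at what runs on that workstation at that interval and which credentials it presents.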
Issue found.... McAfee will be sending me a POC fix next week for me to confirm the issue is resolved. If anyone needs more details relating to this please let me know.