teekay
Level 9
Message 1 of 4

Windows AD account lockout

I have a mysterious situation occurring on newly ghost-imaged PCs with McAfee disk encryption, McAfee DLP, and McAfee Application Control. Upon login to the domain, the user gets immediately locked out. Our lockout policy is three login attempts. Domain policies don't get applied and gpupdate /force fails.

Reviewed event viewer. We see the user log in successfully, followed by two additional user login attempts that fail, and then a user lockout event.

Operating environment of PC: Windows 10 version 1511, McAfee disk encryption, McAfee DLP, and McAfee Application Control, VMPlayer, MS Office.

Process: Install Windows and Applications, Sysprep, Create Symantec image.

Users log on OK from other domain PCs imaged from the previous batch but get locked out when logging into the domain on newly imaged PCs. Tried multiple users. User logs in OK to preboot to decrypt the drive, then gets locked out immediately upon logging into Windows. Lockout occurs whether SSO is checked or unchecked.

Removed machine from domain and replaced; same result. At wits' end to determine what process might be immediately submitting follow-up bad credentials that lock the account. Can the McAfee processes be causing something like this? If yes, where to look to make a determination and possible fix? Any insights greatly appreciated.

1 Solution

Accepted Solutions
teekay
Level 9
Message 4 of 4

Re: Windows AD account lockout

Thank you. I was able to identify that the Windows process of attempting to load domain policy and logon scripts was causing lockout upon authenticating to the resource. I don't quite understand why, but improper NTLM negotiation was causing the authentication during the process of applying domain policy to fail and lock the account. My default domain policy, "Network security: LAN Manager authentication level", is set to "Send NTLMv2 response only. Refuse LM & NTLM". The client has the default until it gets the domain policy. But the client couldn't get the policy since the server side couldn't authenticate. Current workaround is to manually set the local policy to "Send NTLMv2 response only. Refuse LM & NTLM" after creating the image. Once logged in correctly, the client gets the domain policy as the local policy and users can work fine thereafter.
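The workaround above, as an added example that is not part of the thread: a PowerShell snippet that reads the local "LAN Manager authentication level" from its registry value (LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, where 5 is "Send NTLMv2 response only. Refuse LM & NTLM"), flags a mismatch with the domain policy, can set it before the image is finalised, and lists recent failed-logon events (4625) on the client. The function names are mine; the registry location, level meanings and event field layout are the documented Windows ones.

```powershell
# Added example (not from the thread): align a freshly imaged client's local
# LAN Manager authentication level with the domain policy from the post.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # An absent value means the OS default applies (3 on Windows 10).
    $item = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 3 }
    return [int]$item.LmCompatibilityLevel
}

function Set-LmCompatibilityLevel {
    # Supports -WhatIf so the change can be previewed on a golden image.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 5)][int]$Level = 5)
    $target = "$LsaKey\LmCompatibilityLevel"
    if ($PSCmdlet.ShouldProcess($target, "set to $Level ($($LevelNames[$Level]))")) {
        Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    }
}

# Report the current level and whether it matches the domain setting (level 5).
$current = Get-LmCompatibilityLevel
"Local LmCompatibilityLevel: $current ($($LevelNames[$current]))"
if ($current -lt 5) {
    "Mismatch with domain policy (level 5): run 'Set-LmCompatibilityLevel -Level 5' before first domain logon."
}

# The failed logons the poster saw between the good logon and the lockout are
# event 4625 on the client; property index 5 is TargetUserName, index 7 the NTSTATUS.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { $_.Properties[5].Value } },
        @{ n = 'Status';  e = { '0x{0:X8}' -f [int64]$_.Properties[7].Value } }
```

Run it elevated on the imaged client before joining or logging on to the domain; a Status of 0xC000006A with a correct password is the NTLM-level mismatch the thread describes, not a genuinely wrong password.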

3 Replies
Peacekeeper
Reliable Contributor
Message 2 of 4

Re: Windows AD account lockout

Moved to the Data Loss Prevention forum; it should be better to get assistance there.

mcadoc
Level 7
Message 3 of 4

Re: Windows AD account lockout

I would start with Sysinternals Procmon or Autoruns to see which program causes the issue.
