Moved to the Data Loss Prevention forum; it should be better to get assistance there.
I would start with Sysinternals Procmon or Autoruns to see which program causes the issue.
Thank you. I was able to identify that the Windows process of attempting to load domain policy and logon scripts was causing lockout upon authenticating resource. I don't quite understand why, but improper NTLM negotiation was causing the authentication during the process of applying domain policy to fail and lock the account. My default domain policy, "Network security: LAN Manager authentication level", is set to "Send NTLMv2 response only. Refuse LM & NTLM". The client has the default until it gets the domain policy. But the client couldn't get the policy since the server side couldn't authenticate. Current workaround is to manually set the local policy to "Send NTLMv2 response only. Refuse LM & NTLM" after creating the image. Once logged in correctly, the client gets the domain policy as the local policy and users can work fine thereafter.
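The workaround described above, scripted as an added example that is not part of the original thread: it reads the local LAN Manager authentication level on a reference image and sets it to "Send NTLMv2 response only. Refuse LM & NTLM". It assumes the policy is backed by the `LmCompatibilityLevel` registry value under the Lsa key, where level 5 is that setting, and that it runs elevated before the image is captured.

```powershell
# Added example: align the image's local LAN Manager authentication level
# with the domain policy before the machine first contacts the domain.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name     = 'LmCompatibilityLevel'
$required = 5   # "Send NTLMv2 response only. Refuse LM & NTLM"

# Policy text for each level, as shown in the local security policy editor.
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmLevel {
    # Returns the configured level, or $null when the value is absent
    # (the OS default applies in that case).
    $prop = Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$name
}

$current = Get-LmLevel
if ($null -eq $current) {
    Write-Output "$name is not set locally; the OS default applies."
} else {
    Write-Output "Current level: $current ($($levels[$current]))"
}

if ($current -ne $required) {
    # -Force creates the value if missing and overwrites it otherwise.
    New-ItemProperty -Path $lsaKey -Name $name -Value $required `
        -PropertyType DWord -Force | Out-Null
    $after = Get-LmLevel
    if ($after -ne $required) {
        throw "Failed to set $name to $required (read back: $after)."
    }
    Write-Output "Set level to $required ($($levels[$required]))."
} else {
    Write-Output 'Image already matches the domain policy level.'
}
```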