3 Replies Latest reply on Jul 17, 2017 8:03 AM by teekay

    Windows AD account lockout


      I have a mysterious situation occurring on newly Ghost-imaged PCs with McAfee disk encryption, McAfee DLP, and McAfee Application Control. Upon login to the domain, the user gets immediately locked out. Our lockout policy is three login attempts. Domain policies don't get applied and gpupdate /force fails.

      Reviewed Event Viewer. We see the user log in successfully, followed by two additional user login attempts that fail, and then a user lockout event.

      Operating environment of PC:  Windows 10 version 1511, McAfee disk encryption, McAfee DLP, and McAfee Application Control, VMPlayer, MS Office.

      Process: Install Windows and Applications, Sysprep, Create Symantec image.

      Users log on OK from other domain PCs imaged from the previous batch, but get locked out when logging into the domain on newly imaged PCs. Tried multiple users. The user logs in OK to preboot to decrypt the drive, then gets locked out immediately upon logging into Windows. Lockout occurs whether SSO is checked or unchecked.

      Removed the machine from the domain and replaced it; same result. At wits' end to determine what process might be immediately submitting follow-up bad credentials that lock the account. Can the McAfee processes be causing something like this? If yes, where to look to make a determination and possible fix? Any insights greatly appreciated.
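As an added example (not part of the original post or any McAfee tooling), the following PowerShell pulls the logon events for one account from the Security log so the "success, two failures, lockout" sequence the poster describes can be tied to a logon type, an authentication package, the LM package actually used (NTLM V1 vs NTLM V2) and the caller process. The account name 'jdoe', the 30-minute window and the computer name are placeholder parameters; event 4740 is recorded on the domain controller, so it only shows up when the script is pointed at a DC.

```powershell
# Added example, not part of the original post: list the logon events for one
# account, showing for each one the logon type, the authentication package,
# the LM package (NTLM V1 vs NTLM V2) and the process that submitted the
# credentials. Run elevated on the affected client right after the lockout.
# $User (placeholder 'jdoe') is the sAMAccountName of the locked account.
# Event 4740 (lockout) is written on the domain controller, so pass
# -ComputerName <DC> to see it alongside the client's 4624/4625 events.
param(
    [string]$User = 'jdoe',
    [int]$Minutes = 30,
    [string]$ComputerName = $env:COMPUTERNAME
)

function Get-EventField {
    # Pull one named <Data> element out of the event's EventData XML.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4740
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
    Sort-Object TimeCreated |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = $_.Id                                    # 4624 success, 4625 failure, 4740 lockout (DC)
            LogonType   = Get-EventField $_ 'LogonType'            # 2 interactive, 3 network, ...
            AuthPackage = Get-EventField $_ 'AuthenticationPackageName'
            LmPackage   = Get-EventField $_ 'LmPackageName'        # 'NTLM V1', 'NTLM V2', 'LM' or '-' (Kerberos)
            Status      = Get-EventField $_ 'Status'               # 0xC000006D logon failure, 0xC0000234 locked out
            SubStatus   = Get-EventField $_ 'SubStatus'            # 0xC000006A wrong password
            Process     = Get-EventField $_ 'ProcessName'          # caller process on the client
            Workstation = Get-EventField $_ 'WorkstationName'
        }
    } | Format-Table -AutoSize
```

Two failed 4625 entries with LmPackage showing NTLM V1 immediately after a 4624 with NTLM V2 or Kerberos, and a Process pointing at the system rather than a user application, is the pattern that points at the client-side negotiation rather than at a third-party agent replaying stale credentials.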

        • 1. Re: Windows AD account lockout

          Moved to the Data Loss Prevention forum; it should be better to get assistance there.

          • 2. Re: Windows AD account lockout

            I would start with Sysinternals Procmon or Autoruns to see which program causes the issue.

            • 3. Re: Windows AD account lockout

              Thank you. I was able to identify that the Windows process of attempting to load domain policy and logon scripts was causing the lockout upon authenticating to the resource. I don't quite understand why, but improper NTLM negotiation was causing the authentication during the process of applying domain policy to fail and lock the account. My Default Domain Policy, "Network security: LAN Manager authentication level", is set to "Send NTLMv2 response only. Refuse LM & NTLM". The client has the default until it gets the domain policy, but the client couldn't get the policy since the server side couldn't authenticate it. The current workaround is to manually set the local policy to "Send NTLMv2 response only. Refuse LM & NTLM" after creating the image. Once logged in correctly, the client gets the domain policy as the local policy and users can work fine thereafter.
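The workaround above, as an added example that is not the poster's own script: the security option "Network security: LAN Manager authentication level" is stored as the DWORD LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and "Send NTLMv2 response only. Refuse LM & NTLM" is level 5. Setting it on the reference machine before Sysprep bakes it into the image so a freshly imaged client already matches the domain GPO on its first authentication. The script assumes it is run elevated; the temp file name for the secedit cross-check is an arbitrary placeholder.

```powershell
# Added example, not from the original post. Sets the local security option
# "Network security: LAN Manager authentication level" to
# "Send NTLMv2 response only. Refuse LM & NTLM" (LmCompatibilityLevel = 5)
# on the reference machine before Sysprep, and verifies the result both in the
# registry and in what the Local Security Policy snap-in reports. Run elevated.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel value, as shown in the policy editor.
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # When the value is absent, Windows Vista and later behave as level 3.
    $v = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $v) { $v = 3 }
    [pscustomobject]@{ Level = [int]$v; Meaning = $Levels[[int]$v] }
}

function Set-LmCompatibilityLevel {
    param([ValidateRange(0, 5)][int]$Level = 5)
    New-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -PropertyType DWord -Value $Level -Force | Out-Null
}

$before = Get-LmCompatibilityLevel
"Before: $($before.Level) = $($before.Meaning)"

Set-LmCompatibilityLevel -Level 5

$after = Get-LmCompatibilityLevel
if ($after.Level -ne 5) { throw "LmCompatibilityLevel is $($after.Level), expected 5" }
"After:  $($after.Level) = $($after.Meaning)"

# Cross-check against the Local Security Policy view: secedit exports the same
# setting under [Registry Values] as
#   MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
# (the leading 4 is the REG_DWORD type, the trailing 5 is the level).
$cfg = Join-Path $env:TEMP 'lsa-check.inf'   # placeholder file name
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
Select-String -Path $cfg -Pattern 'LmCompatibilityLevel'
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Because the value lives in HKLM it survives Sysprep and the Ghost capture, and once the client pulls the Default Domain Policy the GPO setting takes over with the same value, so there is nothing to undo afterwards.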