Any ideas on this, it went an entire week and just got locked????? I realize that this is like finding a needle in a haystack. Anybody ever seen this?
Also noticed the creation and modified dates on my preferredservers.dat are Tuesday, December 23, 2008, 3:06:23 PM??????
Got the pc# from our directory service guys. Nothing looks out of place, no weird events in the security, app, or system logs. sdclient logs look clean, etc...
So I've done some digging...
... after much digging, I've found ONE incident about the PREFERREDSERVERS.DAT having a time-stamp for a future date ... which was closed as SP1 for 8.8 resolved it. That's about all I can give you for that one... might be worth opening a ticket with support if you're on 8.8 SP1 and work with them on it.
I've been trying to figure out a way to trace what's going on with your account, but I don't really see many ways short of you tracing/logging via Microsoft ... I suppose the thing would be to try and find out if it's "a particular" server that's causing you grief ... if so, you should be able to get a timestamp or "all of them".
Now ... since you need authentication, I'm assuming this is UNC as opposed to HTTP (HTTP would've made life a LOT easier, since we'd have an IIS log to go with time-stamps to lock down a client/several clients as responsible) ... a theory I'd have would be that some client has an out-of-date preferred-server information file and hasn't / can't refresh it ... suppose if you can find which preferred server it is, you could run a script to all clients attached to that box to clear their preferred-server lists and re-download it.
I don't think there's much you can do to track down UNC-based access a lot (well - not by default) short of you enabling auditing, which is going to create huge logs, but that may be the way forward?
LANDesk EMEA Technical Lead.
Paul, thanks for pulling out the shovel. The clients are still 8.7 and have not been upgraded, so when I can finally push the clients I'm hoping this will go away. I'm planning on upgrading the cores to SP1 on 8-9-08. The cores are 8.8 now. The future date is weird since it still works. Since the account is not being locked out all the time, my gut feeling is there is something going on between the new 8.8 core and older client in regards to preferred server. The 8.8 table does look different from the old 8.7 table (from my memory). Just one client every so often does make it hard to troubleshoot, and I agree a remote trace is the only way to do this, but I can't repeat the locking once we find the client that caused the lockout - grrrrr. I think I will just keep my fingers crossed and hope it goes away when we upgrade the clients.