3 Replies Latest reply on Jul 28, 2008 6:28 AM by zman

    Preferred Server Account Lockout

    zman Master


      Ever since upgrading our cores to 8.8 (no SP1 yet) we have noticed that the account being used for pref server is getting locked out. We used to use the same account for both pref server and com+ (domain accounts) and this worked very well until after the upgrade. To isolate what was locking out the account, com+ or pref server, we now use two separate accounts. Since the switch the com+ account has been golden and the pref server account is being locked. The locking is very random, can go for several days and then it locks. I have verified that the account name and password are correct for all 30+ package servers. I'm having our directory services people isolate the machine(s) that is doing the locking. The clients have not been upgraded to 8.8 yet (long story....)






      Anyone have issues with preferred server locking out the account? This was solid until the 8.8 upgrade.  Any ideas?  This is a brand new account so nobody has the password or even knows about the account except two people.  Something on the client is chumming up the password.






      As always - thanks.



        • 1. Re: Preferred Server Account Lockout
          zman Master

          Any ideas on this, it went an entire week and just got locked????? I realize that this is like finding a needle in a haystack.  Anybody ever seen this?








          Also noticed the creation and modified dates on my preferredservers.dat are Tuesday, December 23, 2008, 3:06:23 PM??????



          Got the pc# from our directory service guys. Nothing looks out of place, no weird events in the security, app, or system logs. sdclient logs look clean, etc...

          • 2. Re: Preferred Server Account Lockout
            phoffmann SupportEmployee

            So I've done some digging...


            ... after much digging, I've found ONE incident about the PREFERREDSERVERS.DAT having a time-stamp for a future date ... which was closed as SP1 for 8.8 resolved it. That's about all I can give you for that one... might be worth opening a ticket with support if you're on 8.8 SP1 and work with them on it.




            I've been trying to figure out a way to trace what's going on with your account, but I don't really see many ways short of you tracing/logging via Microsoft ... I suppose the thing would be to try and find out if it's "a particular" server that's causing you grief ... if so, you should be able to get a timestamp or "all of them".


            Now ... since you need authentication, I'm assuming this is UNC as opposed to HTTP (HTTP would've made life a LOT easier, since we'd have an IIS log to go with time-stamps to lock down a client/several clients as responsible) ... a theory I'd have would be that some client has an out-of-date preferred-server information file and hasn't / can't refresh it ... suppose if you can find which preferred server it is, you could run a script to all clients attached to that box to clear their preferred-server lists and re-download it.


            I don't think there's much you can do to track down UNC-based access a lot (well - not by default) short of you enabling auditing, which is going to create huge logs, but that may be the way forward?


            Paul Hoffmann

            LANDesk EMEA Technical Lead.
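
As an added example (not part of the original posts and not LANDesk tooling): once logon-failure auditing is enabled on the package servers, as suggested above, the exported Security events can be reduced to the client/server pairs that actually submitted a wrong password for the preferred-server account. It assumes the servers log failed logons as event 4625 (Windows Server 2008 or later) and that the events were exported as XML under one root element; the account, server and client names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WRONG_PASSWORD = "0xc000006a"   # SubStatus: bad password, counts toward lockout
# 0xc0000234 means "already locked out": a symptom, not a cause, so it is skipped

def _event(time, server, client, ip, user, sub):
    """Build one constructed 4625 (failed logon) record for the sample below."""
    fields = {"TargetUserName": user, "WorkstationName": client,
              "IpAddress": ip, "SubStatus": sub}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{server}</Computer>'
            f'</System><EventData>{data}</EventData></Event>')

# Constructed sample data; account, server and client names are hypothetical.
SAMPLE = "<Events>" + "".join([
    _event("2008-07-21T09:14:02Z", "PKG01", "PC-1042", "192.0.2.17", "svc_prefsrv", "0xc000006a"),
    _event("2008-07-21T09:14:03Z", "PKG01", "PC-1042", "192.0.2.17", "svc_prefsrv", "0xc000006a"),
    _event("2008-07-21T09:14:05Z", "PKG01", "PC-1042", "192.0.2.17", "svc_prefsrv", "0xc000006a"),
    _event("2008-07-21T09:20:41Z", "PKG07", "PC-2210", "192.0.2.88", "svc_prefsrv", "0xc0000234"),
    _event("2008-07-21T09:31:00Z", "PKG01", "PC-0007", "192.0.2.9", "jdoe", "0xc000006a"),
]) + "</Events>"

def bad_password_sources(xml_text, account):
    """Map (package server, client, ip) -> timestamps of wrong-password logons."""
    hits = defaultdict(list)
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("TargetUserName", "").lower() != account.lower():
            continue
        if data.get("SubStatus", "").lower() != WRONG_PASSWORD:
            continue
        key = (ev.findtext("e:System/e:Computer", namespaces=NS),
               data.get("WorkstationName", ""), data.get("IpAddress", ""))
        hits[key].append(ev.find("e:System/e:TimeCreated", NS).get("SystemTime"))
    return dict(hits)

def ranked(xml_text, account):
    """Sources sorted by number of bad-password attempts, worst first."""
    return sorted(bad_password_sources(xml_text, account).items(),
                  key=lambda kv: len(kv[1]), reverse=True)

if __name__ == "__main__":
    for (server, client, ip), times in ranked(SAMPLE, "svc_prefsrv"):
        print(f"{client} ({ip}) -> {server}: {len(times)} bad passwords, first {times[0]}")
```

The timestamps per client give the window in which to pull that machine's preferred-server file and sdclient logs, which matters when the lockout cannot be reproduced on demand.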

            • 3. Re: Preferred Server Account Lockout
              zman Master


              Paul, thanks for pulling out the shovel. The clients are still 8.7 and have not been upgraded, so when I can finally push the clients I'm hoping this will go away. I'm planning on upgrading the cores to sp1 on 8-9-08. The cores are 8.8 now. The future date is weird since it still works. Since the account is not being locked out all the time, my gut feeling is there is something going on between the new 8.8 core and older client in regards to preferred server. The 8.8 table does look different from the old 8.7 table (from my memory). Just one client every so often does make it hard to troubleshoot, and I agree a remote trace is the only way to do this, but I can't repeat the locking once we find the client that caused the lockout - grrrrr. I think I will just keep my fingers crossed and hope it goes away when we upgrade the clients.






              Thanks again.