Saved AD credentials cause lockouts

Discussion in 'Business & Enterprise Computing' started by 7nothing, Jun 30, 2016.

  1. 7nothing

    7nothing Member

    Joined:
    Feb 15, 2002
    Messages:
    1,541
    Location:
    Brisbane
    Surely this happens anywhere that has a lockout policy and doesn't prevent creds from being saved?

    #1 case of lockouts in our environment (typing skills of dudes who need to toggle capslock to get an upper case letter cos they don't have the dexterity to hold down shift and press a key is probably #2), is from credentials being saved prior to a password change. Usually it's Outlook RPC over HTTPS, so it doesn't come up consistently as users are normally on a direct RPC connection (maybe Microsoft's solution is upgrade to Ex2013 so everything is proxied?).

    Does anyone know of an actual workable solution?
     
  2. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,770
    Location:
    Brisbane

    We get this all the time, even with Exchange 2013 for workgroup computers over HTTPS. I think the credentials get saved and then Outlook opens and tries to authenticate in the background a few times before prompting. I just advise users to not save credentials on workgroup computers and it seems to work fine. As soon as I educate the users to not save credentials they have no issues.
     
  3. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,359
    Documentation that fires on password change (or before) that reminds people to update their password in all their attached devices, and every other piece of software that saves passwords, and auths against AD but doesn't use single sign-on.
     
  4. eixt

    eixt Member

    Joined:
    Apr 9, 2003
    Messages:
    1,302
    Location:
    Canberra
  5. OP
    OP
    7nothing

    7nothing Member

    Joined:
    Feb 15, 2002
    Messages:
    1,541
    Location:
    Brisbane
    I believe this relates to cached credentials (as in being able to log on to workstation when it doesn't have a connection to domain controller, so long as you've logged on to that workstation already), plus our users' UPN and SAM account names are the same.

    I'm talking about saved credentials (those that appear in Control Panel > Credential Manager).

    Do you have a script that actually presses a sharp blade into a user's leg when they ignore every piece of communication from IT?
     
  6. NiRdoC

    NiRdoC Member

    Joined:
    Jun 27, 2002
    Messages:
    200
    Location:
    Cairns
    Disable Credential Manager?
     
  7. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,359
    I could make it disable the coffee machine. Much worse in many cases.
     
  8. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,770
    Location:
    Brisbane
    You want to get stabbed? That's how you get stabbed haha
     
  9. ^catalyst

    ^catalyst Member

    Joined:
    Jun 27, 2001
    Messages:
    11,913
    Location:
    melbourne
    P1 - Kitchen - All users affected
     
  10. fR33z3

    fR33z3 Member

    Joined:
    Jul 16, 2001
    Messages:
    2,164
    Location:
    Perth
    I've been tripped up by this in the past.

    Felt like a right numpty trying to tell my colleague that all my apps are shutdown and there is no way anything is trying to logon.

    Is this possible? I could see it addressing the lockout issue, but I could also see it leading to post-it notes of passwords littered around the place.

    It's a shame that Windows doesn't pop up a warning when a saved credential fails login, as opposed to firing off the same password and locking out the account.
     
  11. OP
    OP
    7nothing

    7nothing Member

    Joined:
    Feb 15, 2002
    Messages:
    1,541
    Location:
    Brisbane
    More "utterly terrible design" than a shame. Even when the first login with saved credentials fails and it pops up a login prompt, no matter how many times you enter the new password and check "Remember this password", it decides instead to stick with what's in credential manager and lock your account.
     
  12. RyoSaeba

    RyoSaeba Member

    Joined:
    Sep 11, 2001
    Messages:
    13,038
    Location:
    Perth
    Absolutely. And since it has a blinky light on it, it automatically falls under IT.
     
  13. NiRdoC

    NiRdoC Member

    Joined:
    Jun 27, 2002
    Messages:
    200
    Location:
    Cairns
    Yep, can be done with group policy or simply disabling the service.
     
  14. m0n4g3

    m0n4g3 Member

    Joined:
    Aug 5, 2009
    Messages:
    3,716
    Location:
    Perth, WA
    Computer Config > Preferences > Control Panel Settings > Services > Service (Name: Vaultsvc)

    Stop and disable it.

    Just make sure you delete the files in the cached credential folder too.

    %appdata%\Microsoft\Vault\
    %appdata%\Microsoft\Credentials\
    %localappdata%\Microsoft\Credentials\
    %localappdata%\Microsoft\Vault\

    Otherwise you disable it, but don't clear the credentials!
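
The steps in the last post, as an added PowerShell example that is not part of the original thread. The script name and the `-DisableService` switch are assumptions; the four folders are per-user, so the cleanup has to run in each user's own session (for example a logon script), while the service change needs an elevated session.

```powershell
# Clear-SavedCredentials.ps1 (hypothetical name) - added example, not from the thread.
# Run with -WhatIf first to see what would be removed without changing anything.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$DisableService   # assumption: only pass this from an elevated session
)

# The four per-user stores listed in the post above.
$stores = @(
    "$env:APPDATA\Microsoft\Vault",
    "$env:APPDATA\Microsoft\Credentials",
    "$env:LOCALAPPDATA\Microsoft\Credentials",
    "$env:LOCALAPPDATA\Microsoft\Vault"
)

# 1. Record what is saved before touching anything, so the user can be told
#    which targets (Outlook, mapped drives, ...) will prompt again.
Write-Output ("Saved credentials for {0}:" -f $env:USERNAME)
& cmdkey.exe /list

# 2. Stop and disable the Credential Manager service (VaultSvc).
if ($DisableService) {
    $svc = Get-Service -Name VaultSvc -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and disable service')) {
        Stop-Service -Name VaultSvc -Force
        Set-Service -Name VaultSvc -StartupType Disabled
    }
}

# 3. Clear the stored entries; disabling the service alone leaves them on disk.
foreach ($dir in $stores) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force so hidden/system files in these folders are included.
    $items = @(Get-ChildItem -LiteralPath $dir -Force -Recurse -File)
    Write-Output ("{0}: {1} file(s)" -f $dir, $items.Count)
    foreach ($f in $items) {
        Remove-Item -LiteralPath $f.FullName -Force   # honours -WhatIf
    }
}
```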
     
