Surely this happens anywhere that has a lockout policy and doesn't prevent creds from being saved? #1 case of lockouts in our environment (typing skills of dudes who need to toggle capslock to get an upper case letter cos they don't have the dexterity to hold down shift and press a key is probably #2), is from credentials being saved prior to a password change. Usually it's Outlook RPC over HTTPS, so it doesn't come up consistently as users are normally on direct RPC connection (maybe Microsoft's solution is upgrade to Ex2013 so everything is proxied?). Does anyone know of an actual workable solution?
We get this all the time, even with Exchange 2013 for workgroup computers over HTTPS. I think the credentials get saved and then Outlook opens and tries to authenticate in the background a few times before prompting. I just advise users to not save credentials on workgroup computers and it seems to work fine. Soon as I educate the users to not save credentials they have no issues.
Documentation that fires on password change (or before) that reminds people to update their password in all their attached devices, and every other piece of software that saves passwords, and auths against AD but doesn't use single sign-on.
I believe this relates to cached credentials (as in being able to log on to workstation when it doesn't have a connection to domain controller, so long as you've logged on to that workstation already), plus our users' UPN and SAM account names are the same. I'm talking about saved credentials (those that appear in Control Panel > Credential Manager). Do you have a script that actually presses a sharp blade into a user's leg when they ignore every piece of communication from IT?
I've been tripped up by this in the past. Felt like a right numpty trying to tell my colleague that all my apps are shut down and there is no way anything is trying to log on. Is this possible? I could see it addressing the lockout issue, but I could also see it leading to post-it notes of passwords littered around the place. It's a shame that Windows doesn't pop up a warning when a saved credential fails login, as opposed to firing off the same password and locking out the account.
More "utterly terrible design" than a shame. Even when the first login with saved credentials fails and it pops up a login prompt, no matter how many times you enter the new password and check "Remember this password", it decides instead to stick with what's in credential manager and lock your account.
Computer Config > Preferences > Control Panel Settings > Services > Service (Name: Vaultsvc). Stop and disable it. Just make sure you delete the files in the cached credential folder too:
%appdata%\Microsoft\Vault\
%appdata%\Microsoft\Credentials\
%localappdata%\Microsoft\Credentials\
%localappdata%\Microsoft\Vault\
Otherwise you disable it, but don't clear the credentials!
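The cleanup step from the last comment, as an added PowerShell example that is not part of the thread: it inventories the four per-user folders named above and deletes their files only when run without `-WhatIf`. The function name `Clear-SavedCredentialStore` and its output columns are assumptions made for this example.

```powershell
# Added example (not from the thread): inventory and clear the current user's
# saved-credential folders. Function name and output shape are hypothetical.
function Clear-SavedCredentialStore {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # The four folders listed in the comment above (all per-user paths).
        [string[]]$Path = @(
            "$env:APPDATA\Microsoft\Vault",
            "$env:APPDATA\Microsoft\Credentials",
            "$env:LOCALAPPDATA\Microsoft\Credentials",
            "$env:LOCALAPPDATA\Microsoft\Vault"
        )
    )
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) {
            [pscustomobject]@{ Folder = $dir; Files = 0; Removed = 0; Note = 'not present' }
            continue
        }
        # -Force so hidden and system files are included in the inventory.
        $files = @(Get-ChildItem -LiteralPath $dir -Recurse -Force -File -ErrorAction SilentlyContinue)
        $removed = 0
        foreach ($f in $files) {
            # ShouldProcess honours -WhatIf and -Confirm, so a dry run deletes nothing.
            if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete saved credential file')) {
                try {
                    Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
                    $removed++
                } catch {
                    Write-Warning "Could not delete $($f.FullName): $($_.Exception.Message)"
                }
            }
        }
        [pscustomobject]@{ Folder = $dir; Files = $files.Count; Removed = $removed; Note = '' }
    }
}

# Service state, to compare with what the GPO preference is meant to enforce.
Get-Service -Name VaultSvc | Select-Object Name, Status, StartType

# Dry run: lists what would be deleted and removes nothing.
Clear-SavedCredentialStore -WhatIf | Format-Table -AutoSize
```

Because the paths resolve from `%appdata%` and `%localappdata%`, the function only touches the profile of the account it runs under, and it removes every saved credential in those folders rather than just the stale one.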