ryanries / PassFiltEx

PassFiltEx. An Active Directory Password Filter.
GNU General Public License v3.0

User accounts get locked out when accessing shared folder #22

Closed htaoujouti closed 1 year ago

htaoujouti commented 2 years ago

Hi Ryanries, I used your DLL as a password filter following the instructions in the readme in your repo, but some of the users within my local domain get locked out due to the Kerberos authentication service. I changed their passwords to complex ones that respect the filter, but they keep getting locked out. I restarted the client machine before and after changing the password, and I restarted the AD, but I still have the same issue. The issue occurs once the user connects to a shared folder. Note that the majority of users have their accounts working fine, but I have this problem with some of them. It would be helpful if you could help me figure it out. Thanks.

ryanries commented 2 years ago

Is the user able to log onto their workstation with their new password, without getting locked out?

If you only experience the issue with shared folders, but the passwords work correctly in other scenarios not involving shared folders, I doubt the problem can be blamed on PassFiltEx.

htaoujouti commented 2 years ago

Hello, thanks for the reply.

1. Yes, the user is able to log in to their account, but once they connect to the shared folder the account gets locked out and they can't log in again; sometimes it keeps getting locked out out of nowhere. As I said, it's not happening to all users, but to certain ones.

2. To eliminate any registry configuration problem, I want to make sure that the configuration is correct: TokenPercentageOfPassword, REG_DWORD, Default: 60 (decimal); RequireCharClasses, REG_DWORD, Default: 15 (decimal) (for symbols, numbers, upper case and lower case letters). Is this configuration correct?

OftKilted commented 2 years ago

If they can log in, but are getting locked out when connecting to a share drive, then they likely have mapping issues to that drive location that are validated by username and password (or someone is using mappings to that location with their old account information).

Best practice would be to clear their drive mappings, verify whether your NAS / shared drive solution is configured to do single sign-on for the mapping, and then reconfigure the drive mapping to that shared location.

htaoujouti commented 2 years ago

The user can log into his account just the first time after I change his password or he changes it himself; then the account keeps getting locked even if he didn't connect to a shared folder.

Note: this does not apply to all accounts. The filter works well with the majority of them, but for some users their account gets locked. I checked their configuration and the password complexity; it's all good. I also verified the shared folder configuration, and they don't have any drive mappings; it's all based on the domain controller.

OftKilted commented 2 years ago

If it’s working for most users and you only have a small number of users getting locked out then your best point of initial investigation would be to start troubleshooting their account lockouts using the standard Microsoft tools for lockouts on your domain controllers.

You should be able to track the bad access attempts on the DCs, which should point you to the root cause of a small subset of users having issues. You likely have a cached old password somewhere on the system (email accounts and shared drives are typical culprits).

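For the lockout tracing OftKilted describes above, here is an added PowerShell example; it is not code from the PassFiltEx project or from anyone in this thread. A password filter DLL only participates in password changes, not in the Kerberos or NTLM authentication that happens afterwards, so a post-change lockout has to come from something still presenting the old credential, and the standard DC events show which machine that is. The script assumes the RSAT ActiveDirectory module, rights to read the Security log on every domain controller, and the hypothetical function name Trace-AccountLockout; 'jdoe' is a placeholder account.

```powershell
# Added example, not code from the PassFiltEx project. Assumes the RSAT
# ActiveDirectory module and read access to each DC's Security log.
Import-Module ActiveDirectory

function ConvertTo-EventData {
    # Turn an EventRecord's <EventData> into a hashtable keyed by Data Name,
    # so fields are selected by name rather than by fragile positional index.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Trace-AccountLockout {
    # Hypothetical function name (ours), not part of any Microsoft module.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)

    # The PDC emulator receives a copy of every bad-password attempt, so its
    # counters and its 4740 events are the authoritative place to start.
    $pdc = (Get-ADDomain).PDCEmulator
    Get-ADUser -Identity $SamAccountName -Server $pdc `
        -Properties LockedOut, badPwdCount, badPasswordTime, lockoutTime, PasswordLastSet |
        Select-Object SamAccountName, LockedOut, badPwdCount, PasswordLastSet,
            @{ n = 'BadPasswordTime'; e = { [DateTime]::FromFileTime($_.badPasswordTime) } },
            @{ n = 'LockoutTime';     e = { [DateTime]::FromFileTime($_.lockoutTime) } } |
        Format-List

    # Event 4740 (account locked out) is written on the PDC emulator. In its
    # EventData the TargetDomainName field carries the "Caller Computer Name",
    # i.e. the machine whose bad attempts tripped the lockout threshold.
    Write-Host "`n== 4740 lockouts on $pdc (last $Hours h) =="
    Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } | ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.TargetUserName -eq $SamAccountName) {
            [pscustomobject]@{ Time = $_.TimeCreated; CallerComputer = $d.TargetDomainName }
        }
    } | Format-Table -AutoSize

    # The failed attempts themselves land on whichever DC served the request,
    # so query every DC. 4771 = Kerberos pre-authentication failed (Status 0x18
    # is a wrong password); 4776 = NTLM credential validation failed (Status
    # 0xC000006A is a wrong password). Both carry the source host or IP.
    Write-Host "`n== bad-password attempts on all DCs (last $Hours h) =="
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776; StartTime = $since
        } | ForEach-Object {
            $d = ConvertTo-EventData $_
            # 4771 gives the bare account name; 4776 may carry DOMAIN\name.
            if (($d.TargetUserName -split '\\')[-1] -ne $SamAccountName) { return }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $dc
                Id     = $_.Id
                Status = $d.Status
                Source = if ($_.Id -eq 4771) { $d.IpAddress } else { $d.Workstation }
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
}

# Placeholder account name; run from a domain-joined admin workstation.
Trace-AccountLockout -SamAccountName 'jdoe' -Hours 24
```

A caller computer that keeps producing 4771 with Status 0x18 (or 4776 with 0xC000006A) after the password was changed is holding the old credential. On that machine, `cmdkey /list` shows credentials saved in Credential Manager and `net use` shows mapped drives with stored credentials; those, plus mail clients and scheduled tasks or services running as the user, are the usual places the old password survives.
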
ryanries commented 2 years ago

@htaoujouti did you ever figure this out?

ryanries commented 1 year ago

Closing as "no repro"