Overview
The domain admin account that you use for GFI services keeps getting locked out. Resetting or changing the password doesn't help.
Solution
LanGuard often needs to connect to remote machines to gather information and patch vulnerabilities. By default, the service account set for the GFI LanGuard 12 Attendant Service is used to connect to the target computers, in both domain and mixed environments.
Various factors, environmental changes, or incorrect settings can result in the account getting locked out. To resolve this, check the following:
- LNSSCommunicator, the DCOM object that allows the LanGuard server to communicate with the agents, might have explicitly set credentials with an outdated or incorrect password.
  - Open DCOMcnfg (press Windows Key + R, type dcomcnfg, and press Enter).
  - Expand Component Services > Computers > My Computer > DCOM Config.
  - Locate LNSSCommunicator, right-click it, and open Properties.
  - Check the settings in the Identity tab. Choose The launching user option here, which by default will be the GFI LanGuard 12 Attendant Service.
- LanGuard allows users to specify "alternative credentials" for connecting to specific machines. If you configured the GFI service account credentials as "alternative credentials" for a computer and the password was changed later, this may lead to periodic lockouts too. If the logon to the remote machine fails with the service account credentials (for whatever reason), the GFI product immediately retries with the "alternative credentials," thereby increasing the failed login count and leading to the account getting locked out.
  You can find computers with alternative credentials in the LanGuard console > Dashboard > Computers tab. In the General information > Credentials column, you will see which computers have alternative credentials set.
  Right-click the computer with incorrect alternative credentials to verify or change the credentials set. Clear the "Authenticate using" checkmark, or use an administrative account other than the GFI service account for the "alternative credentials". Refer to the Best Practices for Setting up Account Permissions with Alternative Credentials in LanGuard to determine the recommended credentials setup for your environment.
  If you have a single domain environment, there is normally no need to specify alternative credentials at all for any LanGuard operations, as long as the service account used by the LanGuard 12 Attendant service has the necessary permissions to access the target machines.
- If you configured the GFI service account credentials as "alternative credentials" in the domain group properties, this might lead to the same problems as with a single machine. Navigate to the domain group in the LanGuard console Computer Tree, right-click it to view the properties, and if the "Authenticate using" box is ticked and credentials are set there, please untick it.
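The DCOM Identity setting from the first item can also be read without the GUI. The following read-only PowerShell check is an added example, not GFI code; it assumes the DCOM application and service display names contain the names used in this article, and it should be run elevated on the LanGuard server.

```powershell
# Added example (not GFI code): read-only check of the LNSSCommunicator DCOM identity.
# Assumption: the name patterns below match the display names used in this article.
$appIdRoot = 'HKLM:\SOFTWARE\Classes\AppID'

# Logon account of the Attendant service (per this article, the default launching user).
$service = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like '*LanGuard*Attendant*' }

# DCOM applications are registered as subkeys whose default value is the display name.
$apps = Get-ChildItem -LiteralPath $appIdRoot -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.'(default)' -like '*LNSSCommunicator*' }

if (-not $apps) {
    Write-Warning 'No DCOM application matching LNSSCommunicator found on this machine.'
}

foreach ($app in $apps) {
    # RunAs is absent for "The launching user", "Interactive User" for the
    # interactive option, and an account name when "This user" is selected.
    $prop  = $app.PSObject.Properties['RunAs']
    $runAs = if ($prop) { [string]$prop.Value } else { '' }

    if ([string]::IsNullOrWhiteSpace($runAs)) {
        $identity = 'The launching user'
    } elseif ($runAs -eq 'Interactive User') {
        $identity = 'The interactive user'
    } else {
        $identity = 'This user (explicit credentials stored)'
    }

    [pscustomobject]@{
        DcomApplication = $app.'(default)'
        AppId           = $app.PSChildName
        Identity        = $identity
        RunAs           = $runAs
        ServiceAccount  = ($service.StartName -join ', ')
        # Anything other than "The launching user" differs from the setting this
        # article recommends; a named account means a stored password that can go stale.
        NeedsReview     = ($identity -ne 'The launching user')
    }
}
```

A row with NeedsReview set to True means the Identity tab should be switched back to The launching user as described in the first item.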
Testing
Give LanGuard time to perform its daily scheduled operations and verify that the account lockouts are gone. If the issue persists, contact GFI LanGuard Support.