Wednesday, December 02, 2015

Possible Microsoft Active Directory Domain Lockout Bug?

Good day IT admins,

We at NMP Consulting have now had four separate clients report that Active Directory accounts are being locked out after a password change. It appears that if the user is logged in anywhere after their password has expired and the user changes it, or if it is changed manually, the account is locked out within seconds. This won't happen with local accounts, unless there are Terminal Servers with local accounts that are logged in multiple times. So you may have to look for that as well.

The "old" login (where the user has not logged out) keeps attempting to re-authenticate with the old credentials and locks the user out. What is especially troubling is that the normal default level of logging in your 'Security' event logs does not show the failed attempts. You have to turn up the detail of logging by creating a group policy in order to discover which computer is still logged in with the user's account:

In your Group Policy Editor or Local Computer Policy:

Go to - Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Advanced Audit Policy Configuration \ Audit Policies \ Account Management

Double click Audit User Account Management in the right pane

Check Configure the following audit events - or go to the Policy tab.

Check Success.


Reload your policies with GPUpdate.exe if using GPO. With Local Policies the change should be effective immediately (or you can reboot if needed).

Then look for event 4740 in the event logs after that. It should identify the offending computer and account.
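Once the audit policy is active, the 4740 events can be pulled and summarised from PowerShell instead of scrolling through Event Viewer. The script below is an added example, not part of the original post; the function names and the sample event (account `jdoe`, workstation `WKSTN-042`, server `DC01.example.test`) are constructed for illustration.

```powershell
# Added example: list account-lockout events (ID 4740) with the computer that caused them.
# Confirm the audit setting first:  auditpol /get /subcategory:"User Account Management"

function ConvertFrom-LockoutEvent {
    # Turns the XML text of one 4740 event into an object with the fields that matter.
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $data = @{}
        foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeUtc        = $EventXml.Event.System.TimeCreated.SystemTime
            LockedAccount  = $data['TargetUserName']
            # In event 4740 the "Caller Computer Name" is stored in TargetDomainName.
            CallerComputer = $data['TargetDomainName']
            LoggedOn       = $EventXml.Event.System.Computer
        }
    }
}

function Get-LockoutSource {
    # Reads 4740 events from a live Security log (needs rights to read that log).
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 200)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
        ForEach-Object { $_.ToXml() } | ConvertFrom-LockoutEvent
}

# Constructed sample event (hypothetical names) so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2015-12-02T15:04:11.000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKSTN-042</Data>
    <Data Name="SubjectUserName">DC01$</Data>
  </EventData>
</Event>
'@

# Count lockouts per account and caller computer; repeat offenders sort to the top.
$sample | ConvertFrom-LockoutEvent |
    Group-Object LockedAccount, CallerComputer |
    Sort-Object Count -Descending | Select-Object Count, Name
```

Against a real log, replace the `$sample` pipeline input with `Get-LockoutSource -ComputerName <your domain controller>`.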

Right now this means that people who don't log out of their sessions will be punished for their lazy behavior. I myself hate leaving accounts logged in, so this won't affect me directly, but I am guessing a lot of people are getting a rude awakening starting yesterday. I am also guessing it started with a new Microsoft Update as our first reports began yesterday ("Patch Tuesday"), which is the normal day for new bugfixes and security updates being released.

Monday, November 23, 2015

'Face The Raven' Musings - Doctor Who 2005 S09E10 - SPOILERS

This is the first of a series of posts where I am inviting fellow Whovians to join in a discussion about Doctor Who episodes as they are released. If you haven't viewed the episode and don't want to be spoiled, come back later and discuss.

So we start with Rigsy calling the TARDIS about the mysterious tattoo on the back of his neck he can't remember getting. First scene takes place in his apartment.

The TARDIS lands

The next line from the Doctor reminds us how this one doesn't "get it" about humans, well, at least he plays it that way:

The Doctor gets around to his tattoo, which he considers boring, then "Oh, that's not boring", and the game is afoot!

I love how he calls Rigsy "Local Knowledge".

One of my favorite parts is where the Doctor uses the tech in the TARDIS to help figure things out. This needs to happen more often in my opinion! The TARDIS is a beautiful machine that has so much more to it than just being an interesting setting or a way to get around. This is awesome. We see lots of Gallifreyan writing and we get some "Spock" as Rose used to ask for back at the beginning of the 9th Doctor episodes. So I am going to focus on it a bit more than the rest.

Rigsy gets scanned by the Doctor.

So does his phone, and Clara's doing it!

The Doctor's Monitor Screen. "Good and Weird".

The Doctor then goes on to tell Rigsy he's had significant contact with alien life forms and he's been Retconned - a Torchwood reference!

Then the Doctor sees something else. Something bad, and the cards come out...

The Doctor then lands the TARDIS, we know they have 526 minutes, and then we go looking for an alien street somewhere, by flying the TARDIS above London and having Clara hang out, because we are looking for holes in where she sees, and we eventually end up in the Doctor Who version of Diagon Alley by Rigsy accidentally defeating the misdirection circuit's effects.

It was very interesting to see all the different enemies of the Doctor or other aliens in the alley.
We meet "Mayor Me" - Ashildr, who is in control of the Quantum Shade, and the investigation slowly unfolds to where everyone is off doing their own thing (as usual), and Clara makes a very unfortunate choice as to how to move things along.

We find out that instead of meaning to kill Rigsy, Ashildr has made a deal with some unknown group to capture the Doctor and transport him somewhere else. They use a TARDIS key lock to assure it is the Doctor they are capturing.

Then Clara's actions are revealed, and suddenly the Doctor is (in my opinion) channeling his inner '9', and gets very angry. It is a FanTAStic scene, and Capaldi plays an angry Doctor wonderfully, and I think Clara has her best lines ever convincing the Doctor he can't be the Warrior again and must instead stay the Doctor. 

We all know what happens next, and I am not going to break everyone's hearts into a million pieces.

The Doctor returns to Ashildr and gives her quite a warning, saying he'll try not to get revenge, but then the Doctor speaks his most chilling line to Ashildr...

So, what do the rest of you think about this episode? I think it is the best of the 9th Season so far.

Anyone recognize these markings?

Thursday, January 15, 2015

Fixing Google Drive Sync (googledrivesync.exe) Problems.

Add another one to the WTF list. Had a client who is using Google Apps for Business and uses Drive for all their storage. One of the workstations stopped syncing, as Google Drive Sync (googledrivesync.exe) would apparently never start.

You'd get the spinning Windows 7 circle, but then the icon would never appear in the systray.

Or so I thought....

I tried everything to get it to work again, reinstalling, running it in -vv (diagnostics) and --unsafe-network modes. No dice. It would start then exit.

Nothing at all in the Event Logs.

This was a Windows 7 Pro 64-bit install with plenty of memory and CPU power.

I created another user, logged in, and voilà - the icon in the systray appeared and asked me to log in.

So this was a user profile issue.

So I went and logged back in as the trouble user, then went to the Taskbar options and hit the customize button so I could force all systray icons to appear. This is when I noticed that Google Drive Sync was in the systray icon list! The icon was invisible, but it was on the list and the text said "Shutting down..."

Only it never shut down. Couldn't find the process to get it to shut down either.

So I deleted the registry key folder "Drive" in HKEY_CURRENT_USER\Software\Google\

I then ran Revo Uninstaller - a product that has cleaned up after several poorly written uninstallers. I ran it in "advanced" uninstall mode.

I then removed any trace of the googledrivesync installer on the computer. I then rebooted, logged into the user's Google account in Chrome, went to Drive and downloaded and installed the Drive app for the PC.

It ran, started, and everything worked fine.

Note that all the files on the computer remained, and it re-synced with all the files on drive just fine. There were a few conflicts, but it created separate files for those.

Hope this helps!