Forum Discussion
It's getting locked out because of a bad username or password, and it's coming ONLY from one of the collectors. Once we unlock the account it will work fine for hours, days, or weeks. Then out of the blue, it just starts failing with bad password until the account is locked. The only way we've been able to keep LM running is to set up a cron job that checks if the account is locked out every 5 seconds and unlocks it if it is, and it has worked for several weeks now.
I'm assuming the creds are stored as wmi.user and wmi.pass. Sounds like some dataSource isn't respecting that those are set and is using the account the collector is set to. Tracking down that culprit takes some effort going through DataSource code and evaluating how each is utilizing the credentials or not.
My first stab at that would be to pull all of the 'Sources from the REST API using PowerShell into an array, then filtering for any script that doesn't -match the string "wmi.user".
Alternatively, if you can match it to a specific PID (usually needs conversion from Hex in the event logs), get-wmiobject win32_process | where processid -eq <PID> might get you at the commandline property to see which script is being called to be able to more positively match it, but that's got a short lifespan.
Tying a lockout cadence to it could allow you to sort the dataSources by run frequency to help narrow it down as well.
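The PID lookup suggested in the reply above, as an added PowerShell example that is not part of the original thread. It assumes the collector's Security log records the credential use as event 4648 (explicit-credential logon), that it runs elevated on the collector, and that `svc-lm-wmi` is a placeholder for the locked-out account; it polls because the process is short-lived.

```powershell
# Added example: map hex PIDs in Security events to the command line that used the account.
# Assumptions: event ID 4648 carries the PID; 'svc-lm-wmi' is a placeholder account name.
param(
    [string]$Account   = 'svc-lm-wmi',  # placeholder, replace with the locked-out account
    [int]$EventId      = 4648,          # assumed event ID, adjust to what your log shows
    [int]$PollSeconds  = 2
)

$since = Get-Date
while ($true) {
    $next   = Get-Date
    $filter = @{ LogName = 'Security'; Id = $EventId; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $since  = $next

    foreach ($evt in $events) {
        # Flatten <EventData><Data Name="..."> into a hashtable
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['TargetUserName'] -ne $Account -or -not $data['ProcessId']) { continue }

        # The event XML stores the PID as hex text (e.g. 0x1a2c); Convert accepts the 0x prefix
        $procId = [Convert]::ToUInt32($data['ProcessId'], 16)

        # The process may already be gone, so keep the image path from the event as a fallback
        $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue
        $parent = if ($proc) {
            Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue
        }

        [pscustomobject]@{
            Time          = $evt.TimeCreated
            Target        = $data['TargetServerName']
            Pid           = $procId
            Image         = $data['ProcessName']
            CommandLine   = if ($proc) { $proc.CommandLine } else { '(process already exited)' }
            ParentCommand = if ($parent) { $parent.CommandLine } else { $null }
        }
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Piping the output to `Export-Csv -Append` keeps a record across lockout bursts, so the timestamps can be lined up against DataSource run frequency.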
- 18 days ago
That sounds awesome, how do you do any of that?
- 17 days ago
And the service account the collector is running with is the same account and password used for wmi.user/pass and winrm.user/pass. Even if it ignores what properties we set, it should still be good since we're using the same account for everything.
- 16 days ago
LM support recommended using a separate account for wmi and winrm. We set up two new accounts, updated the attributes, and restarted the collectors. In under a minute both accounts were locked out. All coming from one of the log collectors.
We asked about removing it and rebuilding it, and we were told that all configuration data is stored in LM so we would just run into the same problem.