IT Management Suite

Hi Shiv Choudhary!

1. When this account locking started? Was there recently password change in AD for this Domain account?
https://knowledge.broadcom.com/external/article/237958/authentication-connectivity-credential-a.html
https://knowledge.broadcom.com/external/article/157377/application-identity-account-lockout.html

2. What version of SMP/Asset Management solution you have?

3. If current NS AppIdentity account (domain account) recently changed password in AD, then need to check other place in SMP Console to make sure that this account wasn't manually specified with previous old password (if yes, need to type there a new password and save changes)

- If You have Hierarchy, right click on NS > edit and update password if there are used manual credentials

- Also if there are stand-alone replication rules with manual credentials specified, need to review them and update password if there is affected Account is used.

- Possible that there are some tasks which has domain account specified to "run as" and there is an old password used which causes account lock

   Here is a KB where you can check which tasks have a custom credentials specified and review them for affected domain account
    https://knowledge.broadcom.com/external/article?articleId=170069

- If you are using "CEM Gateway" and there is NS AppIdentity account is specified to send report data to your Notification Server, then need to open "Gateway Manager UI" on Gateway server and specify there new Domain Account password.

- Check AD Import rules, if they have manually specified this domain account there

- Check "Connection Profiles" for different protocols which are used for Network Discovery tasks, Agentless Monitoring, Virtual Machine Management solution.

- When your Domain Account password was changed in AD, did you open a Symantec Installation Manager and specified there a new password and configured it?

Best regards,
IP.

Hi Igor ,
Our client machines are constantly trying to connect to the NS child server and do not have an updated password. So they are continuously trying to contact NS with wrong password which is causing account locking again and again.
The Altiris account password NS clients (field systems) are using to connect back to the NS (Altiris child servers) contains incorrect password information.
Also plz tell me how can we update new password for all client machines in one go so that all machine connect with updated password whenever they connect to notification server.Let me know if we use the option Use these credentials & update here the new password then client machines will try contacting with the new password or not . Also how can we enter the username : username or Domain\username .

Also let us know the resolution of error that we are getting in the attached screenshot . 

Hi Shiv Choudhary!

1. When this account locking started? Was there recently password change in AD for this Domain account?
https://knowledge.broadcom.com/external/article/237958/authentication-connectivity-credential-a.html
https://knowledge.broadcom.com/external/article/157377/application-identity-account-lockout.html

2. What version of SMP/Asset Management solution you have?

3. If current NS AppIdentity account (domain account) recently changed password in AD, then need to check other place in SMP Console to make sure that this account wasn't manually specified with previous old password (if yes, need to type there a new password and save changes)

- If You have Hierarchy, right click on NS > edit and update password if there are used manual credentials

- Also if there are stand-alone replication rules with manual credentials specified, need to review them and update password if there is affected Account is used.

- Possible that there are some tasks which has domain account specified to "run as" and there is an old password used which causes account lock

   Here is a KB where you can check which tasks have a custom credentials specified and review them for affected domain account
    https://knowledge.broadcom.com/external/article?articleId=170069

- If you are using "CEM Gateway" and there is NS AppIdentity account is specified to send report data to your Notification Server, then need to open "Gateway Manager UI" on Gateway server and specify there new Domain Account password.

- Check AD Import rules, if they have manually specified this domain account there

- Check "Connection Profiles" for different protocols which are used for Network Discovery tasks, Agentless Monitoring, Virtual Machine Management solution.

- When your Domain Account password was changed in AD, did you open a Symantec Installation Manager and specified there a new password and configured it?

Best regards,
IP.

Hi Shiv Choudhary!

1. You mean that after 6 months, now agents start to lock account on that Child NS server again?
How you identified that this is exactly caused by Symantec Management agent?
There is a lot of other soft and places and actions which can cause account lock...

2. About "Global Agent Settings" page - Authentication tab

Specify there domain\username

3. To avoid error message in UI when you tried to save changes, need to change this core setting value.
Example:
Or change it from this place on NS:
C:\ProgramData\Symantec\SMP\Settings\CoreSettings.config
<customSetting key="ScheduleManagerInterop" type="local" value="1" upgradeIf="ne" />

4. In cases when Domain account always locked by someone, better to create a new domain account and use it as NS AppIdentity... Open Symantec Installation Manager and proceed with steps shown in previous comments above to apply new AppIdentity account.

Or reinstall agents on client computers as suggested in this KB https://knowledge.broadcom.com/external/article/157377/application-identity-account-lockout.html

Best regards,
IP.

Hi Igor ,
Our client machines are constantly trying to connect to the NS child server and do not have an updated password. So they are continuously trying to contact NS with wrong password which is causing account locking again and again.
The Altiris account password NS clients (field systems) are using to connect back to the NS (Altiris child servers) contains incorrect password information.
Also plz tell me how can we update new password for all client machines in one go so that all machine connect with updated password whenever they connect to notification server.Let me know if we use the option Use these credentials & update here the new password then client machines will try contacting with the new password or not . Also how can we enter the username : username or Domain\username .

Also let us know the resolution of error that we are getting in the attached screenshot . 

Hi Shiv Choudhary!

1. When this account locking started? Was there recently password change in AD for this Domain account?
https://knowledge.broadcom.com/external/article/237958/authentication-connectivity-credential-a.html
https://knowledge.broadcom.com/external/article/157377/application-identity-account-lockout.html

2. What version of SMP/Asset Management solution you have?

3. If current NS AppIdentity account (domain account) recently changed password in AD, then need to check other place in SMP Console to make sure that this account wasn't manually specified with previous old password (if yes, need to type there a new password and save changes)

- If You have Hierarchy, right click on NS > edit and update password if there are used manual credentials

- Also if there are stand-alone replication rules with manual credentials specified, need to review them and update password if there is affected Account is used.

- Possible that there are some tasks which has domain account specified to "run as" and there is an old password used which causes account lock

   Here is a KB where you can check which tasks have a custom credentials specified and review them for affected domain account
    https://knowledge.broadcom.com/external/article?articleId=170069

- If you are using "CEM Gateway" and there is NS AppIdentity account is specified to send report data to your Notification Server, then need to open "Gateway Manager UI" on Gateway server and specify there new Domain Account password.

- Check AD Import rules, if they have manually specified this domain account there

- Check "Connection Profiles" for different protocols which are used for Network Discovery tasks, Agentless Monitoring, Virtual Machine Management solution.

- When your Domain Account password was changed in AD, did you open a Symantec Installation Manager and specified there a new password and configured it?

Best regards,
IP.

So, please let me know how we can update these systems with new user credentials that is Assetadmin?
Account lockout problem is never resolved in our environment and it has become a never ending thing for us , so kindly help us with it.

Also, I have noted one thing that as soon as office hours are over i.e., after 6-7 pm the admin account is not locked out whereas during office hours it gets locked within minutes or even faster.

It means that the source of account lockout is only from field machines and not from local server, because if some credentials are not updated at server end, then account lockout behavior should not behave like this & the account lockout incident would have uniform throughout the day & night .

Hi Shiv Choudhary!

1. You mean that after 6 months, now agents start to lock account on that Child NS server again?
How you identified that this is exactly caused by Symantec Management agent?
There is a lot of other soft and places and actions which can cause account lock...

2. About "Global Agent Settings" page - Authentication tab

Specify there domain\username

3. To avoid error message in UI when you tried to save changes, need to change this core setting value.
Example:
Or change it from this place on NS:
C:\ProgramData\Symantec\SMP\Settings\CoreSettings.config
<customSetting key="ScheduleManagerInterop" type="local" value="1" upgradeIf="ne" />

4. In cases when Domain account always locked by someone, better to create a new domain account and use it as NS AppIdentity... Open Symantec Installation Manager and proceed with steps shown in previous comments above to apply new AppIdentity account.

Or reinstall agents on client computers as suggested in this KB https://knowledge.broadcom.com/external/article/157377/application-identity-account-lockout.html

Best regards,
IP.

Hi Igor ,
Our client machines are constantly trying to connect to the NS child server and do not have an updated password. So they are continuously trying to contact NS with wrong password which is causing account locking again and again.
The Altiris account password NS clients (field systems) are using to connect back to the NS (Altiris child servers) contains incorrect password information.
Also plz tell me how can we update new password for all client machines in one go so that all machine connect with updated password whenever they connect to notification server.Let me know if we use the option Use these credentials & update here the new password then client machines will try contacting with the new password or not . Also how can we enter the username : username or Domain\username .

Also let us know the resolution of error that we are getting in the attached screenshot . 

Hi Shiv Choudhary!

1. When this account locking started? Was there recently password change in AD for this Domain account?
https://knowledge.broadcom.com/external/article/237958/authentication-connectivity-credential-a.html
https://knowledge.broadcom.com/external/article/157377/application-identity-account-lockout.html

2. What version of SMP/Asset Management solution you have?

3. If current NS AppIdentity account (domain account) recently changed password in AD, then need to check other place in SMP Console to make sure that this account wasn't manually specified with previous old password (if yes, need to type there a new password and save changes)

- If You have Hierarchy, right click on NS > edit and update password if there are used manual credentials

- Also if there are stand-alone replication rules with manual credentials specified, need to review them and update password if there is affected Account is used.

- Possible that there are some tasks which has domain account specified to "run as" and there is an old password used which causes account lock

   Here is a KB where you can check which tasks have a custom credentials specified and review them for affected domain account
    https://knowledge.broadcom.com/external/article?articleId=170069

- If you are using "CEM Gateway" and there is NS AppIdentity account is specified to send report data to your Notification Server, then need to open "Gateway Manager UI" on Gateway server and specify there new Domain Account password.

- Check AD Import rules, if they have manually specified this domain account there

- Check "Connection Profiles" for different protocols which are used for Network Discovery tasks, Agentless Monitoring, Virtual Machine Management solution.

- When your Domain Account password was changed in AD, did you open a Symantec Installation Manager and specified there a new password and configured it?

Best regards,
IP.

Hi Shiv Choudhary!

Since you have SMP 8.5 version (I thought that it is 8.5 RU4), so is there latest 8.5 POST RU4 cumulative point fix installed on all available SMP Servers?
You can check what Point fixes are installed on each SMP server from registry.
Do you have the same like on example below?

Here is a common KB https://knowledge.broadcom.com/external/article?articleId=232242 describing known problem that Agents weren't able to register with Task Server(s) due to error "The logon attempt failed (0x8009030C)"

If this issue is reproducible on your environment, then you need to download latest available point fix "SMA_SMP_8_5_POST_RU4_v11_23Feb_1658753544895.zip" from https://knowledge.broadcom.com/external/article/198337/cumulative-post-itms-85-ru4-point-fixes.html 
and install it on each SMP Server (This installed point fix will required to upgrade SMA on every managed client computer and Task Server on every Site Server.

Best regards,
IP.

So, please let me know how we can update these systems with new user credentials that is Assetadmin?
Account lockout problem is never resolved in our environment and it has become a never ending thing for us , so kindly help us with it.

Also, I have noted one thing that as soon as office hours are over i.e., after 6-7 pm the admin account is not locked out whereas during office hours it gets locked within minutes or even faster.

It means that the source of account lockout is only from field machines and not from local server, because if some credentials are not updated at server end, then account lockout behavior should not behave like this & the account lockout incident would have uniform throughout the day & night .

Hi Shiv Choudhary!

1. You mean that after 6 months, now agents start to lock account on that Child NS server again?
How you identified that this is exactly caused by Symantec Management agent?
There is a lot of other soft and places and actions which can cause account lock...

2. About "Global Agent Settings" page - Authentication tab

Specify there domain\username

3. To avoid error message in UI when you tried to save changes, need to change this core setting value.
Example:
Or change it from this place on NS:
C:\ProgramData\Symantec\SMP\Settings\CoreSettings.config
<customSetting key="ScheduleManagerInterop" type="local" value="1" upgradeIf="ne" />

4. In cases when Domain account always locked by someone, better to create a new domain account and use it as NS AppIdentity... Open Symantec Installation Manager and proceed with steps shown in previous comments above to apply new AppIdentity account.

Or reinstall agents on client computers as suggested in this KB https://knowledge.broadcom.com/external/article/157377/application-identity-account-lockout.html

Best regards,
IP.

Hi Igor ,
Our client machines are constantly trying to connect to the NS child server and do not have an updated password. So they are continuously trying to contact NS with wrong password which is causing account locking again and again.
The Altiris account password NS clients (field systems) are using to connect back to the NS (Altiris child servers) contains incorrect password information.
Also plz tell me how can we update new password for all client machines in one go so that all machine connect with updated password whenever they connect to notification server.Let me know if we use the option Use these credentials & update here the new password then client machines will try contacting with the new password or not . Also how can we enter the username : username or Domain\username .

Also let us know the resolution of error that we are getting in the attached screenshot . 

Hi Shiv Choudhary!

1. When this account locking started? Was there recently password change in AD for this Domain account?
https://knowledge.broadcom.com/external/article/237958/authentication-connectivity-credential-a.html
https://knowledge.broadcom.com/external/article/157377/application-identity-account-lockout.html

2. What version of SMP/Asset Management solution you have?

3. If current NS AppIdentity account (domain account) recently changed password in AD, then need to check other place in SMP Console to make sure that this account wasn't manually specified with previous old password (if yes, need to type there a new password and save changes)

- If You have Hierarchy, right click on NS > edit and update password if there are used manual credentials

- Also if there are stand-alone replication rules with manual credentials specified, need to review them and update password if there is affected Account is used.

- Possible that there are some tasks which has domain account specified to "run as" and there is an old password used which causes account lock

   Here is a KB where you can check which tasks have a custom credentials specified and review them for affected domain account
    https://knowledge.broadcom.com/external/article?articleId=170069

- If you are using "CEM Gateway" and there is NS AppIdentity account is specified to send report data to your Notification Server, then need to open "Gateway Manager UI" on Gateway server and specify there new Domain Account password.

- Check AD Import rules, if they have manually specified this domain account there

- Check "Connection Profiles" for different protocols which are used for Network Discovery tasks, Agentless Monitoring, Virtual Machine Management solution.

- When your Domain Account password was changed in AD, did you open a Symantec Installation Manager and specified there a new password and configured it?

Best regards,
IP.