[41151] in Resnet-Forum


Re: Exchange and ActiveSync

daemon@ATHENA.MIT.EDU (Lightbody, Erik J)
Thu Apr 14 15:04:14 2016

Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_83915F7DB5BB9A48AD5AC78CAB4BDF3C0180492C27SMCEXMBX03mik_"
MIME-Version: 1.0
Message-ID:  <83915F7DB5BB9A48AD5AC78CAB4BDF3C0180492C27@SMCEXMBX03.mikenet.smcvt.edu>
Date:         Thu, 14 Apr 2016 19:03:17 +0000
Reply-To: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
From: "Lightbody, Erik J" <elightbody@smcvt.edu>
To: RESNET-L@LISTSERV.ND.EDU
In-Reply-To:  <C9753E8B40870A488B0D4E8D50FAC15A44226606@Messenger9.central.edu>

--_000_83915F7DB5BB9A48AD5AC78CAB4BDF3C0180492C27SMCEXMBX03mik_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Sandra,

So first, a little background on how I track down devices that lock out accounts:

We use a combination of tools to find what device is locking out accounts. First, I use the Lockout Status tool from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=15201 This shows you which Domain Controller the account is locked out on. Then, check out the Security Logs on that Domain Controller (Start Menu --> Right click on Computer --> Manage --> Event Viewer --> Windows Logs --> Security). Filter the log to the exact time, down to the second, specified in the Lockout Status tool. You'll likely have a number of entries (usually there are a few hundred), so I usually sort by event type after filtering. "User Account Management" is the event type you're looking for. Open the entry and scroll down - it will show you the referenced account name, state that it has been locked out, and show you the "caller computer name". That "caller computer name" is what you're looking for - it will either show a known domain machine, an end-user computer ("Erik's-PC" or "Eriks-MacBookPro" for example), or just a blank field. If it's blank it usually means it's a mobile device of some kind.

Once it's established that it's a mobile device, I remove all references to that account name. For us that means Exchange email and saved connections to our 802.1x wifi networks. Don't bother trying to update the passwords - remove the account altogether, and "forget" the wifi network. Since you're using O365 I would sign out of any apps using that account, and make sure to check their browsers for saved passwords as well. Once the lockouts stop, add back one service at a time. Most of these devices don't have a "keychain" or similar service that centrally stores the credentials - you'll have to go app by app.

Hope this helps, if you have any questions please let me know,

Erik Lightbody
Assistant Director - Technical Services
Saint Michael's College

From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Sandy Verhoef
Sent: Thursday, April 14, 2016 12:26 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Exchange and ActiveSync

We are looking for a reason/solution to the following problem:

Our campus uses an Exchange server, and we allow users to connect their mobile devices to Exchange to receive their email, and Active Directory to authenticate. In the past few months, we are getting users locked out of their accounts, and we have traced it back to their mobile devices using ActiveSync. It 'looks' like their mobile devices are using old passwords. We know this because if the user reenters the current password, then the 'locked' issues stop. SO, are there cached passwords that are being used, and if so, where are these stored. We are seeing this on Android devices, and iPads and iPhones. HOWEVER, not all users are affected.

Other items: Around the same time these items started, we implemented a self serve password management program called PortalGuard. Also, we started work on implementing Office 365.

Thank you to any that can offer ideas or solutions!

SANDRA VERHOEF
Director of Computer Support Services | Central College
812 University Street |Campus Box 5500 |Pella, Iowa 50219

verhoefs@central.edu | www.central.edu
Office: 641.628.7692|Fax: 641.628.5316

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________

--_000_83915F7DB5BB9A48AD5AC78CAB4BDF3C0180492C27SMCEXMBX03mik_--
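
The lockout-tracing procedure in the reply above, scripted as an added example that is not part of the original message: it filters Security-log records exported as XML down to the lockout event for one account at one second and reads the caller computer name. It assumes the lockout record is event ID 4740, where TargetUserName is the locked account and TargetDomainName carries the caller computer name; the function name and all sample hostnames, accounts and times are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
X = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'

def _event(eid, when, user, caller):
    """Build one constructed Security-log record in Windows event XML layout."""
    return (f'<Event {X}><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="TargetDomainName">{caller}</Data>'
            f'</EventData></Event>')

# Constructed sample export: hostnames, accounts and times are made up.
SAMPLE = "<Events>" + "".join([
    _event(4740, "2016-04-14T16:20:31.512Z", "jdoe", "ERIKS-PC"),
    _event(4740, "2016-04-14T16:25:02.104Z", "asmith", ""),
    _event(4724, "2016-04-14T16:25:02.900Z", "asmith", "CAMPUS"),
    _event(4740, "2016-04-14T18:00:00.000Z", "asmith", "LAB-07"),
]) + "</Events>"

def find_lockouts(xml_text, account, lockout_time, slack_seconds=1):
    """Return (time, caller, verdict) for 4740 events matching account and time.

    lockout_time must be UTC, because SystemTime in the event XML is UTC.
    """
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4740":
            continue  # keep only "A user account was locked out"
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("TargetUserName", "").lower() != account.lower():
            continue
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
        if abs(when - lockout_time) > timedelta(seconds=slack_seconds):
            continue  # outside the second reported for the lockout
        caller = data.get("TargetDomainName", "")
        verdict = "named computer" if caller else "blank: likely mobile device"
        hits.append((when.isoformat(), caller, verdict))
    return hits

if __name__ == "__main__":
    for row in find_lockouts(SAMPLE, "asmith", datetime(2016, 4, 14, 16, 25, 2)):
        print(row)
```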
