Kiowa
In a large domain I see a certain type of account lockout 'situation.' I'm unable to get solid proof and have only been able to speculate and present the idea with supporting artifacts. The issue that occurs is that a user gets locked out of their account for no known common reason that they can identify. The users have been business-side, so they're not running services. I believe that they are sharing a mailbox with someone and that person is the source of the credential issues. I could provide a large amount of detail here, but perhaps it would be easier if someone knows what takes place in authentication with shared mailboxes and how it would be logged in the security logs, or if someone has seen this situation, resolved the workflow and identified the issue. What would the event log trail look like? Is this even a possible situation? I've followed the Kerberos ticket around. If an admin is accessing a higher-up's mailbox, how can they be identified in locking out their direct report? I don't have access to Exchange to see who is sharing. Accounts, sharing, Exchange, authentication.