
NPM attempting to access a local user account on Windows servers and locking it every poll

NPM is locking a local user account on all Windows servers.

I determined it is the NPM module doing this, as the events continued when app monitors were removed. I unmanaged one impacted node and noticed the events stopped; once managed, it gets locked out every 30 minutes from its polling engine. The local user account is disabled and has nothing to do with polling, as a service account is specifically used for polling.

Why does NPM polling attempt to access local server accounts? I have opened a ticket with SolarWinds but so far nothing.

  • Hi,

    Are the nodes (Windows servers) being polled by WMI or Agent?
    Can you share which local account is being locked?

  • They are being polled by WMI.

    It's the guest account on Windows machines that is baked into the OS. Our organization disables it and sometimes renames it, but that is the account being impacted.

  • This would be best handled by opening a support case.  I have a feeling something is configured to poll the guest account (or worse - use it for authentication) and it'll cause problems.

    There's also a chance (albeit a small one) that someone is trying to log onto the Web Console of the platform with the local server guest's account (COMPUTERNAME\Guest) instead of the native platform's guest account (guest).

  • I have a support case open but am not getting much traction so far.

    There are no accounts using this for polling. I turned off app polling to confirm which module it is that is doing this, and it is NPM. We have only domain service accounts; no local server accounts are in use.

    SolarWinds is trying to access this local server account on every poll within Windows devices in our environment, spanning multiple domains.

    The account gets locked out every 30 min consistently on a singular device.

    We have 2 SolarWinds instances in an active-active DR situation, so at any point a single Windows server is being polled by 2 polling engines. If I unmanage the node in one environment, I can see within the security event log that the other instance's polling engine starts getting logged as locking it out.

    It is definitely a systematic attempt within NPM polling that is trying to access this guest account.

    I even attempted deleting the guest account; you have to do it through cmd line, as Windows does not allow you to delete the guest account by default. Even after deleting the account, logs continue to be generated for the access attempts of the guest account. I'm guessing there are residual objects of the account's existence somewhere.

    I do wonder if other people are seeing this.

    It is event ID 470 within the Windows security event log.

  • What platform version are you running?  I'm assuming you already uploaded diagnostics to the support portal?

  • I gave them the sanitized logs they requested, but I'm in a secure env so can't give them diagnostics.

    I'm on version 2023.4.2

  • Totally understand.  Our Public Sector THWACKsters have specific requirements.  Wish there was a way to check a box for diagnostics to "anonymize" the results.

    Hopefully they give you some good information back.
