
SophosUpdateMgr account keeps getting locked

Hi Everyone,

On my last visit to one of our Sophos customers, they complained that Event Viewer is full of account-locked errors: the SophosUpdateMgr account keeps locking, even though endpoint updates use HTTP with a different account used for IIS authentication at the server.

Has anyone encountered such an issue, or is the customer probably having a DNS issue?



This thread was automatically locked due to age.
  • Hi guys, I appear to be having a similar issue. Just a quick background: the recent update that killed the update tool for Sophos was where it began. We had to change the sophosupdatemanager account password, to which the .cfg files were updated. The thing is, the old passwd has been in the fleet for a looong time and we are now having account lockouts for which I can't determine the source.

    A quick trace started with the domain controllers, which pointed to the Sophos AV server (management console server). Looking at the eventvwr logs within there shows the account being locked out, but the source is where things disappear. Here is an example of the event log:

    ------------------------------------------------------------
    An account failed to log on.

    Subject:
        Security ID: NETWORK SERVICE
        Account Name: SophosAVServer01$
        Account Domain: CORP
        Logon ID: 0x3e4

    Logon Type: 8

    Account For Which Logon Failed:
        Security ID: NULL SID
        Account Name: SophosUpdateMgr
        Account Domain: CORP

    Failure Information:
        Failure Reason: Unknown user name or bad password.
        Status: 0xc000006d
        Sub Status: 0xc000006a

    Process Information:
        Caller Process ID: 0x1554
        Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe

    Network Information:
        Workstation Name: SophosAVServer01
        Source Network Address: -
        Source Port: -

    Detailed Authentication Information:
        Logon Process: Advapi
        Authentication Package: Negotiate
        Transited Services: -
        Package Name (NTLM only): -
        Key Length: 0
    ------------------------------------------------------------

    As you can see, it is coming from the IIS .exe. I am unable to determine what is trying to authenticate to IIS that is causing the lockout of the AD account. Perhaps, is there a way to see what 'clients' or IP is attempting to authenticate to IIS, so I can see which clients need a policy update to their new password? It's happening about the same time every 2 hours.
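On the question in the reply above (which client IPs are presenting the stale password to IIS): the event shows `w3wp.exe` performing the logon with Logon Type 8 (NetworkCleartext), so the client address is not in the Security log, but it is in the IIS W3C access log as `c-ip`. The following is an added example, not code from the thread or from Sophos; it assumes the `c-ip`, `cs-username`, `sc-status`, `sc-substatus` and `sc-win32-status` fields are enabled in IIS logging, and the sample log lines are constructed.

```powershell
# Added example (not from the thread). Counts failed IIS logons per client IP:
# HTTP 401.1 with Win32 status 1326 (ERROR_LOGON_FAILURE) in a W3C-format log.
function Get-IisFailedLogon {
    param([string[]]$Line)

    $fields = @()
    $hits = foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Column names come from the header, which can change mid-file.
            $fields = @(($l -replace '^#Fields:\s*', '').Trim() -split '\s+')
            continue
        }
        if (-not $l.Trim() -or $l.StartsWith('#')) { continue }
        $values = @($l.Trim() -split '\s+')
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -eq '401' -and $row['sc-substatus'] -eq '1' -and
            $row['sc-win32-status'] -eq '1326') {
            [pscustomobject]@{
                ClientIP = $row['c-ip']
                User     = $row['cs-username']
                Utc      = "$($row['date']) $($row['time'])"   # IIS logs in UTC
            }
        }
    }
    # One row per client/user pair, with first and last failure to expose the cadence.
    $hits | Group-Object ClientIP, User | ForEach-Object {
        $times = @($_.Group.Utc | Sort-Object)
        [pscustomobject]@{
            ClientIP = $_.Group[0].ClientIP; User = $_.Group[0].User
            Failures = $_.Count; FirstUtc = $times[0]; LastUtc = $times[-1]
        }
    } | Sort-Object Failures -Descending
}

# Constructed sample log lines (dates, addresses and URI are made up).
$sample = @'
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2024-01-10 08:00:03 GET /updates/ CORP\SophosUpdateMgr 10.0.4.17 401 1 1326
2024-01-10 08:00:04 GET /updates/ - 10.0.4.22 401 2 5
2024-01-10 08:00:05 GET /updates/ CORP\OtherUpdateAcct 10.0.4.22 200 0 0
2024-01-10 10:00:02 GET /updates/ CORP\SophosUpdateMgr 10.0.4.17 401 1 1326
2024-01-10 10:00:09 GET /updates/ CORP\SophosUpdateMgr 10.0.7.40 401 1 1326
'@ -split "`r?`n"

Get-IisFailedLogon -Line $sample | Format-Table -AutoSize
```

Against a live server, pass `Get-Content` output from the site's log directory (by default under `%SystemDrive%\inetpub\logs\LogFiles`) instead of `$sample`, and compare `FirstUtc`/`LastUtc` with the lockout times on the domain controller.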