1. PDQ Deploy & Inventory Help Center
  2. Community
  3. PDQ Deploy
 

Important Notice: On February 29th, this community was put into read-only mode. All existing posts will remain but customers are unable to add new posts or comment on existing. Please feel to join our Community Discord for any questions and discussions.

Scan account locking up on some computers during PDQ deploy

Avatar
Jørn Rønne Gaarde

We've been using PDQ Inventory and Deploy for more than a year, and it's been working almost without flaw.

Lately however (I believe since v18), we've been having a problem where the scan account gets locked out during PDQ deploy. I had it happen on one PC a few weeks ago: Every time I deployed a random package to this specific PC, the domain scan/deploy account would get locked out. Meanwhile the same packages install without any problem on every other PC (we've got ~700 PC's). Since this was a test-machine, I figured it was a fluke and simply took it it out.

Last week however, the very same problem happened with a production machine, and the problem is still the same this morning, meaning I cannot distribute to this PC.

The problem is persistent and can be replicated every time on the PC. I tried restarting the PDQ server, and restarting the PC. Problem persists.

I tried upgrading from the latest v18 to v19.0.40.0. However problem is the same.

Both PC'a affected (so far) are Windows 10.

How do I troubleshoot this? Is there any log from Deploy I can check.

 

1

Comments

3 comments
Date Votes
  • Avatar
    Colby Bouma

    Is the account getting locked out in AD, or just the affected machines?

    As far as logs, there are a few in "C:\Windows\AdminArsenal" and the Event Log.

    1
  • Avatar
    Jørn Rønne Gaarde

    It's getting locked in the AD, which is a problem since then nothing works anymore.

    I found out that the account was getting locked out at the exact time the PDQ packet attempts to pull the software from the server via the UNC path.

    Turns out the problem is that we were accessing the server via a DNS CNAME alias, alas the server has a real servername but we access it via it's DNS alias called \\pdq.

    Apparently with Windows 10 this is no longer permitted, so we removed the DNS CNAME record and added the computer account via the NETDOM <name> /ADD command as per Microsofts instructions in https://support.microsoft.com/en-us/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias.

    After this no more lockups :)

    I still think it's odd that this causes PDQ to lock out the account - but now you know if you get a similar case :)

    1
  • Avatar
    Nussbaum

    We have the exact same issue. Does PDQ know why this started locking out the scan account as of version 18?

    1