When our users change their AD password, they immediately will lock & unlock Windows to make sure the new password took, and that what they think they changed it to is exactly what they changed it to. They also have been told to sign out of GlobalProtect and sign back in, so that GlobalProtect will be configured to use the new creds going forward. However, while the password change in AD has been working great, GP has not been keeping up with the changes. Some users will lock their accounts trying to use their new passwords in GlobalProtect. Others will give up and try the old one, which works until the next time they connect, and then it fails and locks the account in AD. This happens all too frequently. We use the User-ID Agent on Active Directory Windows 2016 servers. Our PA is 9.1.8, our agents are 9.1.2-9 and GlobalProtect is 5.1.5.
1. Is this a known issue with GP? We've been seeing it for over a year.
2. Does GP and/or PA cache our users' credentials? If so, can we disable that feature? And if we can, is there a downside to doing that as well? We want every GP connection to check our domain controllers for proper credentials, every time (if there isn't a significant downside).