Windows 2003 SBS with SP2 services lose authentication randomly and at reboot

Problem: after a reboot or after a random period of time the passwords for the accounts use to run services seem to corrupt, vanish, or change inexplicably. The password still shows to be there in the service properties but if the service stops, or is stopped, it will give a logon error when a start is attempted. When you put the password back in it is fine. If you restart right after you put the password in it restarts fine. Only after time...

This seems to only affect services that require a user account for Authentication. Being SBS it is of course a DC. It also hosts Exchange 2003 SP2, and the latest Blackberry Server Express. The Blackberry services are the ones that usually have the issue and are currently using the BESAdmin account specifically created for it. However it does the same thing using Administrator and other domain admin accounts. It does this on other services than Blackberry as well.

We cannot use Local System, or any other generic account unfortunately for any of the services. I did change those I could and we have no longer had any issues for those services. I cannot seem to find anyone else with this issue. Any ideas?

olygrahamAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Justin OwensITIL Problem ManagerCommented:
Those services should be using the BESAdmin account.  It should have the necessary rights on your DC and also have a password set to not expire.  It also needs to be granted permission to interact with the machine.  Do you see any events in your logs when this happens?

Justin
0
comphilCommented:
That's a really odd one and no mistake.  So does the problem not happen if you use the BESAdmin account on the Blackberry services or am I misreading that bit?

A few things to try - set a service to use the Local System account, restart the service and then change it back to a user again - then restart the service once more.  Make sure that user's password is not set to expire.

Second, check Group Policy settings for Local Security settings.  One post on Technet refers to a similar problem and the fix appeared to be related to this ("someone modified my Group Policy settings to remove the accounts from the Local Security Settings").

My first port of call would be the Windows event log for any clues, particularly the System, Application and Security logs (the last is huge and may take a bit of trawling through to find anything that might be relevant assuming you know an approx. date and time when it last happened).
0
comphilCommented:
Sorry Justin didn't mean to override your reply you got yours in while I was writing mine!
0
Hey MSSPs! What's your total cost of ownership?

WEBINAR: Managed security service providers often deploy & manage products from a variety of solution vendors. But is this really the best approach when it comes to saving time AND money? Join us on Aug. 15th to learn how you can improve your total cost of ownership today!

Justin OwensITIL Problem ManagerCommented:
No worries... Refresh strikes us all from time to time.
0
olygrahamAuthor Commented:
done
0
Justin OwensITIL Problem ManagerCommented:
Author requests a refund but never answered either questions asked by the two participating Experts after almost two months.  If the Author wants to delete the Question, that is his/her business, but if he/she wants a refund of points, he/she should respond to the Experts.
0
Justin OwensITIL Problem ManagerCommented:
This seems to be the case of an Author trying to clear a Question he/she abandoned.  My first choice would be for the Author to interact with the Experts and actually resolve the Question.  My second choice would be for the Author to post the actual resolution and accept it as a 0 point answer.  My third choice would be to delete the Question with no refund, as we normally would an abandoned Question.
0
olygrahamAuthor Commented:
Well - first - am unsure of how to just end the questions as I resolved it myself.  The issue really lies at the core of AD in the domain permissions
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
comphilCommented:
Could you expand on exactly what the resolution to this problem was?  I am intrigued as I've never come across this particular problem before, it'd be useful to have it recorded here for anyone else who comes across the same problem.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Management

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.