?
Solved

How to Solve: Service Accounts Losing Passwords?

Posted on 2011-10-03
9
Medium Priority
?
557 Views
Last Modified: 2012-05-12
Points of My Scenario
1. I am admin of a Windows Server 2003 domain.
2. Member servers use domain accounts to run services for various enterprise applications.
3. Whenever a server restarts, services that depend on a domain account fail to start automatically - eventhough they are configured to start automatically.
4. To temporarily fix this issue, the password for the account has to be re-entered in the "Log On" tab of the service's properties.
How can I ensure that services using these domain accounts automatically start when the relevant member server restarts?
0
Comment
Question by:waltforbes
  • 5
  • 4
9 Comments
 
LVL 2

Expert Comment

by:Aquatone
ID: 36906639
I would make sure those accounts have non-expiring passwords and that those specific accounts cannot, themselves, change the password.
0
 

Author Comment

by:waltforbes
ID: 36906711
To Aquatone:
1. These accounts do have non-expiring passwords.
2. These accounts were NOT configured to prevent users from changing passwords.
3. However, I know that the passwords were not changed because: the original passwords always work when re-entered in the service's "Log On" properties.
Any thoughts - especially on point #3?
0
 
LVL 2

Accepted Solution

by:
Aquatone earned 2000 total points
ID: 36906716
I have had some recent activity where the service account has changed for Remote Desktop Services. Changing it back and rebooting twice (yes twice) did the trick.

Do these accounts needs and have the "Log on as a service" right?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:waltforbes
ID: 36906725
Yes: these accounts do have the "Log on as a service" right (configured by Group Policy). Thanks, though.
0
 
LVL 2

Expert Comment

by:Aquatone
ID: 36906731
What groups are these accounts member of? AD or local accounts?
0
 

Author Comment

by:waltforbes
ID: 36909094
To Aquatone: They are members of the local administrators group for the member server on which the relevant app is deployed.
0
 
LVL 2

Expert Comment

by:Aquatone
ID: 36909693
Ok. That is usually all that is needed but does the app access directory resources? It may need to be a part of the domain for this purpose.
0
 

Author Comment

by:waltforbes
ID: 36909966
To Aquatone:
1. The apps do not access directory resources.
2. Nonetheless, the service accounts are all domain accounts.
3. I place these domain accounts into the local Administrators group of each app server.
4. Remember that the service and application works - as long as the server does not restart.
5. When a restart causes the service to fail, the only action that is required is to re-enter the same password of the service account into the service's properties "Log On" tab.
0
 

Author Closing Comment

by:waltforbes
ID: 36923777
To Aquatone: The accounts did not have the "Log on as a service" right due to cascading GPOs assigned at differing levels of OU. Once this right was set to "Unconfigured" for all cascading OUs, everything worked.
Many thanks, Aquatone - you were right!
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question