Archive for September, 2012

Windows Server 2008 UAC and AD account lock-outs

September 1, 2012

Problem: One of our Active Directory application ID accounts was periodically getting locked out on one of our servers. This particular application ID is used to run jobs from a command line. Checking the Windows Event logs turned up nothing useful about why the account kept getting locked out.

Here’s what we found out: Further investigation into the server’s history showed that it used to run Windows Server 2003 and had only recently been upgraded to Windows Server 2008. The application ID had been given Administrator rights, and kept them after the upgrade.

Solution: We suspected that UAC was preventing the jobs from running, and that turned out to be the case. Repeated attempts to run the job using the application ID failed, and because AD interpreted each failure as a failed attempt to connect and authenticate, enough of them locked the account out. There was no UAC when the box was still on Windows Server 2003, so the application ID, running as an Administrator, was able to execute the jobs successfully; on Windows Server 2008, UAC blocked them. Turning off UAC (for purposes of investigation) allowed the application ID to run the jobs uninterrupted, and the account was no longer locked out.

We have yet to figure out how to make the application ID run the jobs with UAC turned on; it doesn’t help that the application ID requires Administrator-level privileges to run them. A further challenge is the inherent limitation of the commands the jobs execute: they are legacy code that is not UAC-friendly. Ultimately the fix may lie in changing the code of those commands so that we no longer have to grant Administrator rights to the application ID that runs the jobs, at which point we can turn UAC back on. Until then, this quick and dirty solution is in effect.
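When the event logs on the affected server look empty, the lock-out itself is recorded somewhere else: the domain controller holding the PDC emulator role logs event 4740 ("A user account was locked out") with the name of the computer the bad attempts came from, and that computer's own Security log holds the 4625 logon failures, including the process that made them. The following PowerShell is an added example, not code from the original post; it assumes the `svc_jobs` account name and the one-day window are placeholders, that the script runs as a domain user allowed to read remote Security logs, and that the Remote Event Log Management firewall rules are open on the target hosts.

```powershell
# Added example: trace an AD account lock-out back to its source host and process.
# Account name, time window and host names are placeholders; adjust for your environment.

$account = 'svc_jobs'                     # sAMAccountName under investigation (placeholder)
$since   = (Get-Date).AddDays(-1)         # how far back to search (placeholder)

# Find the PDC emulator without needing the RSAT ActiveDirectory module.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

# Turn an event's XML payload into a name -> value hashtable so fields can be read by
# name rather than by fragile positional index.
function ConvertTo-EventDataTable {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $table = @{}
    foreach ($item in $xml.Event.EventData.Data) { $table[$item.Name] = $item.'#text' }
    return $table
}

# Step 1: 4740 on the PDC emulator tells us *which computer* triggered the lock-out.
# For 4740 the TargetDomainName field carries the caller computer name.
$lockouts = Get-WinEvent -ComputerName $pdc `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
    -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = ConvertTo-EventDataTable -Event $_
    [pscustomobject]@{
        Time           = $_.TimeCreated
        Account        = $d['TargetUserName']
        CallerComputer = $d['TargetDomainName']
    }
  } | Where-Object { $_.Account -eq $account }

$lockouts | Format-Table -AutoSize

# Step 2: on each caller computer, 4625 shows the failing logon attempts and, for
# local logons, the process that made them (the command-line job in this post's case).
# Status 0xC000006D with SubStatus 0xC000006A means a bad password;
# SubStatus 0xC0000234 means the account was already locked out.
foreach ($host in ($lockouts.CallerComputer | Sort-Object -Unique)) {
    Get-WinEvent -ComputerName $host `
        -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = ConvertTo-EventDataTable -Event $_
        if ($d['TargetUserName'] -eq $account) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Host        = $host
                LogonType   = $d['LogonType']
                ProcessName = $d['ProcessName']
                Status      = $d['Status']
                SubStatus   = $d['SubStatus']
                Workstation = $d['WorkstationName']
            }
        }
      } | Format-Table -AutoSize
}
```

A run of 4625 events with the same `ProcessName` and a bad-password SubStatus, clustered just before each 4740, is the pattern that matches the post's diagnosis: the job itself is retrying and burning through the lock-out threshold. If the 4625 events point at a different process or host than expected, the lock-out has another cause and UAC is not the whole story.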