How the "Re-enable the created local account if it has been locked out" setting works

Article ID: 150951

Products

IT Management Suite

Issue/Introduction

The Altiris Administrator is using a local account for the ACC (Agent Connectivity Credential). He has enabled "Create the Agent Connectivity Credential on Site Servers" and "Re-enable the created local account if it has been locked out", which are found in the SMP Console under Settings > Notification Server > Site Server Settings > Site Management > Site Server Settings > Global Site Server Settings > Security Settings:

How does the "Re-enable the created local account if it has been locked out" setting work? If enabled, does this setting unlock the ACC account automatically?

Environment

ITMS 8.x

Resolution

Account enablement is done by the Symantec Management Agent (SMA). When the Symantec Management Platform (SMP) itself acts as a Site Server, it receives the same settings, and those settings are what trigger the unlock process.

The SMA has the functionality to manage and unlock local ACC accounts if it is running on a Site Server and the appropriate policy exists.

The prerequisites for Unlock to happen:

  1. The SID, username, or password has changed.
  2. The account is local (the account name does not contain a '\').
  3. The account is not disabled.

The whole process is triggered in three cases:

  1. SMA (re)starts.
  2. Policy values related to ACC account are changed.
  3. "ACC Refresh" interval is due.

The last one is 6 hours by default. The interval is read from the DWORD value "Agent Connectivity Credentials Refresh Interval (mins)" under the registry key HKLM\SOFTWARE\Altiris\Altiris Agent\Servers\:

  • Minimum value is 1 minute, maximum is 2 weeks.
  • After refresh, the next refresh time is stored into the registry key HKLM\SOFTWARE\Altiris\Altiris Agent\Servers\ at "Next Agent Connectivity Credentials Refresh".

NOTE: The logging related to Unlock (and other ACC related actions) is marked with "Source": "SiteServerAction".


QUESTION:

Regarding the value "Agent Connectivity Credentials Refresh Interval (mins)":

  • Do we need to create this Reg Key if it doesn't exist?
  • Is this the interval that unlocks the ACC?

ANSWER:

The value "Agent Connectivity Credentials Refresh Interval (mins)" does not exist by default, since it just uses the hard coded default of 6 hours. If you want to specify another value, then create this entry.

If the ACC is a domain account, or is specified with a domain name, then the SMA does not manage such accounts. This means it will not create, unlock, or refresh these accounts.

This works as follows:

  1. The SMA, every "run cycle" (1-2 minutes) checks whether it should do the ACC refresh.
  2. The SMA checks the value of "Next Agent Connectivity Credentials Refresh". If this timeframe is due, then it refreshes and will put a new time there, based on the "Agent Connectivity Credentials Refresh Interval (mins)" setting.

So if you change only the "Agent Connectivity Credentials Refresh Interval (mins)" value, the next refresh will not run earlier than it was already planned. If you want to trigger the refresh immediately, set "Next Agent Connectivity Credentials Refresh" to some date/time in the past (or delete it).


QUESTION:

If we want to change the unlock frequency, do we just need to create the "Agent Connectivity Credentials Refresh Interval (mins)" registry value and set it to the desired number?

ANSWER:

This will help and after the next planned refresh the new interval will be taken into account. If you want to "apply" a new interval ASAP, then add the "Agent Connectivity Credentials Refresh Interval (mins)" value and change the "Next Agent Connectivity Credentials Refresh" (or delete it).


HERE ARE A FEW THINGS TO CONSIDER:

  1. The custom value for "Agent Connectivity Credentials Refresh Interval (mins)" (entered as HEX) is respected, BUT the already scheduled "Next Agent Connectivity Credentials Refresh" is not overridden and remains scheduled for the default of 6 hours. So, if your custom value needs to be activated ASAP, the key to accomplishing this is to remove the "Next Agent Connectivity Credentials Refresh" value manually; otherwise the new interval will only be activated after the currently scheduled time (6 hours).

  2. The refresh key value is not precisely respected.
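The procedure described in the answer above and in the considerations list, as an added PowerShell example that is not part of this article: it validates the interval against the documented 1 minute to 2 weeks range, writes the DWORD value, and, because a new interval does not override the already scheduled next refresh, deletes "Next Agent Connectivity Credentials Refresh" so the SMA refreshes on its next run cycle. The function name and the 720-minute sample value are the example's own; the article does not state the data type of the "Next ..." value, so the script deletes it rather than writing a past date.

```powershell
# Added example (not part of the Broadcom article): apply a custom ACC refresh
# interval on a Site Server and force the next refresh on the SMA's next run cycle.
# Registry path and value names are the ones the article cites. Run elevated.

$KeyPath      = 'HKLM:\SOFTWARE\Altiris\Altiris Agent\Servers'
$IntervalName = 'Agent Connectivity Credentials Refresh Interval (mins)'
$NextName     = 'Next Agent Connectivity Credentials Refresh'

function Set-AccRefreshInterval {
    param(
        [Parameter(Mandatory)] [int] $Minutes,
        [switch] $ApplyNow
    )
    # The article gives the supported range as 1 minute to 2 weeks.
    $MaxMinutes = 14 * 24 * 60   # 20160 minutes
    if ($Minutes -lt 1 -or $Minutes -gt $MaxMinutes) {
        throw "Interval must be between 1 and $MaxMinutes minutes (2 weeks)."
    }

    # The interval value does not exist by default (hard-coded 6 hours is used),
    # so create the key and the DWORD value if they are missing.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $IntervalName -Value $Minutes `
        -PropertyType DWord -Force | Out-Null

    if ($ApplyNow) {
        # A new interval does not override the already scheduled next refresh.
        # Deleting the "Next ..." value makes the SMA refresh on its next run
        # cycle (1-2 minutes) and reschedule using the new interval.
        Remove-ItemProperty -Path $KeyPath -Name $NextName -ErrorAction SilentlyContinue
    }

    # Return the resulting state so the change can be verified.
    Get-ItemProperty -Path $KeyPath | Select-Object $IntervalName, $NextName
}

# Sample use (hypothetical value): refresh every 12 hours, applied on the next run cycle.
Set-AccRefreshInterval -Minutes 720 -ApplyNow
```

The article notes that the interval is not respected precisely, so verify the rescheduled "Next Agent Connectivity Credentials Refresh" value after the next run cycle rather than expecting an exact time.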


IMPORTANT: The unlock feature is intended to be used in rare cases when the account is locked; it is NOT intended to be a cure for misconfigurations such as some process locking the account constantly or very often (that is why 6 hours is the default). If this is occurring, then you need to search for the root cause of the account locking on the Notification Server.