The Altiris Administrator is using a local account for the ACC (Agent Connectivity Credential). He has enabled "Create the Agent Connectivity Credential on Site Servers" and "Re-enable the created local account if it has been locked out", which are found in the SMP Console under Settings > Notification Server > Site Server Settings > Site Management > Site Server Settings > Global Site Server Settings > Security Settings:
How does the "Re-enable the created local account if it has been locked out" setting work? If enabled, does this setting unlock the ACC account automatically?
ITMS 8.x
Account enablement is done by the Symantec Management Agent (SMA). The Symantec Management Platform (SMP) as Site Server gets the same settings that must trigger this unlock process.
The SMA has the functionality to manage and unlock local ACC accounts if it is a Site Server and an appropriate policy exists.
The prerequisites for Unlock to happen:
The whole process is triggered in three cases:
The last one is 6 hours by default. The interval value is taken from registry key HKLM\SOFTWARE\Altiris\Altiris Agent\Servers\ with Value (DWORD key) "Agent Connectivity Credentials Refresh Interval (mins)":
NOTE: The logging related to Unlock (and other ACC related actions) is marked with "Source": "SiteServerAction".
QUESTION:
Regarding the value "Agent Connectivity Credentials Refresh Interval (mins)":
ANSWER:
The value "Agent Connectivity Credentials Refresh Interval (mins)" does not exist by default, since the agent just uses the hard-coded default of 6 hours. If you want to specify another value, then create this entry.
If the ACC is a domain account, or specified with a domain name, then the SMA does not manage such accounts. This means it will not create, unlock, or refresh these accounts.
This works as follows:
So if you just changed the second one above, it will not trigger the next refresh earlier than it was planned before. If you want to trigger the refresh immediately, put the first one above to some date/time in the past (or delete it).
QUESTION:
If we want to change the unlock frequency, do we just need to create the "Agent Connectivity Credentials Refresh Interval (mins)" registry value and add the desired value?
ANSWER:
This will help, and after the next planned refresh the new interval will be taken into account. If you want to "apply" a new interval ASAP, then add the "Agent Connectivity Credentials Refresh Interval (mins)" value and change the "Next Agent Connectivity Credentials Refresh" value (or delete it).
HERE ARE A FEW THINGS TO CONSIDER:
The custom value for "Agent Connectivity Credentials Refresh Interval (mins)" (HEX) is respected, BUT the already scheduled "Next Agent Connectivity Credentials Refresh" is not overridden and still remains scheduled for the default of 6 hours. So, if your custom value needs to be activated ASAP, then the key to accomplishing this would be to remove the "Next Agent Connectivity Credentials Refresh" value manually; otherwise the custom value will be activated after the currently scheduled time (6 hours).
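The registry change described above, as an added PowerShell example (not part of the original article and not vendor tooling). The function name Set-AccRefreshInterval is hypothetical; it assumes both values sit directly under the key path given above and that it is run elevated on the Site Server.

```powershell
# Added example: function name is hypothetical; key path and value names are from the article.
function Set-AccRefreshInterval {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateRange(1, 2147483647)]
        [int]$Minutes,          # new refresh interval, in minutes
        [switch]$ApplyNow       # also delete the already scheduled next refresh
    )

    # Assumption: both values live directly under this key, as the article states.
    $key          = 'HKLM:\SOFTWARE\Altiris\Altiris Agent\Servers'
    $intervalName = 'Agent Connectivity Credentials Refresh Interval (mins)'
    $nextName     = 'Next Agent Connectivity Credentials Refresh'

    if (-not (Test-Path -LiteralPath $key)) {
        throw "Registry key not found: $key"
    }

    $props    = Get-ItemProperty -LiteralPath $key
    $previous = $props.$intervalName
    # The value does not exist by default; the agent then uses 6 hours (360 minutes).
    if ($null -eq $previous) { $previous = 360 }

    if ($PSCmdlet.ShouldProcess($key, "Set '$intervalName' to $Minutes")) {
        New-ItemProperty -LiteralPath $key -Name $intervalName `
            -PropertyType DWord -Value $Minutes -Force | Out-Null
    }

    # Changing the interval alone does not move the refresh that is already scheduled.
    # Deleting the scheduled value is one of the two options the article gives.
    $cleared = $false
    if ($ApplyNow -and $null -ne $props.$nextName) {
        if ($PSCmdlet.ShouldProcess($key, "Remove '$nextName'")) {
            Remove-ItemProperty -LiteralPath $key -Name $nextName -ErrorAction Stop
            $cleared = $true
        }
    }

    [pscustomobject]@{
        PreviousIntervalMinutes = $previous
        NewIntervalMinutes      = $Minutes
        NextRefreshCleared      = $cleared
    }
}

# Preview the change first, then run it for real without -WhatIf.
Set-AccRefreshInterval -Minutes 120 -ApplyNow -WhatIf
```

Afterwards, agent log entries marked with "Source": "SiteServerAction" show whether the refresh and unlock actually ran.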
IMPORTANT: The unlock feature is intended to be used in rare cases when the account is locked; this is NOT intended to be a cure for some misconfigurations like when some account is locking it constantly or very often (that is why 6 hours is the default). If this is occurring then you need to search for the root cause of the account locking on the Notification Server.