Cannot Update Service Account Credentials Because the Account is Locked Out

Article ID: 383664

Products

Carbon Black App Control

Issue/Introduction

  • Changing the service account credentials fails because the service account keeps getting locked out in Active Directory
  • The account can be unlocked, but it becomes locked again

Environment

  • App Control Server: All Supported Versions
  • Windows OS: All Supported Versions

Cause

Typically, an account is automatically re-locked in Active Directory when an application or service repeatedly uses outdated or invalid credentials.

Resolution

  1. Temporarily change the service Startup Type to Disabled
    1. Open Services (Start > Run > services.msc > OK)
    2. Change the Startup Type to Disabled for both
      • Carbon Black App Control Reporter
      • Carbon Black App Control Server
    3. Verify the services are not currently attempting to start and remain stopped.
  2. Temporarily stop the IIS Site and Application Pools
    1. Open IIS Manager > select the server name
    2. From the right-hand menu > Manage Server > Stop
    3. From the left-hand menu > expand server name > select Application Pools
    4. Right click each Application Pool > Stop
      • AppCDownloads
      • DefaultAppPool
  3. Verify the account in Active Directory has not re-locked.
  4. Follow the steps to update the Service Account on the services and IIS accordingly, but do not start any services yet.
  5. Start the services individually before changing the Startup Type
    1. Start the Carbon Black App Control Server.
    2. Verify the service remains running and the account has not re-locked.
    3. Change the Startup Type to Automatic.
    4. Repeat accordingly with the Carbon Black App Control Reporter.
  6. Start the IIS Site and Application Pools
    1. IIS Manager > select server name > right-hand menu > Manage Server > Start.
    2. Expand the server name > Application Pools > start the DefaultAppPool
    3. Verify the Application Pool remains running and the account has not re-locked.
    4. Repeat accordingly with AppCDownloads
  7. Verify the Console is accessible and the account has not re-locked.

Additional Information

  • The Security log in the Windows event logs can help identify what is causing the account to be locked
  • A locked account can cause this error while updating the credentials: "The specified password is invalid. Type a new password."
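
One way to act on the Security log suggestion above, as an added example that is not part of the original article or of the product's own tooling: the PowerShell below summarizes failed logons for the service account by calling process. Assumptions: it runs elevated on the App Control server, `svc-appcontrol` is a placeholder account name, and event ID 4625 with its field names is standard Windows failed-logon auditing rather than anything stated in the article.

```powershell
# Added example. Run in an elevated PowerShell session on the App Control server.
$Account = 'svc-appcontrol'           # placeholder: the service account's logon name
$Since   = (Get-Date).AddHours(-4)    # assumed look-back window

# Event ID 4625 = "An account failed to log on" in the local Security log.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Read the event fields by name from the XML instead of by position.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data['TargetUserName'] -ne $Account) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Process   = $data['ProcessName']      # executable that presented the credentials
        LogonType = $data['LogonType']        # 5 = service logon
        SubStatus = $data['SubStatus']        # NTSTATUS code giving the failure reason
        Source    = $data['WorkstationName']
    }
}

if (-not $failures) {
    "No failed logons for $Account since $Since"
    return
}

# One row per (process, logon type, reason), busiest first.
$failures |
    Group-Object Process, LogonType, SubStatus |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Count     = $_.Count
            Process   = $_.Group[0].Process
            LogonType = $_.Group[0].LogonType
            SubStatus = $_.Group[0].SubStatus
            LastSeen  = $_.Group | Sort-Object Time |
                        Select-Object -Last 1 -ExpandProperty Time
        }
    } | Format-Table -AutoSize
```

A SubStatus of 0xC000006A means a wrong password was presented and 0xC0000234 means the account was already locked out. If the table keeps growing after the services and Application Pools are stopped, something else on the server is still using the old credentials.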