How the "Re-enable the created local account if it has been locked out" setting works

Article ID: 150951
Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

 

Resolution

The customer is using a local account for the ACC (Agent Connectivity Credential). They have enabled "Create the Agent Connectivity Credential on Site Servers" and "Re-enable the created local account if it has been locked out" in "Global Site Server Settings > Security Settings" (under Settings > Notification Server > Site Server Settings > Task Service).

The following information has been compiled based on multiple questions about the topic.

QUESTION:
How does this "re-enable the created local account if it has been locked out" setting work? If enabled, will this setting unlock the ACC account automatically?

ANSWER:

Account enablement is done by the Symantec Management Agent (SMA). The Symantec Management Platform (SMP), when acting as a Site Server, receives the same settings, which are what trigger this unlock process.

The SMA has the functionality to manage and unlock local ACC accounts if it is a Site Server and the appropriate policy exists.

The prerequisites for the unlock to happen:

  1. SID or username or password is changed.
  2. Account is local (does not contain '\' in the account name).
  3. Account is not disabled.

The whole process is triggered in three cases:

  1. SMA (re)starts.
  2. Policy values related to ACC account are changed.
  3. "ACC Refresh" interval is due.

The last one is 6 hours by default. The interval value is read from the registry key:
HKLM\SOFTWARE\Altiris\Altiris Agent\Servers\
Value (DWORD):
"Agent Connectivity Credentials Refresh Interval (mins)".
The minimum value is 1 minute, the maximum is 2 weeks.

After a refresh, the time of the next refresh is stored in the registry value (under HKLM\SOFTWARE\Altiris\Altiris Agent\Servers\):
"Next Agent Connectivity Credentials Refresh".

Log entries related to the unlock (and other ACC-related actions) are marked with "Source": "SiteServerAction".


QUESTION:

In regards to the value "Agent Connectivity Credentials Refresh Interval (mins)":
Do we need to create this registry value if it doesn't exist?
Is this the interval that unlocks the ACC?

ANSWER:

The value "Agent Connectivity Credentials Refresh Interval (mins)" does not exist by default, since the hard-coded default of 6 hours is used. If you want to specify another value, create this entry.

If the ACC is a domain account, or is specified with a domain name, then the SMA does not manage such accounts: it will not create, unlock, or refresh them.

It works as follows:

  1. On every "run cycle" (1-2 minutes) the agent checks whether it should do the ACC refresh.
  2. For that it checks the value "Next Agent Connectivity Credentials Refresh". If it is due, the agent refreshes and writes a new time there, based on "Agent Connectivity Credentials Refresh Interval (mins)".

So if you only change the second value, the next refresh will not happen earlier than it was already planned. If you want to trigger the refresh immediately, set the first value to some datetime in the past (or delete it).


QUESTION:

If we want to change the unlock frequency, we just need to create the "Agent Connectivity Credentials Refresh Interval (mins)" registry value and set the desired value, right?

ANSWER:

Yes, this will help, and after the next planned refresh the new interval will be taken into account. If you want to "apply" the new interval ASAP, add the "Agent Connectivity Credentials Refresh Interval (mins)" value and change "Next Agent Connectivity Credentials Refresh" (or delete it).

 

FEW THINGS TO CONSIDER:

  1. The custom value for "Agent Connectivity Credentials Refresh Interval (mins)" (HEX) is respected, BUT an already scheduled "Next Agent Connectivity Credentials Refresh" is not overridden and remains scheduled for the default + 6h. So if the custom value needs to be activated ASAP, the "Next ..." value has to be removed manually; otherwise it will be activated after the currently scheduled time (6h).

  2. The refresh value is not precisely respected: in my case the value was 2 minutes, and after the scheduled refresh at 16:07 the new value was set to 16:10, while 16:09 was expected.
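The procedure from the answer and from point 1 above (set the interval value, then clear the already scheduled "Next ..." value so the agent refreshes on its next run cycle and schedules with the new interval) as a PowerShell script. This is an added example, not code from the KB article or from the Symantec Management Agent; it assumes an elevated session on the Site Server, and the 120-minute interval is an arbitrary example value.

```powershell
# Added example (not from the KB article): apply a custom ACC refresh interval on a
# Site Server and force the next refresh so the new interval takes effect at once.
# Assumption: run elevated on the Site Server. 120 minutes is an example value only.
param(
    [int]$IntervalMinutes = 120
)

$KeyPath      = 'HKLM:\SOFTWARE\Altiris\Altiris Agent\Servers'
$IntervalName = 'Agent Connectivity Credentials Refresh Interval (mins)'
$NextName     = 'Next Agent Connectivity Credentials Refresh'

# Bounds stated in the article: minimum 1 minute, maximum 2 weeks (14 * 24 * 60 min).
$MinMinutes = 1
$MaxMinutes = 14 * 24 * 60
if ($IntervalMinutes -lt $MinMinutes -or $IntervalMinutes -gt $MaxMinutes) {
    throw "Interval must be between $MinMinutes and $MaxMinutes minutes (got $IntervalMinutes)."
}

if (-not (Test-Path $KeyPath)) {
    throw "Registry key $KeyPath not found; is the Symantec Management Agent installed here?"
}

# Report what is in place now. The interval value is absent by default (hard-coded 6 h).
$current         = Get-ItemProperty -Path $KeyPath
$currentInterval = $current.$IntervalName
$currentNext     = $current.$NextName
if ($null -eq $currentInterval) { Write-Host 'Current interval: not set (default 360 min)' }
else                            { Write-Host "Current interval: $currentInterval min" }
if ($null -eq $currentNext)     { Write-Host 'Next refresh    : not scheduled' }
else                            { Write-Host "Next refresh    : $currentNext" }

# Create or update the interval value; the article lists it as a DWORD holding minutes.
New-ItemProperty -Path $KeyPath -Name $IntervalName -Value $IntervalMinutes `
                 -PropertyType DWord -Force | Out-Null

# Changing the interval alone does not move the refresh that is already scheduled.
# Deleting the "Next ..." value (one of the two options the article gives) makes the
# agent refresh on its next run cycle (1-2 min) and schedule the following refresh
# using the new interval. Deleting avoids guessing the stored datetime format.
if ($null -ne $currentNext) {
    Remove-ItemProperty -Path $KeyPath -Name $NextName
    Write-Host "Removed '$NextName'; refresh runs on the next agent run cycle."
}

Write-Host "Interval set to $IntervalMinutes min. Confirm in the agent log: Source 'SiteServerAction'."
```

Keep the interval generous: the article's closing note says the unlock is a safety net for rare lockouts, and a very short interval only hides a lockout source that still needs to be found.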



IMPORTANT:
The unlock feature is intended for the rare cases when the account gets locked; it is not intended as a cure for misconfigurations where something locks the account constantly or very often (that is why 6 hours is the default). The root cause of the account lockouts on the NS needs to be found.
