Preventing automation task failure because of account lockout.

  • Question

  • Hello,

    In my environment, there is a service account used to perform AD-related operations tasks (adding/removing users from groups) via automation called by ServiceNow. What I have observed over a couple of days is that the automation task is failing because that service account gets locked out.

    I need to know whether I can do something to prevent the account from being locked out, so that the AD-related operations tasks are completed via automation.

    Any suggestion or approach?


    G-ONE

    Saturday, July 11, 2020 2:16 AM

All replies

  • If the service user gets locked out, you need to troubleshoot, find the task or service that is using a wrong password and correct that.

    In the meantime you can define a Fine Grained Password Policy for that account that has lockout disabled.


    Evgenij Smirnov

    http://evgenij.smirnov.de

    Saturday, July 11, 2020 12:49 PM
  • If the service user gets locked out, you need to troubleshoot, find the task or service that is using a wrong password and correct that.

    In the meantime you can define a Fine Grained Password Policy for that account that has lockout disabled.


    Evgenij Smirnov

    http://evgenij.smirnov.de

    What exactly do you want me to achieve by defining a fine-grained password policy, and how will it prevent lockout of the service account? Will this permanently disable lockout of the account?

    Please reply and explain. 

    G-ONE

    Saturday, July 11, 2020 2:06 PM
  • If you permanently assign a FGPP with lockout disabled to an account, it will permanently disable lockout for that account ;-)

    It will not, however, change the fact that on some system in your environment this account is configured with an incorrect password. You need to find that place and correct the error because the account has probably been put there for a reason, and whatever it was, it's not working now. So my advice is, find the system that is causing trouble (NetWrix Lockout examiner can be a great help here) and remediate the root cause.


    Evgenij Smirnov

    http://evgenij.smirnov.de

    Saturday, July 11, 2020 2:19 PM
  • If you permanently assign a FGPP with lockout disabled to an account, it will permanently disable lockout for that account ;-)

    I agree you should fix the underlying problem instead. Account lockout is in place to prevent brute force attacks and should not be disabled.

    Miguel Fra
    Falcon IT Services
    https://www.falconitservices.com

     

    Saturday, July 11, 2020 3:18 PM
  • Hello,

    Thank you for posting in our TechNet forum.

    Just checking in to see if the provided information was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers.

    If we would like to configure the specific account so that it is not locked out, we could enable Fine-Grained Password Policies (FGPP) and set the number of failed logon attempts to 0.



    For more information, we could refer to: 
    https://docs.microsoft.com/en-us/archive/blogs/canitpro/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad

    For any question, please feel free to contact us.


    Best regards,
    Hannah Xiong

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 13, 2020 5:43 AM
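
The FGPP approach suggested in the replies above, sketched in PowerShell as an added example that is not part of the original thread. The account name `svc-snow-ad`, the policy name `PSO-SvcNoLockout` and every password setting other than `LockoutThreshold = 0` are assumptions; it needs the ActiveDirectory module and rights to create password settings objects.

```powershell
# Added example, not from the thread. Names and values marked "assumed" are placeholders.
Import-Module ActiveDirectory

$account = 'svc-snow-ad'        # assumed service account name
$pso     = 'PSO-SvcNoLockout'   # assumed policy name

# Record which policy applies before the change (no output = default domain policy).
Get-ADUserResultantPasswordPolicy -Identity $account |
    Select-Object Name, Precedence, LockoutThreshold

# LockoutThreshold = 0 means the account is never locked out.
# The other settings are stated explicitly so no cmdlet default is inherited silently.
$psoSettings = @{
    Name                        = $pso
    Precedence                  = 10             # assumed; lower number wins over other PSOs
    LockoutThreshold            = 0
    LockoutDuration             = '0.00:30:00'
    LockoutObservationWindow    = '0.00:30:00'
    MinPasswordLength           = 14             # assumed
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24             # assumed
    MinPasswordAge              = '1.00:00:00'   # assumed
    MaxPasswordAge              = '90.00:00:00'  # assumed
    Description                 = 'Temporary: lockout disabled while the lockout source is traced'
}
New-ADFineGrainedPasswordPolicy @psoSettings

# Scope the policy to the one account only, never to a broad group.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $account

# Verify: the resultant policy for the account should now be the new PSO.
Get-ADUserResultantPasswordPolicy -Identity $account |
    Select-Object Name, Precedence, LockoutThreshold

# Once the system with the wrong password is fixed, restore normal lockout:
# Remove-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $account -Confirm:$false
# Remove-ADFineGrainedPasswordPolicy -Identity $pso -Confirm:$false
```
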
  • If you permanently assign a FGPP with lockout disabled to an account, it will permanently disable lockout for that account ;-)

    It will not, however, change the fact that on some system in your environment this account is configured with an incorrect password. You need to find that place and correct the error because the account has probably been put there for a reason, and whatever it was, it's not working now. So my advice is, find the system that is causing trouble (NetWrix Lockout examiner can be a great help here) and remediate the root cause.


    Evgenij Smirnov

    http://evgenij.smirnov.de

    I agree with you that I must fix the underlying cause of the account lockout. Could you please share what settings you want me to configure for service accounts in the Fine Grained Password Policy? How will it help me prevent or mitigate the risk of service account lockout?

    Is there any other way to tackle this problem, e.g. auditing of the service account lockout event and sending an email notification? If yes, then how can I do this?

    Please explain step by step.

    G-ONE

    Tuesday, July 14, 2020 6:12 PM
  • Hello,

    Thank you so much for your feedback.

    As mentioned before, we could configure FGPP to disable lockout for the service account. For more information, we could refer to my previous response.

    As for how to audit account lockout and send email notification, we could refer to the below articles. 
    Audit Account Lockout
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319074(v=ws.11)

    How to send account lockout email notification
    https://gallery.technet.microsoft.com/scriptcenter/How-to-send-account-cdae5b39

    Hope the information is helpful. For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong


    Thursday, July 16, 2020 5:22 AM
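
One way to trace where the lockouts come from and get notified, as asked earlier in the thread; this is an added example, not code from the thread or from the linked articles. It assumes lockout event 4740 is being logged on the PDC emulator, and the account name, mail addresses and SMTP server are placeholders.

```powershell
# Added example, not from the thread. Names marked "assumed" are placeholders.
Import-Module ActiveDirectory

$account = 'svc-snow-ad'                 # assumed service account name
$pdc     = (Get-ADDomain).PDCEmulator    # lockouts for the domain are recorded here

# Event 4740 = "A user account was locked out" (Security log).
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-7) }

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Read the event fields by name instead of by position.
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $evt.TimeCreated
            Account        = $data['TargetUserName']
            # In 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
            CallerComputer = $data['TargetDomainName']
        }
    } | Where-Object { $_.Account -eq $account }

# Which machine keeps presenting the wrong password?
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name

# Optional notification; run the script from a scheduled task to get periodic alerts.
if ($lockouts) {
    $mail = @{
        To         = 'ad-admins@example.com'     # assumed
        From       = 'lockout-alert@example.com' # assumed
        SmtpServer = 'smtp.example.com'          # assumed
        Subject    = "Lockouts for $account in the last 7 days: $(@($lockouts).Count)"
        Body       = ($lockouts | Sort-Object TimeCreated | Format-Table -AutoSize | Out-String)
    }
    Send-MailMessage @mail
}
```

The caller computer with the highest count is the first place to look for a service, scheduled task or stored credential still using the old password.
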
  • Hello,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    Thank you so much for your time and support.

    Best regards,
    Hannah Xiong


    Monday, July 20, 2020 1:58 AM
  • Hello,

    Since the thread has been quiet for days, can we assume that it is fixed? If that is the case, please "mark it as answer" to help other community members find the helpful reply quickly. And we’d love to hear your feedback about the solution if you solved it by your own method.

    Thanks for your understanding and efforts.

    Best regards,
    Hannah Xiong


    Thursday, July 23, 2020 1:53 AM