Return
-
Title
ODM AD service account is being constantly locked -
Description
ODM AD service account is being constantly locked -
Cause
Service account's credentials are stored locally in encrypted format in dirsync machines' registry, -
Resolution
Investigate source of lockouts using PDC, Event Viewer where auditing was enabled. This article provides step by step instructions how to find that:
Find the source of AD account lockouts – 4sysops
There are 2 possible places where service account lockout is happening:
1) dirsync agent machine in the same domain
2) dirsync agent machine in the target domain, if current domain is the source
When dirsync agent is installed, password is encrypted and cached locally in the registry. To resolve that, simply uninistall and reinstall the agent, re-typing the correct password.
In the second case, source service account can be specified in the target domain dirsync agent for SIDHistory purposes. It's also cached and stored locally in the registry.
As a general rule, please avoid changing service accounts' passwords during the migration period. It's also recommended to exclude those accounts from password expiration GPOs.