Setting a Non-Expiring Password for Office Communications Server Service Accounts

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Author: Dr. Rez

Publication date: December 2009

Product version: Microsoft Office Communications Server 2007 R2

The team I work on recently experienced this problem: After a power failure, we had to restart all our Office Communications Servers. After rebooting, everything seemed fine until we loaded the Office Communications Server administrative tools. We noticed in the administrative tools that several Office Communications Server components (such as the Archiving service) were not running. This was a bit out-of-the-ordinary and somewhat distressing to discover. Nevertheless, we have always lived by the motto, "When life hands you lemons, manually restart the Archiving service." So we dutifully right-clicked the Archiving Server icon and then clicked Start. What happened when we did this? We got the error message shown in Figure 1.

Figure 1. Archiving service error

After the fourth or fifth try, we began to suspect that "try again" might not be the most helpful advice that Office Communications Server could offer for this problem. We then decided to use the Services snap-in to verify that the problem truly was with the Archiving service. After loading the Services snap-in (to do this type mmc services.msc in the Run dialog box), we noticed that the Archiving service really had stopped. Again we dutifully tried to start the service. Again the service failed to start, but this time we got the error message shown in Figure 2.

Figure 2. Archiving service error from Windows

This message gave us more information about the problem: The service did not start because of a logon failure. Armed with this new information, we checked which account the Archiving service was running under (in this case, RTCComponentService), and then checked Active Directory to make sure that the RTCComponentService account was still a valid account. Sure enough, it was.

The bad news was that we still had no idea why we were unable to restart the Archiving service. Next we checked the System event log to see if any events could help us unravel this mystery. Figure 3 shows what we found in the event log.

Figure 3. Event log for Archiving service failure to start

After we saw this event log entry, we had a hunch what the problem might be. If you look closely at the event log entry you’ll see the following message:

The RTCLOG service was unable to log on as FABRIKAM\RTCComponentService with the currently configured password due to the following error:

Logon failure: unknown user name or bad password

Unknown user name? That seemed unlikely; after all, we had just verified that RTCComponentService was a valid user name. That left just one possibility: bad password. We had no idea how the password for this account could have been changed, but we went back into Active Directory and changed the password for the RTCComponentService account. We then went back to the Services snap-in and did the following:

  1. Right-clicked the Archiving service, and then clicked Properties.

  2. In the Properties dialog box, on the Log On tab, typed the new password for RTCComponentService in the Password and Confirm password fields, and then clicked OK.

  3. Right-clicked the Archiving service and then clicked Start.

This time the Archiving service started exactly as it was supposed to. Mission accomplished!

Of course, we were thrilled to see the Archiving service back in business. Nevertheless, we remained perplexed: what could have caused the password for the RTCComponentService account to suddenly go bad? It was at that point that we suddenly recalled advice one of our mothers gave us:

"If you only remember one piece of advice, let it be this: it’s always a good idea to use non-expiring passwords for any account that a Windows service runs under. If you don’t, you won’t be able to restart that service if the password expires or if the service stops running for some reason."

Considering this, we hurried back to Active Directory and checked the account properties for RTCComponentService. Turns out that was good advice! The RTCComponentService account did not have a non-expiring password as shown in Figure 4.

Figure 4. RTCComponentService properties

And that turned out to be the problem. Somewhere along the line, the password for the RTCComponentService account had expired. As long as the Archiving service was running that was fine, because once a service has successfully logged on, it will remain logged on regardless of what happens to the password for the service account. However, the Archiving service stopped running when the power went out. When the computer restarted and the service attempted to restart, it failed because it couldn’t authenticate to Active Directory with an expired password. And keep in mind that many services depend on the RTCComponentService account; in our case it was the Archiving service that we noticed, but anyone using the administrative tools would experience problems.

And that’s all there was to it. After the password was changed in Active Directory and on the service itself everything was fine.

Note

Did we really have to change the password both in Active Directory and on the service itself? For better or worse, yes, we did. Changing the password in Active Directory will not change the password for the individual services. Instead, you must individually change the password for every service that runs under the account in question. In addition, you will have to change the password in Internet Information Services (IIS) if any IIS components are running under this account. In this case, that means changing the password for the Web Components application pools: LSGroupExpAppPool and LSConferencingAppPool (R2).
And yes, now that you mention it, that does sound like a big chore doesn’t it? As it turns out, it is. However, we have no doubt that this process could be automated; we could probably write a script that would change the password in Active Directory and then change the password for each service that runs under that account.
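Here is what that automation could look like. This is an added example, not a script from the original article or from the Office Communications Server product: it sets the new password on the account in Active Directory through ADSI (IADsUser::SetPassword) and then pushes the same password to every Windows service that logs on with that account, using the Win32_Service.Change method over WMI. The distinguished name, the host names and the account name are placeholders; the IIS application pools named above are not Windows services and still have to be updated separately.

```powershell
# Added example (not from the original article): rotate an OCS service-account
# password in Active Directory and on every service that logs on with it.
# Assumes Windows PowerShell 2.0 on a domain-joined machine, run by an account
# that can reset the password and administer the listed servers.
$accountDN   = "LDAP://CN=RTCComponentService,OU=Service Accounts,DC=fabrikam,DC=com"  # placeholder DN
$startName   = "FABRIKAM\RTCComponentService"    # StartName as Win32_Service reports it
$servers     = @("ocs-fe01", "ocs-arch01")        # constructed host names

# Prompt for the new password once; Change() and SetPassword() both need it in clear text.
$secure = Read-Host "New password for $startName" -AsSecureString
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# 1. Change the password in Active Directory.
$user = [ADSI]$accountDN
$user.SetPassword($plain)
$user.SetInfo()

# 2. Update every service that runs as this account, on every OCS server.
#    WQL treats the backslash as an escape character, so it is doubled in the query.
$wql = "SELECT * FROM Win32_Service WHERE StartName = '" + $startName.Replace("\", "\\") + "'"
foreach ($server in $servers) {
    Get-WmiObject -ComputerName $server -Query $wql | ForEach-Object {
        # Only StartPassword (8th parameter) is supplied; $null leaves the
        # other service settings untouched. ReturnValue 0 means success.
        $result = $_.Change($null, $null, $null, $null, $null, $null, $null, $plain)
        New-Object PSObject -Property @{
            Server  = $server
            Service = $_.DisplayName
            State   = $_.State
            Result  = $result.ReturnValue
        }
    }
}
$plain = $null

# 3. IIS application pools (LSGroupExpAppPool, LSConferencingAppPool) are not
#    Win32_Service instances and must be updated through the IIS tools.
```

The script reports the return code per service rather than restarting anything; a non-zero Result for a server means the password in Active Directory has already changed but that service still holds the old one, so rerun step 2 for that server before it is next restarted.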

The moral to the story (and we rarely tell a story that doesn’t have a moral) is this: You should configure all your Office Communications Server service accounts to have non-expiring passwords. If you do this, you won’t have services mysteriously stopping (and refusing to restart) any time the service account passwords expire.

Tip

It’s possible that you might have used Group Policy to force all the passwords in your domain to expire after a specified length of time. (How do you do that? In the Group Policy Management Console, edit the Default Domain Policy by expanding Computer Configuration, expanding Security Settings, expanding Account Policies, expanding Password Policy, and then configuring the Maximum password age policy.) Of course, that leads to an obvious question: if Group Policy dictates that all passwords must expire, won’t that cause your password to expire regardless of what you do to the service account?
In a word: no. If you explicitly configure an account to have a non-expiring password, the password for that account will never expire, regardless of the Group Policies you might have applied to the domain. In this case, at least, the properties of the account override Group Policy.

So, how can you configure a non-expiring password for an account? In Active Directory Users and Computers, locate the appropriate service account (for example, RTCComponentService), right-click the account name, and then click Properties. In the Properties dialog box, on the Account tab, select the Password never expires check box, and then click OK.
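The same check box is a single bit (ADS_UF_DONT_EXPIRE_PASSWD, 0x10000) in the account's userAccountControl attribute, so it can also be set from Windows PowerShell. The following is an added example, not from the original article: it reads the attribute through ADSI, sets the bit if it is clear, and reads the attribute back to confirm. The distinguished name is a placeholder.

```powershell
# Added example (not from the original article): set "Password never expires"
# on a service account from PowerShell. Assumes Windows PowerShell 2.0 on a
# domain-joined machine and an account allowed to modify the user object.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # same flag the VBScript later in the article tests

function Set-PasswordNeverExpires([string]$accountDN) {
    $user = [ADSI]$accountDN
    $uac  = [int]$user.Get("userAccountControl")
    if (($uac -band $ADS_UF_DONT_EXPIRE_PASSWD) -eq 0) {
        # Set only this bit; every other flag in userAccountControl is preserved.
        $user.Put("userAccountControl", ($uac -bor $ADS_UF_DONT_EXPIRE_PASSWD))
        $user.SetInfo()
    }
    # Read back what the directory now stores and return $true if the bit is set.
    $after = [int]$user.Get("userAccountControl")
    return (($after -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
}

# Placeholder DN; substitute the real location of the service account.
Set-PasswordNeverExpires "LDAP://CN=RTCComponentService,OU=Service Accounts,DC=fabrikam,DC=com"
```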

That’s right: just the way mother told you to do it.

Incidentally, the following VBScript script returns the name of every service running under (in this case) the Fabrikam\RTCComponentService account name. This can help you quickly determine which services are running under a particular account name, especially an account name that is about to expire.

strComputer = "."

' Connect to the WMI repository on the local computer
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

' In WQL the backslash is an escape character, so the backslash in the
' account name must be doubled
Set colServices = objWMIService.ExecQuery _
    ("Select * From Win32_Service Where StartName = 'Fabrikam\\RTCComponentService'")

For Each objService in colServices
    Wscript.Echo objService.DisplayName
Next

Note

In case you’re wondering, that was not a typo in the previous script: you really do have to list the account name as Fabrikam\\RTCComponentService (with two backslashes) instead of Fabrikam\RTCComponentService. That’s because this is a Windows Management Instrumentation (WMI) script, and, in WMI, the backslash (\) is a reserved character. Because of that, you have to "escape" the backslash when using it in a query. Because the backslash is the escape character, that means replacing each single backslash with two backslashes (\\).

When you run this script you’ll get back information similar to the following:

Office Communications Server Response Group

Office Communications Server Application Host

Office Communications Server Application Sharing

Office Communications Server Audio/Video Conferencing

Office Communications Server Conferencing Attendant

Office Communications Server Conferencing Announcement

Office Communications Server Outside Voice Control

Office Communications Server Call Detail Recording

Office Communications Server Web Conferencing

Office Communications Server Archiving

Office Communications Server QoE Monitoring Service

If you are a Windows PowerShell user, you can use this PowerShell script instead:

Get-WMIObject -Query "Select * From Win32_Service Where StartName = 'fabrikam\\rtcservice'" |
    Select-Object DisplayName

Incidentally, we also happened to have a VBScript script that retrieves a list of all the Active Directory user accounts that begin with the letters RTC (these are the accounts typically used for Office Communications Server). The point of interest is that this script also tells you whether these accounts have passwords that expire. Here’s what that script looks like:

' Errors (for example, a failed LDAP connection) are suppressed rather than reported
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2
' userAccountControl bit that means "Password never expires"
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

' Open an ADO connection to Active Directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' Find every user account whose logon name starts with RTC; change the
' LDAP path to match your own domain
objCommand.CommandText = _
    "SELECT Name,userAccountControl FROM 'LDAP://dc=fabrikam,dc=com' WHERE " & _
        "objectCategory='user' AND sAMAccountName='RTC*'"
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst

Do Until objRecordSet.EOF
    intUserAccountControl = objRecordSet.Fields("userAccountControl").Value

    ' Test the single bit rather than comparing the whole value
    If intUserAccountControl AND ADS_UF_DONT_EXPIRE_PASSWD Then
        strExpirePassword = "Password never expires"
    Else
        strExpirePassword = "Password will expire"
    End If

    Wscript.Echo objRecordSet.Fields("Name").Value & ": " & strExpirePassword
    objRecordSet.MoveNext
Loop

And here’s the kind of output you can expect to see:

RTCComponentService: Password will expire

RTCComponentService2: Password will expire

RTCGuestAccessUser: Password will expire

RTCService: Password never expires

If you decide to use this script for yourself, make sure that you enter your domain name in the following line:

"SELECT Name,userAccountControl FROM 'LDAP://dc=fabrikam,dc=com' WHERE " & _
    "objectCategory='user' AND sAMAccountName='RTC*'"

For example, if your domain is contoso.com, you’ll have to change that line of code to the following:

"SELECT Name,userAccountControl FROM 'LDAP://dc=contoso,dc=com' WHERE " & _
    "objectCategory='user' AND sAMAccountName='RTC*'"
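The two scripts above answer separate questions (which services use an account, and whether an account's password expires). The following added example, which is not from the original article, joins them: it enumerates the domain accounts that services on each OCS server actually log on with, looks each one up in Active Directory, and reports whether its password can expire. Unlike the RTC* search it needs no naming convention, so it also catches service accounts that were named differently. The host names are placeholders; the search uses the domain the machine is joined to.

```powershell
# Added example (not from the original article): report, for every domain
# account that an OCS service logs on with, whether that account's password
# can expire. Assumes Windows PowerShell 2.0 on a domain-joined machine with
# rights to query WMI on the listed servers.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
$servers = @("ocs-fe01", "ocs-arch01")   # constructed host names

function Get-ServiceAccountExpiryReport([string[]]$computerNames) {
    # Collect the StartName of every service, keeping only DOMAIN\user forms.
    # This drops LocalSystem, "NT AUTHORITY\..." and ".\localuser" accounts;
    # UPN-style names (user@domain) are not handled here.
    $startNames = foreach ($server in $computerNames) {
        Get-WmiObject -ComputerName $server -Class Win32_Service |
            Where-Object { $_.StartName -match '^[^.]+\\' -and $_.StartName -notmatch '^NT ' } |
            ForEach-Object { $_.StartName }
    }
    $startNames = $startNames | Sort-Object -Unique

    foreach ($name in $startNames) {
        $sam = $name.Split("\")[1]
        # DirectorySearcher against the current domain, filtered on the logon name
        $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$sam))"
        $found = $searcher.FindOne()
        if ($found -eq $null) {
            "{0}: not found in Active Directory" -f $name
            continue
        }
        $uac = [int]$found.Properties["useraccountcontrol"][0]
        if ($uac -band $ADS_UF_DONT_EXPIRE_PASSWD) {
            "{0}: Password never expires" -f $name
        } else {
            "{0}: Password will expire" -f $name
        }
    }
}

Get-ServiceAccountExpiryReport $servers
```

Run it from a workstation with the administrative tools installed and keep the output with the change record; any line ending in "Password will expire" is a service that will fail to start after its next reboot once the domain's maximum password age has passed.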

So really, it’s just as easy as doing what your mother told you to.
