Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

unitymsgstore account lockout | any problems

Hi,

Customer group policy is to lock out account after three bad login attempts.

If the unity server is up and running and unitymsgstore accounts gets locked out for some reason,

will there be any issues.

Unity 4.2 with FO 2003

Thanks

Mudassir

7 REPLIES
Silver

Re: unitymsgstore account lockout | any problems

Hi,

It's good to set "password never expires" for service users.

--

regards,

pk

Silver

Re: unitymsgstore account lockout | any problems

==YES== there would be big issues. that is one of the service accounts and it would not be able to log on. The other is that accout has permissions to the mailstore.

rlp

Re: unitymsgstore account lockout | any problems

Hi -

Another thing that will cause you pain is the password getting changed by group policy for the special Unity accounts, unitydirsvc and unitymsgstoresvc. If that happens, you will need to rerun Service wizard and Message Store Configuration wizard to get Unity operational again. Better to keep the Unity servers and accounts out of an OU that gets group policies applied without you knowing or getting a chance to test beforehand.

Regards, Ginger

Bronze

Re: unitymsgstore account lockout | any problems

From personal experience, I can wholeheartedly agree with Ginger on this: keep the Unity servers away from any GPOs you don't control, period.

I've had a UnityMSGStore account get locked out, and when that happens, just count voice mail as toast. Not to mention, that account will stay locked out, because Unity will hammer away at it and reset the "time until unlock" timer on the account.

Bottom line, don't set the Unity, or CallManager accounts for that matter, to any sort of lockout policy. An unscrupulous user or fat-fingering admin could create a DoS situation very, very quickly.

New Member

Re: unitymsgstore account lockout | any problems

Thanks for the reply guys,

What is Cisco's recommendation on securing Unity accounts?

If we set group policy for three bad attempt lock out account, if the account gets locked out then we will have problem unity talking to exchange.

If we set it no group policy then its a security issue.

Is there any CCO document on this topic?

Thanks

Mudassir

New Member

Re: unitymsgstore account lockout | any problems

Hi,

I think we are running into this problem, The other day after a Unity reboot, the services would not start. I had to click on several services, select logon tab, set new password and then the services would start. Where might I look to see where the services might be affected by a policy, I am not a windows exchange guy by any means, so if you can give me a few details where to look, I would be very grateful.

Thansk,

Chuck

Cisco Employee

Re: unitymsgstore account lockout | any problems

first of all you need to understand that several core services run over the accounts discussed.

Appendix: Cisco Unity 4.x Services

http://www.cisco.com/en/US/partner/docs/voice_ip_comm/unity/42/upgrade/guide/ex/ru_550.html

in case one of those is disabled, blocked, whatever, the services won't start so unity will be down or won't work properly

actually this is not from windows or exchange point of view, but from AD. The AD is the place where this accounts are stored and where they might be subject to group policies so i strongly recommend to get in touch with your AD admin and tell him that he needs to keep the unity accounts free of policies that could block them, lock them after 3 wrong logins, ask for pwd change after x amount of time, etc.

HTH

javalenc

if this helps, please rate

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
282
Views
0
Helpful
7
Replies
CreatePlease login to create content