Solved windows services always forgets password

August 27, 2014 at 22:34:55
Specs: windows 2003 windows 2008
windows services always forgets password

Might take a day or two but we have

SQL passwords that start as SQL services that are run as domain names

I have our monitoring program that starts as a domain username


Almost every day they fail, saying bad logon

I go and put in the exact password that the domain usernames are and it works, give it a day it is like it forgets what the password is.... very annoying

anyone have this experience?

Ok so heres the deal i can run yuri's revenge with no problem. But red alert 2 will run but very very very slow even when im not playing someone on the internet, it still goes very slow. Whats the pro





#1
August 28, 2014 at 00:10:27
Make sure you're not typing in caps when it should be lowercase, or vice versa.


#2
August 28, 2014 at 07:33:05
Thank you for the advice .... This is a much bigger issue

That for sure is not the answer, although i do appreciate the advice..


Services just lose memory, it seems, of the stored passwords


#3
August 28, 2014 at 12:03:45
After setting the password for the service if you logon under that account with same password do you get logged in?

Have you reviewed the event viewer logs for events concerning being unable to log on?

Accounts set to have passwords never expire?

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's



#4
August 28, 2014 at 12:32:16
This is a good question, wanderer..

Next time this happens to either two of the domain usernames used to start these services on the two servers... I will try to log into that server with the username the services are failing to start on.... Good thinking

Now , I know i might be jumping the gun , what would be your first guess as to why these service account names can or cannot log in?

Probably the first would be , my guess, is the server talking to the DC or domain at all...

Our monitoring service is reporting VIA a simple ping that these servers are alive,
The servers with the broken services will allow me to log in with my domain credentials, so it is able to authenticate with a DC....

This happened all of a sudden... these services were working just fine and dandy for years..

server01... This our monitoring program for the enterprise , thats why we never know when it happens lol kind of sucks.
Server01 has been running for over 6 or 7 years with no issues
Problems started about 2 or 3 weeks ago

server02 this is our production SQL server, if for any reason the service is set to restart. it wont come back up until you set the password again
server02 has been running for 4 or 5 years with no problems, problems started about a year ago


#5
August 28, 2014 at 15:39:41
My guess is you have a user policy that requires periodic password changes. Since these accounts can't change their passwords the accounts go to an expired state.

I would suggest you need to make sure the accounts are set to never expire or change their password in user management and in your GPOs


#6
August 28, 2014 at 20:08:55
Not to discount what you suggest, when the password does change for them ... I go through each service and update the password... we are in the middle of the period for the password change and this just popped up... we use the same password it has been for half (middle of the period) of this password policy, nothing on that end changed..


As soon as i put the same password back in the services log in information it starts right up, then about a day, maybe not even, it loses the password in the services log on tab... not to say there is not what looks like a password types in there still , because there is... just seems to be the wrong password and will not work until you put the same old password in and click apply...


is this what you are referring to... I understand what you mean by expired account , through AD we never have to unexpire or unlock the account or anything ..


Not saying you are wrong or that I don't value what you suggested, just trying to troubleshoot and cover all bases before I return to work Tuesday

#7
August 29, 2014 at 05:30:07
After re-reading I see some typos and whatnot

I meant on the services log in tab, the password appears to be still in there... obviously I can't read what it is, just a bunch of black dots to hide the password...


#8
September 2, 2014 at 09:58:24
I see no mention of you trying to log on to that account when the service has failed to start. How else are you determining it's the password that is failing besides just retyping it?

You make no mention of the account being disabled which it should be if the password is wrong. After three failed logons the account should be disabled automatically. Did you disable /modify this feature?

Service accounts are set to never expire and never change the password normally. Why aren't you doing that?

What are the event viewer logs telling you concerning these service accounts?


#9
September 3, 2014 at 18:20:37
Here is how it went: a GPO does not specify in the policy to let that account log on as a service. So when I go to that server with the failing service account and go to services > start auto and put in the password, it is then shown in the local group policy as allowed to start as a service. If I issue a gpupdate /force it is taken out ... I believe when GP updates go once a day it takes log on as a service out...

one more question, we have this service account as a domain admin, should that be enough to override whether or not log on as a service is defined?


#10
September 4, 2014 at 09:24:14
✔ Best Answer
You never use domain admin for service accounts. Great way to get hacked. The account should have the "logon as a service" right. Service accounts should not be under an OU that has a GPO applied to it or the accounts are exceptions to the GPO.


#11
September 4, 2014 at 14:48:36
I never set it all up this way, someone else did... I did ask why that service account was a Domain Admin and crickets is what i heard.

I still think that the service account needs to have log on as a service.
Then my manager asked if run as a service should be already be inheritance on a domain admin account, which I said I will research and find out...

I already asked why in the world that service account was a domain admin ...... I did not do this, but want to take it off. I mean someone put it as a domain admin, when you make anything or anyone a domain admin ... Alarms go off and alert managers and the customer... so someone of high power made this decision... Nobody wants to speak up and i dont know why


#12
September 8, 2014 at 09:23:01
" if run as a service should be already be inheritance on a domain admin account"

It is not an auto-assigned right to admin.


#13
September 8, 2014 at 15:06:42
I was not sure, at the same time I didn't think so. thank you for all the help.


As of now it is still broke, no one believes me when I said a domain admin does not have the right.

I'll set up a new thread on how you suggest we properly implement this

#14
September 10, 2014 at 15:19:46
Admin is not god mode. This is also why there are different kinds of admins like domain vs enterprise etc.

Sounds like you are working with a bunch of ignorant people. Sorry to hear that.


#15
September 10, 2014 at 20:54:07
yes sir i am, not really ignorant, we have downsized quite a bit... All the good people got let go cause they made too much money ... It is what it is. I have an interview in the AM, trying to jump the sinking ship..... Been there 9.5 years, started as an intern.... Very sad to see this company only care about the stock..... Well just another lesson I have learned... take it easy, I will start a new thread this weekend about how I should consider designing an OU or how i should design something for service accounts and GPO's and all that hee haw.... thanks for all the help so far


#16
September 11, 2014 at 16:09:08
Use a local account or a domain account under an OU that has no group policy applied.
Account should be a regular user, not an admin. Account has "logon as service" right. Depending on the service other rights may need to be assigned but start with base then work up to more strength.

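An added example, not part of the thread: a PowerShell check for the behaviour described in #9, listing each service that runs under a named account and whether that account currently holds "Log on as a service" (SeServiceLogonRight) in the effective local policy. It assumes an elevated PowerShell 2.0 or later session on the affected server; the function names are hypothetical, and rights granted through group membership are not expanded.

```powershell
# Added example: run once after re-entering the service password and again
# after "gpupdate /force" to see whether the GPO strips the right.

function Get-ServiceLogonRightHolders {
    # Export only the user-rights area of the effective local security policy.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $cfg
    if (-not $line) { return }
    # Entries are comma separated; SIDs carry a leading '*', names do not.
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Resolve-ToSid([string]$Account) {
    # '.\name' denotes a local account; prefix the machine name for translation.
    $name = $Account -replace '^\.\\', "${env:COMPUTERNAME}\"
    try {
        $nt = New-Object System.Security.Principal.NTAccount($name)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # account could not be resolved (deleted, or DC unreachable)
    }
}

# Normalise every holder of the right to a SID string, dropping unresolved names.
$holders = @(Get-ServiceLogonRightHolders | ForEach-Object {
    if ($_ -match '^S-1-') { $_ } else { Resolve-ToSid $_ }
} | Where-Object { $_ })

# Services running as a named account rather than a built-in identity.
Get-WmiObject Win32_Service |
    Where-Object {
        $_.StartName -and
        $_.StartName -notmatch '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)'
    } |
    Select-Object Name, StartName, State,
        @{ n = 'HasLogonAsServiceRight'
           e = { $sid = Resolve-ToSid $_.StartName
                 [bool]($sid -and ($holders -contains $sid)) } } |
    Format-Table -AutoSize
```

A service account that shows `True` right after the password is re-entered and `False` after the next policy refresh is having the right removed by a GPO, which matches the fix in #10 and #16.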