Symptom: mounted network drive missing
There was a scenario in which I needed a local user to perform actions in a Windows Azure Deployment. In this special scenario a local user named “fileshareuser” would mount a network drive K:\ when the role instance starts. This procedure worked pretty fine until suddenly the drive K:\ was missing.
Since one cannot logon as a local user via RDP to a Windows Azure instance it took me hours to find out what’s going wrong here. Finally I got this error message trying to mount the same network drive again using this impersonating model to execute C# code as that local “fileshareuser” user:
Problem: default local password policy
This led me to the problem: The password of the local user a”fileshareuser” had expired. But the account settings didn’t say anything about a password expiration. Further investigation let me find a local policy that makes all passwords expire after 42 days…
Usually this policy never should have become effective, since the Windows Azure Controller updates all instances every month installing a new operating system and forcing my program to recreate the “fileshareuser” user.
After 42 days running the connection to the K:\ drive would still be there and grant the “fileshareuser” access to the files. But as soon as the instance is rebooted the policy prevents the local user from connecting to the network share.
Solution: deactivate local password policy with shell command
In order to prevent this scenario from happening again in the future I had to deactivate the local password policy on every Windows Azure instance. There are two ways to achieve this for the “fileshareuser”.
- Mark the local user account with flag “password never expires”
Using the following command line the check box “Password never expires” will be checked for the user “fileshareuser”:
WMIC USERACCOUNT WHERE "Name='fileshareuser'" SET PasswordExpires=FALSE
- Deactivate local password expiration policy
This command will set the local password policy “maximum password age” to 0. No local user account will experience a password expiration again.