Friday, July 20, 2012

Windows Azure: Local User Account Expires

Symptom: mounted network drive missing

There was a scenario in which I needed a local user to perform actions in a Windows Azure Deployment. In this special scenario a local user named “fileshareuser” would mount a network drive K:\ when the role instance starts. This procedure worked pretty fine until suddenly the drive K:\ was missing.

Since one cannot logon as a local user via RDP to a Windows Azure instance it took me hours to find out what’s going wrong here. Finally I got this error message trying to mount the same network drive again using this impersonating model to execute C# code as that local “fileshareuser” user:

CommandLine error indicating that the local user account password has expired on windows azure

Problem: default local password policy

This led me to the problem: The password of the local user a”fileshareuser” had expired. But the account settings didn’t say anything about a password expiration. Further investigation let me find a local policy that makes all passwords expire after 42 days…

Windows Azure - Default Local Policy: Maximum password age is 42 days

Usually this policy never should have become effective, since the Windows Azure Controller updates all instances every month installing a new operating system and forcing my program to recreate the “fileshareuser” user.

After 42 days running the connection to the K:\ drive would still be there and grant the “fileshareuser” access to the files. But as soon as the instance is rebooted the policy prevents the local user from connecting to the network share.

Solution: deactivate local password policy with shell command

In order to prevent this scenario from happening again in the future I had to deactivate the local password policy on every Windows Azure instance. There are two ways to achieve this for the “fileshareuser”.

  1. Mark the local user account with flag “password never expires”

    Using the following command line the check box “Password never expires” will be checked for the user “fileshareuser”:

    WMIC USERACCOUNT WHERE "Name='fileshareuser'" SET PasswordExpires=FALSE

    Local Account set to Password never expires on Windows Azure
  2. Deactivate local password expiration policy

    This command will set the local password policy “maximum password age” to 0. No local user account will experience a password expiration again.

    net.exe accounts /maxpwage:unlimited


No comments:

Post a Comment