Symantec Management Platform (Notification Server)

  • 1.  NS domain account locked

    Posted Apr 01, 2011 05:18 AM

    Hi

    I am using CMS 7.0; everything is working fine.

    But when I am going to change the password of the NS, the domain account gets locked at that time.

    And too many logs are generated at that time.



  • 2.  RE: NS domain account locked

    Posted Apr 01, 2011 09:41 AM

    If I understand properly, CMS 7.0 was installed and working fine.  But you changed the password of the Active Directory account used as the Application Identity.  When you changed the password for this account, the NS kept attempting the old password, and the Active Directory account became locked.  So many logs are being written that you can't figure out what's going on.

    Is that right?

    If so, stop all Altiris services on your NS.  Reset the password of the application identity account and be sure the account is not locked out.  Right-click each Altiris service on the NS and have it use the new account and/or password.  When the console opens, update the application identity password within Settings.

    I'm not sure if you'll be able to do the last step if you're locked out, but it's worth a try.



  • 3.  RE: NS domain account locked

    Posted Apr 01, 2011 10:29 AM

    To have a console open, change the password, then use the console utility to set the new password. As mclemson has noted, if you change the password, and then try to log in, the console will be broken, and you're going to get locked out.

    Another option is using aexconfig /svcid.

    Can you not get an exception for a 'service' account?



  • 4.  RE: NS domain account locked

    Posted Apr 01, 2011 12:34 PM

    For what it's worth, my service account has no expiration but is a minimum of 25 characters long, upper, lower, numeric, special.  We combine it with logging to protect ourselves.



  • 5.  RE: NS domain account locked

    Posted Apr 01, 2011 02:10 PM

    Even some of the most secure organizations use service accounts. You can establish procedures (monitored by logging or whatever) to ensure that it isn't used to log in to the system. The exception being if you're doing upgrades or other maintenance, whereas the account can be 'checked out' to explain why it's being used (or for audit purposes).



  • 6.  RE: NS domain account locked

    Posted Apr 05, 2011 02:32 AM

    The console is working fine after changing the password,

    but after some time the Altiris account (AD) gets locked.

    If we check the AD logs, we get w3wp.exe as a source.



  • 7.  RE: NS domain account locked

    Posted Apr 05, 2011 11:24 AM

    Consider creating a new service account and carefully restricting its use to only Altiris.  It appears that it was used somewhere else and an old password is causing account lockout.  You could also ask your AD administrator for assistance in tracking down the cause of the lockout.
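
One way to trace the lockout source discussed in posts 6 and 7, as an added example that is not part of the original thread: it groups failed-logon events for one account by workstation and calling process, which is how a source such as w3wp.exe shows up. The account name `svc-altiris`, the host names and the sample records are constructed; it assumes Windows Server 2008 or later, where failed logons are Security event ID 4625.

```powershell
# Added example (not from the thread). 'svc-altiris' and the host names are
# hypothetical; assumes failed logons are audited as Security event ID 4625.

function ConvertFrom-FailedLogonEvent {
    # Flatten a live 4625 event's named EventData fields into a simple record.
    param([Parameter(ValueFromPipeline)] $WinEvent)
    process {
        $data = @{}
        ([xml]$WinEvent.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            TimeCreated     = $WinEvent.TimeCreated
            TargetUserName  = $data.TargetUserName
            WorkstationName = $data.WorkstationName
            ProcessName     = $data.ProcessName   # "Caller Process Name"
        }
    }
}

function Get-LockoutSourceSummary {
    # Count bad-password attempts for one account per (workstation, process).
    param([Parameter(Mandatory)] [object[]] $Records,
          [Parameter(Mandatory)] [string]   $Account)
    $Records |
        Where-Object { $_.TargetUserName -eq $Account } |
        Group-Object WorkstationName, ProcessName |
        Sort-Object Count -Descending |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            [pscustomobject]@{
                Workstation = $sorted[0].WorkstationName
                Process     = $sorted[0].ProcessName
                Attempts    = $_.Count
                First       = $sorted[0].TimeCreated
                Last        = $sorted[-1].TimeCreated
            }
        }
}

# Constructed sample records, shaped like ConvertFrom-FailedLogonEvent output.
$sample = @'
TimeCreated,TargetUserName,WorkstationName,ProcessName
2011-04-05T02:01:10,svc-altiris,NS01,C:\Windows\System32\inetsrv\w3wp.exe
2011-04-05T02:01:40,svc-altiris,NS01,C:\Windows\System32\inetsrv\w3wp.exe
2011-04-05T02:02:05,svc-altiris,PKGSRV02,C:\Windows\System32\svchost.exe
2011-04-05T02:02:30,other-user,WKS114,C:\Windows\System32\winlogon.exe
2011-04-05T02:03:10,svc-altiris,NS01,C:\Windows\System32\inetsrv\w3wp.exe
'@ | ConvertFrom-Csv

Get-LockoutSourceSummary -Records $sample -Account 'svc-altiris' | Format-Table -AutoSize

# Live use from an elevated prompt on the host that logged the failures:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ConvertFrom-FailedLogonEvent
```

A row that is not the NS's own IIS worker process (here the constructed `PKGSRV02` entry) points at a second place where the old password is still stored.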



  • 8.  RE: NS domain account locked

    Posted Apr 05, 2011 09:26 PM

    It's only happened once though. Couldn't tell you why either. Just thought you might like to know.



  • 9.  RE: NS domain account locked

    Posted Apr 08, 2011 09:42 PM

    Posting again as a more and more ashamed NS7 neophyte...but one thought.  In NS 6.x you could define a domain account to use by clients for accessing Package Servers.  I believe by default it was set to use the Application Identity by default (though you could create a Package Access Credential (PAC) on the PS itself).  In some cases if you changed the password, the PAC account would get continually locked out until all clients had updated configuration with the new encrypted network password for the account.  The solution is to have 2 accounts for Package Access.  When it comes time to change the password for account1, you also change account2.  Then, you change the PAC account to account2.  After a few days (to ensure that the changed credentials have propagated throughout the environment), you change the password for account1.