Scheduled Tasks and Windows Account Lock Outs

Just sharing a rather frustrating experience of mine from the last few days.

As is the case with many large companies, the fleet of computers is managed via Active Directory and one or more domains. Users' main interaction with AD is authentication with a username and password, but it also covers things such as AD groups, which may regulate access to network resources and applications. Users, if so privileged, may also set up scheduled tasks on a computer to run as themselves, but only after providing their username and password when scheduling the job.

However, it is worth knowing that when you are forced to change your password on the domain, the change does not update the scheduled tasks for which you have provided your credentials. This is particularly bad because when a task attempts to run with your out-of-date credentials, it can lock your account if it fails to authenticate a certain number of times (set according to the domain policy). If you've got lots of scheduled tasks, this may not give you much time to update your credentials, particularly if they are located on remote computers.
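One way to find those tasks before or after a password change is the PowerShell inventory below. It is an added example, not part of the original post: the function name `Get-StoredCredentialTask`, the account and the computer names are placeholders, and it assumes CIM/WinRM remoting is enabled on the target machines.

```powershell
# Added example: list scheduled tasks that store a password for one account.
function Get-StoredCredentialTask {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string] $Account,          # 'DOMAIN\user' or 'user'
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )

    # Last-run results a task leaves behind when its stored credentials are rejected.
    # Decimal literals are used because LastTaskResult is an unsigned 32-bit value.
    $logonFailure = [uint32]2147943726   # 0x8007052E, ERROR_LOGON_FAILURE
    $lockedOut    = [uint32]2147944309   # 0x80070775, ERROR_ACCOUNT_LOCKED_OUT

    $short = ($Account -split '\\')[-1]  # compare on the user part only

    foreach ($computer in $ComputerName) {
        try {
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop
        } catch {
            Write-Warning "Cannot reach ${computer}: $($_.Exception.Message)"
            continue
        }
        try {
            Get-ScheduledTask -CimSession $session |
                Where-Object {
                    # LogonType 'Password' means the task holds saved credentials
                    $_.Principal.LogonType -eq 'Password' -and
                    ($_.Principal.UserId -split '\\')[-1] -eq $short
                } |
                ForEach-Object {
                    $info = Get-ScheduledTaskInfo -TaskName $_.TaskName `
                        -TaskPath $_.TaskPath -CimSession $session
                    [pscustomobject]@{
                        Computer    = $computer
                        Task        = $_.TaskPath + $_.TaskName
                        RunAs       = $_.Principal.UserId
                        LastRun     = $info.LastRunTime
                        LastResult  = '0x{0:X8}' -f $info.LastTaskResult
                        AuthProblem = $info.LastTaskResult -in $logonFailure, $lockedOut
                    }
                }
        } finally {
            Remove-CimSession -CimSession $session
        }
    }
}

# Constructed sample call; replace the names with your own.
Get-StoredCredentialTask -Account 'EXAMPLE\jdoe' -ComputerName 'PC-01', 'SRV-02' |
    Sort-Object Computer, Task | Format-Table -AutoSize
```

Rows with `AuthProblem` set to `True` are the tasks whose last run was rejected at logon and are the first ones to update with the new password.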

The best practice would be to use a dedicated account whose password never changes (like a service account, which is a good idea to maintain security), or you could run the task as Local System instead. There are other options, but those would be the easiest to implement without going down the rabbit hole of overly technical solutions.
