==YES== there would be big issues. that is one of the service accounts and it would not be able to log on. The other is that accout has permissions to the mailstore.

rlp

Hi -

Another thing that will cause you pain is the password getting changed by group policy for the special Unity accounts, unitydirsvc and unitymsgstoresvc. If that happens, you will need to rerun Service wizard and Message Store Configuration wizard to get Unity operational again. Better to keep the Unity servers and accounts out of an OU that gets group policies applied without you knowing or getting a chance to test beforehand.

Regards, Ginger

From personal experience, I can wholeheartedly agree with Ginger on this: keep the Unity servers away from any GPOs you don't control, period.

I've had a UnityMSGStore account get locked out, and when that happens, just count voice mail as toast. Not to mention, that account will stay locked out, because Unity will hammer away at it and reset the "time until unlock" timer on the account.

Bottom line, don't set the Unity, or CallManager accounts for that matter, to any sort of lockout policy. An unscrupulous user or fat-fingering admin could create a DoS situation very, very quickly.

Thanks for the reply guys,

What is Cisco's recommendation on securing Unity accounts?

If we set group policy for three bad attempt lock out account, if the account gets locked out then we will have problem unity talking to exchange.

If we set it no group policy then its a security issue.

Is there any CCO document on this topic?

Thanks

Mudassir

Hi,

I think we are running into this problem, The other day after a Unity reboot, the services would not start. I had to click on several services, select logon tab, set new password and then the services would start. Where might I look to see where the services might be affected by a policy, I am not a windows exchange guy by any means, so if you can give me a few details where to look, I would be very grateful.

Thansk,

Chuck

first of all you need to understand that several core services run over the accounts discussed.

Appendix: Cisco Unity 4.x Services

http://www.cisco.com/en/US/partner/docs/voice_ip_comm/unity/42/upgrade/guide/ex/ru_550.html

in case one of those is disabled, blocked, whatever, the services won't start so unity will be down or won't work properly

actually this is not from windows or exchange point of view, but from AD. The AD is the place where this accounts are stored and where they might be subject to group policies so i strongly recommend to get in touch with your AD admin and tell him that he needs to keep the unity accounts free of policies that could block them, lock them after 3 wrong logins, ask for pwd change after x amount of time, etc.

HTH

javalenc

if this helps, please rate