TACACS+ and local account

Hello all. I'm trying to set up my Cisco switch not to use the local account if the TACACS server is up. Here is what I have so far. Thanks.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa accounting send stop-record authentication failure
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

The current configuration you have will work in your favor.
aaa authentication login default group tacacs+ local
This command says the user will be able to log in via local username/password only if the TACACS server goes down.
Conclusion: a local user will not be able to authenticate while the TACACS server is present.
HTH
Regards, Jatin
Do rate helpful posts~
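
The method-list behaviour described in the answer above, as an added Python example that is not part of the original thread: it parses the poster's `aaa` lines and walks the login list, moving to the next method only when the previous one gives no response. The user names, passwords and the dictionary standing in for the TACACS+ server are constructed, and only `group tacacs+` and `local` are modelled.

```python
import hmac
import re

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Authentication/authorization lines taken from the question above.
CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local
"""

LINE = re.compile(
    r"^aaa (authentication|authorization) (login|exec|commands \d+) (\S+) (.+)$"
)


def parse_method_lists(config):
    """Map (service, type, list name) to its ordered list of methods."""
    lists = {}
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # e.g. "aaa new-model" carries no method list
        service, kind, name, rest = m.groups()
        tokens, methods = rest.split(), []
        while tokens:
            tok = tokens.pop(0)
            if tok == "group" and tokens:
                tok = "group " + tokens.pop(0)  # "group tacacs+" is one method
            methods.append(tok)
        lists[(service, kind, name)] = methods
    return lists


def check(method, user, password, tacacs_users, local_users):
    """Outcome of one method; tacacs_users=None models an unreachable server."""
    if method == "group tacacs+":
        if tacacs_users is None:
            return ERROR  # no response from the server
        db = tacacs_users
    elif method == "local":
        db = local_users
    else:
        raise ValueError("method not modelled: " + method)
    stored = db.get(user)
    ok = stored is not None and hmac.compare_digest(stored, password)
    return PASS if ok else FAIL


def login(methods, user, password, tacacs_users, local_users):
    """Only ERROR moves on to the next method; PASS or FAIL is final."""
    for method in methods:
        result = check(method, user, password, tacacs_users, local_users)
        if result != ERROR:
            return result, method
    return FAIL, None  # every method was unavailable


# Constructed sample accounts (not from the thread).
LOCAL_USERS = {"localadmin": "local-pw"}
TACACS_USERS = {"alice": "tacacs-pw"}


def demo():
    methods = parse_method_lists(CONFIG)[("authentication", "login", "default")]
    cases = {
        "server up, local account": ("localadmin", "local-pw", TACACS_USERS),
        "server up, TACACS+ account": ("alice", "tacacs-pw", TACACS_USERS),
        "server down, local account": ("localadmin", "local-pw", None),
        "server down, TACACS+ account": ("alice", "tacacs-pw", None),
    }
    return {
        name: login(methods, user, pw, server, LOCAL_USERS)
        for name, (user, pw, server) in cases.items()
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30} -> {outcome}")
```
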

Similar Messages

  • Automatically sync IMAP account (provider) and LOCAL account (my Mac)

    Hi everybody
    I've searched a lot but didn't find an answer yet. Maybe someone can give me a hint.
    I'm looking for a functionality similar to E-Mail favourites in Windows. The target is to automatically make a copy of some folders in my IMAP account to my LOCAL account. I need to have access to my old E-Mails even when I'm not connected to the Internet.
    Any ideas?
    Greets
    Hger

    Hger wrote:
    Hi everybody
    I've searched a lot but didn't find an answer yet. Maybe someone can give me a hint.
    I'm looking for a functionality similar to E-Mail favourites in Windows. The target is to automatically make a copy of some folders in my IMAP account to my LOCAL account. I need to have access to my old E-Mails even when I'm not connected to the Internet.
    Go to Mail preferences -> Accounts -> Advanced and check the option "Keep copies of messages for offline viewing" -> "all messages and attachments". Then you'll have them on your Mac and will be able to use them even when not connected to the Internet.
    Any ideas?
    Greets
    Hger

  • FWSM: AAA authentication using TACACS and local authorization

    Hi All,
    In our setup, we are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running Cisco ACS). We would like to give restricted access (some show commands) to a couple of users on all devices. We do not want to use TACACS for command authorization.
    We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1, and enabled aaa authorization LOCAL.
    Now, those users can successfully log in to devices and execute those show commands from priv level 1 except "sh access-list". I have specifically mentioned this
    "privilege show level 1 mode exec command access-list" in the config.
    Is there anything I am missing or is there any other way of doing it?
    Thanks.

    You cannot do what you are trying to do. For default login you need to use the first policy matched.
    You can diversify telnet/ssh with http by creating different aaa groups.
    But still you will be logging in for telnet users (all of them) using one method.
    I hope it is clear.
    PK

  • The "Microsoft Store" app and local account

    Hi
    With Windows 8.1 Update,
    I use some local account.
    When I log on to one of them, I open
    the "Microsoft Store" app and
    I access through a Microsoft account.
    At this point, I noticed that my local account
    is completely switched to the Microsoft account.
    How come? How do I prevent this?
    Thanks
    Bye
    Balubeto

    Hi Balubeto,
    Firstly, follow these steps to disconnect the Microsoft account:
    1. Open change PC settings;
    2. Click Accounts link in the right navigation bar;
    3. The screen below appears:
    Click Disconnect, and you will switch to the local account.
    After that, if you want to access Windows Store, follow this method to avoid making the whole PC switching to the Microsoft Account:
    Click Sign in each app separately instead (not recommended) link at the bottom of the page, you will connect the Microsoft account just to this app.
    Karen Hu
    TechNet Community Support
    Doing in this way, I could also install or update some apps for all users?
    Thanks
    Bye
    Balubeto

  • Same user in tacacs and local database with different privilege

    Hi there,
    i am just not sure if this is correct behavior.
    i am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the nexus 5020 platform.
    i have configured authorization with tacacs+ on ACS server version 5.2 with fall back to switch local database.
    aaa authentication login default group ACS
    aaa authorization commands default group ACS local
    aaa accounting default group ACS
    A user test with priv 15 is created on the ACS server, password test2.
    Everything works fine, until I create the same username on the local database with privilege 0. (It doesn't matter if the user in the local database was created before the user in ACS or after.)
    e.g.:
    username test password test1 role priv-0   (note passwords are different for users in both databases)
    After I create the same user in the local database with privilege 0,
    if I try to connect to the switch with this username test and the password defined on ACS, I get only privilege 0 authorization, regardless that the ACS server is up and it should be the primary way to authenticate and authorize the user.
    is this normal?
    thank you for help...

    Hello.
    Privileges are used with traditional IOS. Privileges are part of "command authorization". Other operating systems (like IOS-XR, Nexus OS , Juniper JunOS) use "role-based authorization" instead of "command authorization".
    So traditional IOS can use the "privilege" attribute but other operating systems can not.
    Although IOS-XR, Nexus, ACE, Juniper have the "role-based authorization" feature, every single one of them uses its own particular attributes.
    When I was configuring TACACS with ACE, Juniper and other devices I had to capture the packets to find out what the particular attributes of ACE were, what the particular attributes of JunOS were, etc., and to search deeply for some hints in the documentation, because sadly the documentation is not very good when talking about TACACS details.
    If you find which attributes to use, and what values to assign to the attributes then you can go to ACS and configure a "Shell Profile".
    Now back to Nexus 5000. It seems this particular device has the option to mix "role-based" with "command authorization" by overriding the default roles with other roles whose names are called "priv". It seems this was an effort to try to map the old concept of "privileges" to the new concept of "roles". Although you see the word "priv", it's just the name of the role. My particular point of view is that this complicates the whole thing. I would recommend using just the default roles, or customizing some of them (only if needed), but not using "command authorization".
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/security/502_n1_1/Cisco_n5k_security_config_gd_rel_502_n1_1_chapter5.html
    I will search for the particular attributes Nexus uses to talk to the TACACS server. If I get them I will post them here.
    Please rate if it helps

  • PIX 525 aaa authentication with both tacacs and local

    Hi,
    I have configured the aaa authentication for the PIX with tacacs protocol (ACS Server).
    It works fine, now i would like to add the back up authentication, as follows:
    - If the ACS goes down I can be authenticated with the local database.
    Is it possible with PIX, if yes how?

    Hi,
    I am trying to configure aaa using TACACS+, I am not able to close. Problems are:
    1. It doesn't ask for username/password at the first level.
    2. At the second level it asks for the user name; it doesn't authenticate the user.
    Could you please let me know if the following config is correct. If not, could you help me.
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authen enable console TACACS+

  • Getting All Local Groups, Group Members and Local accounts on all Servers

    Hello Everyone,
    Sorry if this has been covered already, but I didn't see anything that quite answered my question.
    I've been given the task of generating an Access Control List here at work and I've managed to piece together a few scripts that gets me so close it's frustrating.
    The script I have now will parse through a text file with all my Windows servers listed in it and it does output in the console the server name, all of the groups on the server (Administrators, Remote Users, Backup Operators, etc.) and all the individual members of those groups and nested groups.
    However, I can't seem to get it to export to a CSV for easy digestion. I've tried to pipe the export-csv command, but the csv it gives me doesn't have any useful information in it.
    Here is the script:
    $list = @()
    $Servers = Get-Content ListOfComputers.txt
    foreach ($server in $Servers) {
        $server | % {
            $server = $_
            $server
            $computer = [ADSI]"WinNT://$server,computer"
            $computer.psbase.children | where { $_.psbase.schemaClassName -eq 'group' } | foreach {
                # $group is only assigned on the next line, so this prints the previous group's name
                "`tGroup: " + $Group.Name
                $group = [ADSI]$_.psbase.Path
                $group.psbase.Invoke("Members") | foreach {
                    $us = $_.GetType().InvokeMember("Adspath", 'GetProperty', $null, $_, $null)
                    $us = $us -replace "WinNT://",""
                    $class = $_.GetType().InvokeMember("Class", 'GetProperty', $null, $_, $null)
                    # one record per group member is collected in $list
                    $list += new-object psobject -property @{Group = $group.Name;Member=$us;MemberClass=$class;Server=$server}
                    "`t`tMember: $us ($Class)"
                }
            }
        }
    }
    The format it pumps out to the console is good, other than it's somewhat upside down, the members are all listed above the group name such as below, where there's no members in the Administrators group, but User1, 2 and 3 are part of the Remote Desktop Group.
     This isn't horrible as I can cut and paste it out of the console and into a spreadsheet, but then i have to shift things up a row and doing that for the entire list is going to be way more work than I'd like.
    Server01
    Administrators
    User1
    User2
    User3
    Remote Desktop Users
    When I use export-csv on the script above I get a bunch of numbers rather than groups or members like this:
    Length
    13
    51
    40
    35
    63
    63
    35
    32
    Hopefully, there's someone out there who can help me tweak this script so that I can just dump it all to a csv and be done, with little to no massaging of the data afterward.
    Thanks in advance,
    Tyler

    Sure. After you've run the script, type this in the console:
    $list | Export-Csv .\groupInformation.csv -NoTypeInformation
    You'll then have a CSV file in the directory, open that with Excel and see if that gives you the information you're after.
    Don't retire TechNet! -
    (Don't give up yet - 13,085+ strong and growing)

  • Incorrect user and admin accounts showing when trying to apply patches

    Hi folks,
    I have completed a (rather painful) install of the "main" component of BPC version 7 on my clients' server, with a domain user as the System Admin, and local accounts for the Admin and User accounts.
    This is a single-server install.
    Now, when I try to apply the two patches to make it "officially" SP4, on the page that asks for my passwords it has filled in my IDs incorrectly.
    So, my System Admin ID is showing correct as <domain>\sysadmin, but my admin and user are also showing as <domain>\bpcadmin and <domain>\bpcuser, rather than as they SHOULD appear: <local machine name>\bpcadmin and <local machine name>\bpcuser.
    I have no idea what is happening, but I'm guessing it is down to some COM+ object that hasn't updated properly for some reason.
    I also had a problem with the ApShell application not being created, so I had to do this manually, which I know isn't normal. Also, there has been no database created for ApShell either.
    I checked all the pre-requisites and made sure all user accounts were ready to use, etc, but is there anything anyone can think of that might be causing these problems?
    Thanks very much.
    Best wishes,
    Jason
    Update: I thought that it would be a good idea to uninstall BPC and start again, rather than amending components and databases manually, which shouldn't be necessary. Any tips on cleaning up the resulting mess would be most welcome!

    Thanks Tony!
    I reinstalled the application with the Sys Admin right the way through, and it accepts it, but I get another error:
    [click here for picture|http://picasaweb.google.com/lh/photo/JFFxet7nUJcoeHY9hAQOcQ?feat=directlink]
    This is weird as the database error shows C:\... when actually the default database is on D:\Data...
    If I click on OK, I then get this much more complicated message:
    [click here for picture|http://picasaweb.google.com/lh/photo/uM0LmGaQgJx4VseRqwXnsQ?feat=directlink]
    I'm not even going to try and interpret that one - but some searches on the internet haven't been very useful.
    Any ideas? I'm almost at the point of getting the client to uninstall and reinstall SQL Server again, as I've been having this problem for at least 24 hours. But I'm keen to avoid this if possible, so any help would be appreciated.
    Cheers,
    Jason

  • Automatic switch a local account to a Microsoft account or vice versa

    Hi
    With Windows 8.1 Update 1, when I switch a local account to a Microsoft account or vice versa, some dialog and confirmation/verification screens are displayed.
    Is it possible to save the data inserted in these dialog screens and eliminate the confirmation/verification screen in order to automate these procedures?
    Thanks
    Bye
    Balubeto

    Hi,
    This is a built-in feature in Windows for security concerns; I don’t think there is a method to eliminate this.
    You can see this link if you want to know what’s going on when switch accounts in Windows 8:
    http://blogs.msdn.com/b/zxue/archive/2012/03/07/win8-howto-7-switch-between-windows-accounts-and-local-accounts.aspx
    Regards
    v-yamliu

  • Windows 8 Sysprep - Can't skip local account creation and autologon fails, wrong admin password.

    Using Windows 8 x64 Enterprise, Sysprep pauses to ask me to create a local user, which I don't want.
    If I enable SkipSystemOOBE and SkipUserOOBE in OOBE under Microsoft-Windows-Shell-Setup sysprep (in oobe mode) will skip user creation and autologon works.  But it only works correctly once.  If I run sysprep again, when it tries to autologon it will say that I have the wrong password for the local account.  After I type in the password manually it works.  If I use the same password for the local administrator account as for the autologon account, it looks to have the encrypted password twice with an equal sign after it.
    What I need to know:
    How to skip local user account creation (we run on a domain but I have it connect through scripts later)
    How to fix the autologon issue
    Do I need the local administrator account enabled for this to work?
    I have my unattend.xml file attached.
    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
      <settings pass="oobeSystem">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <AutoLogon>
            <Password>
              <Value>[removed]</Value>
              <PlainText>false</PlainText>
            </Password>
            <Username>[removed]</Username>
            <LogonCount>2</LogonCount>
            <Enabled>true</Enabled>
          </AutoLogon>
          <FirstLogonCommands>
            <SynchronousCommand wcm:action="add">
              <Order>1</Order>
              <CommandLine>c:\folder\abatchfile.bat</CommandLine>
              <RequiresUserInput>false</RequiresUserInput>
            </SynchronousCommand>
          </FirstLogonCommands>
          <OOBE>
            <HideEULAPage>true</HideEULAPage>
            <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
            <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
            <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
            <NetworkLocation>Work</NetworkLocation>
            <HideLocalAccountScreen>true</HideLocalAccountScreen>
            <ProtectYourPC>3</ProtectYourPC>
          </OOBE>
          <TimeZone>Eastern Standard Time</TimeZone>
          <DisableAutoDaylightTimeSet>false</DisableAutoDaylightTimeSet>
          <RegisteredOrganization>Company Name</RegisteredOrganization>
          <RegisteredOwner>CompanyName</RegisteredOwner>
        </component>
        <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <UserLocale>en-US</UserLocale>
          <UILanguage>en-US</UILanguage>
          <SystemLocale>en-US</SystemLocale>
          <InputLocale>en-US</InputLocale>
        </component>
      </settings>
      <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <ComputerName>*</ComputerName>
        </component>
      </settings>
      <cpi:offlineImage cpi:source="wim:[removed]/sources/install.wim#Windows 8 Enterprise" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
    </unattend>

    The user accounts-creation page in Windows Welcome is suppressed if a user or a group is added to a local security group. Add a user or a group to a local security group by doing one of the following:
    Create a local user.
    Add a domain user to a local security group with the Microsoft-Windows-Shell-Setup | UserAccounts unattended installation setting.
    To suppress the user accounts-creation page in Windows Welcome, without creating a local user, use one of the following workarounds:
    Workaround 1
    If the computer is already joined to a domain, use the following XML example to add the Domain Users security group to the Local Users security group.
    <DomainAccounts>
      <DomainAccountList wcm:action="add">
        <DomainAccount wcm:action="add">
          <Group>Users</Group>
          <Name>Domain Users</Name>
        </DomainAccount>
        <Domain>FabrikamDomain</Domain>
      </DomainAccountList>
    </DomainAccounts>
    Because joining a domain automatically adds the Domain Users security group to the Local Users security group, the DomainAccounts command does not affect the membership of the Local Users group. However, using this XML example to join a domain will also suppress the user accounts-creation page in Windows Welcome.
    Workaround 2
    Use the Sysprep/Quit command to set the following registry value to 1:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OOBE\UnattendCreatedUser

  • How can I install WebOfTrust for a local account and save the profile so that it transfers to domain accounts that log on to that specific computer?

    We are creating images through ghost server to clone onto several laptops and one of the features we need to have configured is the Web of Trust extension in Firefox. I have configured a local account on the machine and set up Web of Trust and then copied the profile image in regedit to the default profile image and saved this. WOT works for local accounts but whenever I try domain accounts, Web of Trust needs to be disabled and re-enabled.

    Try using Web of Trust support:
    http://www.mywot.com/en/support
    Or post in their user support forum:
    http://www.mywot.com/en/forum

  • Metro Apps don't open on Local and Domain account. Works on Microsoft Live account. Windows 8.1 Pro

    This is Happening on Three different computers.
    All computers are Windows 8.1 Pro. This is a clean install.
    When the computer is initially setup, I first sign on with my Windows Live ID and everything seems to work fine there.
    After Joining the computer to the domain, none of the Metro UI apps will open, they open briefly and close.
    Added a local account and found that it also does not work there.
    Steps I have tried to resolve this:
    Modified owner and permissions on registry Key: HKCR\AppID\{3EB3C877-1F16-487C-9050-104DBCD66683}
    Changed owner to Local Administrator and gave full control to Local Admin and Domain user account.
    Ran DCOMCNFG and under Computers -> My Computer -> WinInetCacheServer Properties I went to the IDENTITY TAB and changed it to the Interactive User.
    That did not help.
    Ran this command: "powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\WinStore\AppxManifest.xml" from elevated command prompt and also did not help.
    I tried downloading the App troubleshooter but it would not run.
    I also tried "wsreset.exe" and got an error saying: " Windows cannot find 'ms-windows-storePurgeCaches'. Make sure you typed the name correctly, and then try again"
    When Trying to open the app and it fails I get this error under Applications in Event Viewer:
    "Activation of app winstore_cw5n1h2txyewy!Windows.Store failed with error: This app does not support the contract specified or is not installed. See the Microsoft-Windows-TWinUI/Operational log for additional information."
    Anyone know how to resolve this.
    We are looking to implement Windows 8.1 Pro to our clients pretty soon and need to get this resolved asap.
    Thanks

    This is Happening on Three different computers.
    All computers are Windows 8.1 Pro. This is a clean install.
    When the computer is initially setup, I first sign on with my Windows Live ID and everything seems to work fine there.
    After Joining the computer to the domain, none of the Metro UI apps will open, they open briefly and close.
    Hi,
    Did you mean that this problem only occurs after you join the computer to the domain? If so, you may need to check whether your domain controller would install any program to your system, or you can contact the domain administrator for further assistance.
    In addition, run the following in a Command Window (CMD) to re-register the Store App:
    powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\WinStore\AppxManifest.XML
    Roger Lu
    TechNet Community Support

  • On Windows Server 2008, local account passwords are reset when the server is rebooted. Why, and how do we fix?

    We are running a commercial application on a Windows 2008 Server. After reboot, we cannot access the application because two services fail to start. The reason they fail to start is that the passwords to the local user accounts tied to those services have either been deleted or reset to a different value. In order to restart the application, we must reset the passwords of these two local accounts, then stop and restart all the application's services.  According to the application's maker, the accounts must be local.
    My colleague believes the passwords are being deleted or reset as a result of a global domain policy.  Is this likely?
    Assuming my colleague is correct, is there anything we can do locally to prevent these passwords from being deleted or reset when the server reboots?  If not, what is the most granular change we can ask our AD administrators to make to the policy, so that these local accounts are not touched at reboot.
    Thanks.

    Hello,
    have you configured the accounts to have the permission "Log on as a service"? I have seen that this is not given to the account and therefore the service fails to start.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • DLU and local "Administrator" account

    I have another network admin that has given me some information of the
    subject heading that I don't quite understand...
    They are using ZEN 3.2 with DLU on a Citrix server. This way, when a
    student logs in via Citrix and gets logged in, ZEN policies restrict
    them to what they can and cannot do on the local machine. Since they
    need elevated rights to the registry (for whatever reason), they use
    the "Administrator" account and are members of the "Administrator"
    group on the local machine.
    I simply don't understand it...When I use DLU (on workstations mind
    you), I have the following for the policy...
    ================================================== =======
    Enable DLU
    Manage Existing User Account (if any)
    Use eDirectory Credentials
    Nothing underneath for the username, but they are members of "Users"
    ================================================== =======
    His configuration is as follows...
    ================================================== =======
    Enable DLU
    Manage Existing User Account (if any)
    Username: Administrator
    Member of: Administrators, Users
    ================================================== =======
    He tells me that with this config when a student logs in, they
    automatically use the local "administrator" account. That's what I
    don't get.
    My config makes a new user on the workstation if they haven't logged
    into the machine before. I thought at times it would be handy to make
    3 accounts locally, such as "Staff" "Student" and "Administrator" for
    instance, but didn't realize this config he talks about could make it
    happen. Can it? I still don't get it at this point. I'm reading my
    manuals and what-not and am not yet convinced.
    What I'm hung up on is the password syncing. If I am logging in as
    "bbinder" with a password of "hello" (NDS credentials) but the local
    "administrator" password is "goodbye", why wouldn't it prompt me for
    the administrator password since it's not the same as mine? There
    isn't an "existing account" to manage in his config. This (I assume)
    means it uses the account specified in the name field you can type in.
    In his case, this is "administrator" as typed in above. But since the
    passwords aren't the same, how does it use the local "administrator"
    account? Does it overwrite the password? Does it create a new
    administrator account and call it "administrator.001" ??? Not quite
    getting it yet.
    Anyone want to try and help me with this? Some people think there
    would be some big benefits by having everyone use the local
    "administrator" account, for instance because it has full rights to
    the registry and file system. Plus, GP's will still be in effect, so
    they would be locked out of the parts of the workstation you want to
    lock them out of anyway.
    Other advantages would include a "pre-made" user profile that has
    already been secured and populated with the various things deemed
    acceptable by the company's/school's policies.
    Also, no delay on login when a new local account has to be created.
    Since they are all using the same account being specified in the
    policy, it would be nice and fast to login to.
    Finally, no more prompting new users to enter in their names and
    initials when MS Office apps run for the first time under a user
    account. Maybe this could be avoided with a policy, but this would
    suffice as well.
    Sorry it's so long, but I appreciate any help you guys can offer to
    clear this up for me.
    Brian

    Craig,
    I'm sorry - I thought I replied on this post but I didn't.
    Just wanted to say thanx for taking the time to explain this to me.
    Brian
    On Fri, 20 Aug 2004 10:46:44 GMT, Craig Wilson
    <[email protected]> wrote:
    >DLU simply changes the "Administrator" accounts password in this instance.
    >
    >How do you know what the current "Administrator's Password"? You don't
    >and you just pray DLU or something does not break.
    >
    >Instead of using the "Administrator's Account", just use any other name of
    >an account that does not exist like "SQUAREPANTS".
    >
    >DLU will create the account and put it in the administrators group.
    >All users will share the same profile so you get all the benefits of the
    >other system, without the risk of losing access to the box.
    >
    >I actually never give users local admin rights nor do I have users share
    >profiles, but .............

  • Local account credentials and licensing

    Hello, we have a Windows 2008 R2 server used for terminal services.
    The server is configured and is working fine.
    All domain users can login without issues.
    If we login with a domain administrator account, this server successfully contacts the license server and validates.
    However, we have the server locked with a local administrator account, as there is an application that runs in the background.
    Because of this, we are encountering the error: "The Remote Desktop Session Host Server Configuration tool is running with local account credentials. In Licensing Diagnosis, the Total Number of licenses Available value may be inaccurate." It gives the warning that we have a number of days before the remote services is disabled.
    Obviously we don't want this to happen.
    My question is if this will actually be disabled, even though we have validated with the license server before with a domain account?
    Do we have to have server locked with a domain account to get rid of this error?
    Many Thanks,
    Ravi

    Hi Ravi,
    Thank you for your posting in Windows Server Forum.
    Yes, to get rid of this error and for better result you must always attach License server with Domain account. Means you need to join the server to a domain. Because the error which you are facing is due to “Issue with Credential” as License server can’t identify the local user account credentials. In your case, you need to lock server with domain account.
    Please check below article.
    Licensing Diagnosis: Problems and Resolutions
    http://blogs.msdn.com/b/rds/archive/2008/02/01/licensing-diagnosis-problems-and-resolutions.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
