If you open Computer Management in Windows Server and look under Local Users and Groups, you may find a CLIUSR account. In this post we’ll explore this account.
What Is CLIUSR Account In Windows Server?
Basically, according to Microsoft, ‘The CLIUSR account is an internal component of the Cluster Service. It’s completely self-managing so that you’re not required to configure or manage it. The CLIUSR account is a local user account that’s created by the Failover Clustering feature if the feature is installed on Windows Server 2012 or later versions.’
The evolution of this account can be described as follows:
- Windows Server 2003: A domain account called the Cluster Service Account (CSA) was used to form the cluster, for registry replication, and to join a node. So it seems any authentication between nodes used the CSA as a common identity. This gave rise to a number of issues. For instance, if you used the same account for multiple clusters, this could result in production downtime around some crucial systems. In addition, if you changed the user account password in Active Directory, you also had to change the password on all clusters or nodes.
- Windows Server 2008: Microsoft improved the Cluster service and made it easier to manage. The design team changed it to run under a reduced account, which suppressed many Group Policy related problems. For authentication, the service switched to a computer object named after the cluster, called the Cluster Name Object (CNO). The major benefit is that you no longer have to remember which cluster was using which account, so you don’t need to keep track of a domain user account and its password changes.
- Windows Server 2008 R2: Microsoft introduced Cluster Shared Volumes (CSV), which became the standard for private cloud storage. CSV handles intra-cluster communication over the SMB protocol, which is mainly used for file sharing. An SMB connection requires authentication, and in Windows Server 2008 R2 that involved authenticating the CNO with a remote domain controller.
Introduction of CLIUSR account with Windows Server 2012
Some issues remained in the previous versions, and the CLIUSR account deals with them. In older versions, reduced Network Service privileges were used to start the Cluster service. With the CLIUSR account, all external dependencies for authentication between nodes were removed. The CLIUSR account:
- Is self-managed by the Cluster service.
- Has its password rotated automatically.
- Is synchronized across all the nodes automatically for you.
- Has its password rotated at the same frequency as the CNO, i.e. every 30 days (default).
With the CLIUSR account, you can virtualize all your DCs. Microsoft is committed to enhancing the availability of the cluster by reducing external dependencies. You can identify the CLIUSR account by its description in Computer Management. It is advisable not to make any modifications to this account.
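For an account review, the points above (created by the Failover Clustering feature, self-managed, password rotated every 30 days by default, not to be modified) can be checked on a node with a short script. This is an added example, not Microsoft's code; the function name `Test-CliusrAccount` and the 35-day threshold are assumptions chosen for illustration.

```powershell
# Added example, not Microsoft's code. Assumes an elevated session on a
# Windows Server node with the LocalAccounts and ServerManager modules.
function Test-CliusrAccount {
    param(
        # Assumed threshold: the 30-day default rotation plus a few days of slack
        [int]$MaxPasswordAgeDays = 35
    )

    $findings = @()
    $feature  = Get-WindowsFeature -Name Failover-Clustering
    $account  = Get-LocalUser -Name 'CLIUSR' -ErrorAction SilentlyContinue

    if (-not $account) {
        # Nothing to review on this node
        return [pscustomobject]@{ Present = $false; Findings = $findings }
    }

    # The account is created by the Failover Clustering feature, so a CLIUSR
    # user on a server without that feature deserves a closer look.
    if (-not $feature.Installed) {
        $findings += 'CLIUSR exists but Failover Clustering is not installed.'
    }

    # The Cluster service manages the account itself; a disabled account
    # suggests someone modified it by hand.
    if (-not $account.Enabled) {
        $findings += 'CLIUSR is disabled.'
    }

    # A password much older than the rotation interval suggests rotation stalled.
    $ageDays = $null
    if ($account.PasswordLastSet) {
        $ageDays = [int]((Get-Date) - $account.PasswordLastSet).TotalDays
        if ($ageDays -gt $MaxPasswordAgeDays) {
            $findings += "Password is $ageDays days old (limit $MaxPasswordAgeDays)."
        }
    }

    [pscustomobject]@{
        Present         = $true
        Description     = $account.Description   # compare with Computer Management
        Enabled         = $account.Enabled
        PasswordAgeDays = $ageDays
        Findings        = $findings
    }
}

Test-CliusrAccount | Format-List
```

The script only reads account properties and changes nothing, in line with the advice to leave the account unmodified.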