In some environments, there are times when locked application/databases accounts need to run some cron jobs. In linux, by default, a locked account can not run the cron job.
We can enable this by editing a specific setting is disabled in /etc/pam.d/crond file.
Here is the details:
# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
auth sufficient pam_rootok.so
auth required pam_stack.so service=system-auth
auth required pam_env.so
account required pam_stack.so service=system-auth
# account required pam_access.so
session required pam_limits.so
session required pam_loginuid.so
This example is working in Redhat Linux. In the /etc/pam.d/crond file, if we disable "account required pam_access.so" line the cron started working again for the locked account as well.