Password Policy and Service Accounts

Guest

I would like to start using Domain wide password policies and have a question
regarding service accounts. We have many accounts for various software
packages that need the "Run as Service" elevated privilege on our servers.
Every so often we may need to log on to the server or workstation as one of
these accounts for troubleshooting. Will password policies affect these
accounts? Also is there a way to exclude certain accounts from domain
password policies?

Thanks.
 
Danny Sanders

Will password policies affect these
accounts?

Yes.

Also is there a way to exclude certain accounts from domain
password policies?

Set the account's password to never expire. It's a good idea to periodically
change it manually.

hth
DDS W 2k MVP MCSE
 
Roger Abell [MVP]

And, by the way, Danny gave you _the only_ solution if the
service accounts are domain accounts. Alternatively, one
can often use machine local accounts for services, in which
case you would want to mask the machine local SAM from
the effects of the domain defined account policies by having
different account policies set in an OU linked GPO, which
then is combined if needed with the same technique Danny
outlined.
 
Joe Richards [MVP]

Or simply change the service passwords within the password change policy. My
recommendation is that folks work out a process that allows them to change
service passwords even more often than normal passwords. They don't have the
same limitation of users forgetting them (which is why you have longer password
policies) and you should be able to change these passwords quickly and easily in
the event there is a compromise. Doing this regularly means that there is less
chance of that compromise in the first place. I have put procedures in place in
the past where service passwords were changed daily because the services were
doing critical things with extremely powerful IDs.

Finally, run the services as localsystem or localservice or networkservice and
don't worry about passwords anymore.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
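
The replies above suggest exempting service accounts from expiry and changing their passwords by hand on a schedule. The following is an added example, not code from any poster in the thread, that checks whether those manual changes are actually happening. It assumes account records have already been exported from Active Directory with the attributes sAMAccountName, userAccountControl and pwdLastSet; the account names and the 90-day threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bit values
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert pwdLastSet (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def stale_non_expiring(accounts, now, max_age_days):
    """Return (name, age_days) for enabled accounts that never expire but
    whose password is older than max_age_days. age_days is None when
    pwdLastSet is 0 (no password change time recorded)."""
    findings = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if (uac & UF_ACCOUNTDISABLE) or not (uac & UF_DONT_EXPIRE_PASSWD):
            continue  # disabled, or still subject to the expiry policy
        if acct["pwdLastSet"] == 0:
            findings.append((acct["sAMAccountName"], None))
            continue
        age = (now - filetime_to_datetime(acct["pwdLastSet"])).days
        if age > max_age_days:
            findings.append((acct["sAMAccountName"], age))
    return findings


def to_filetime(dt):
    """Used only to build the constructed sample data below."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


# Constructed sample records (hypothetical accounts, not real data)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x10200,
     "pwdLastSet": to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "svc-sql", "userAccountControl": 0x10200,
     "pwdLastSet": to_filetime(NOW - timedelta(days=30))},
    {"sAMAccountName": "svc-old", "userAccountControl": 0x10202,
     "pwdLastSet": to_filetime(NOW - timedelta(days=900))},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x0200,
     "pwdLastSet": to_filetime(NOW - timedelta(days=500))},
    {"sAMAccountName": "svc-new", "userAccountControl": 0x10200,
     "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, age in stale_non_expiring(SAMPLE, NOW, 90):
        print(name, "no change recorded" if age is None else f"{age} days")
```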
 
