Solved

How to exempt Domain accounts used as service accounts from Password Group Policy?

Posted on 2010-09-07
10
1,466 Views
Last Modified: 2012-05-10
Windows Server 2008 R2 Directory Services Domain.

Want to enable complex password policy at domain level but exclude a few domain accounts that are in use by applications (services) on a few servers.

Could someone who has done this in a Windows Server 2008 R2 Directory services domain environment enlighten me please? - Thanks
Question by:dealvis
10 Comments
 
LVL 1

Expert Comment

by:Jammet
ID: 33622238
I just made them their own OU and disabled the inheritance of the policies that I do not need them to have.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622294
Have you checked the box in the account properties that says "Password never expires"?
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 33622311
Making an OU and disabling inheritance doesn't work with password policies. The good news here is that you are in a 2008 R2 domain. As long as your domain is at 2008 functional level or higher you can use fine-grained password policies to apply different PW policies to groups/users. This could not be done in 2003.

Step by step guide http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

Thanks

Mike
0
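The approach in the accepted answer, worked through as an added example that is not from the thread: a password settings object (PSO) created with the Active Directory PowerShell module that ships with Windows Server 2008 R2 (instead of ADSI Edit), linked to a global security group holding the service accounts, then checked with the resultant-policy cmdlet. The group, PSO, OU path and account names below are placeholders, and the policy values are illustrative choices, not the thread's.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (RSAT or a 2008 R2 DC) and a domain functional level of 2008 or higher.
Import-Module ActiveDirectory

# 1. A global security group for the service accounts. PSOs apply to users or
#    global security groups, never to OUs, which is why moving the accounts to
#    their own OU and blocking inheritance has no effect on password policy.
New-ADGroup -Name 'SvcAccounts' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Service Accounts,DC=example,DC=com' `
    -Description 'Accounts covered by the service-account password policy'

# 2. The PSO. Long generated secrets and a long (but finite) rotation period
#    instead of "Password never expires"; lower Precedence wins if several
#    PSOs apply to the same user. The Default Domain Policy values only apply
#    to users that no PSO covers.
$pso = @{
    Name                        = 'PSO-ServiceAccounts'
    Precedence                  = 10
    ComplexityEnabled           = $true
    MinPasswordLength           = 25
    MaxPasswordAge              = (New-TimeSpan -Days 365)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    PasswordHistoryCount        = 24
    LockoutThreshold            = 10
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false
    Description                 = 'Password policy for application service accounts'
}
New-ADFineGrainedPasswordPolicy @pso

# 3. Link the PSO to the group and put a service account into that group.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'SvcAccounts'
Add-ADGroupMember -Identity 'SvcAccounts' -Members 'svc_backup'

# 4. Verify which policy actually wins for the account. The cmdlet returns
#    nothing when no PSO applies, i.e. the account still gets the domain default.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'svc_backup'
if ($null -eq $effective) {
    Write-Warning 'svc_backup is not covered by any PSO; the Default Domain Policy applies.'
} else {
    $effective | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
}
```

Run the last step for every service account after the change; membership of the group, not the account's OU, is what determines whether the PSO applies.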
 

Author Closing Comment

by:dealvis
ID: 33622357
The exact information I was looking for, thank you very much.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622372
This was a HOMEWORK QUESTION!
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622398
eh... maybe not... but the wording of the question looks suspiciously like one that might appear on a school question. And in general, for this purpose, I would argue that password policies are NOT appropriate since they typically involve using ADSI Edit to set up.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33622413
Yeah, but this is a typical question about PW policies. The other thing is to use managed service accounts in 2008 R2... although I'm looking for that feature to be improved in the future.

0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622456
Multiple password policies are a necessary evil in some large businesses but they were not implemented in a friendly way and as such, should not, in my opinion, be used for things like service accounts.  Especially considering the simple checkbox that the password never expires.
0
 

Author Comment

by:dealvis
ID: 33622496
Not a "homework" question from me, Gentlemen. Looking to strengthen security on the (recently upgraded) W2K8 R2 network I am responsible for administering. I did review W2K8 R2 Managed Service Accounts as a possible solution, but one of the applications is running on W2K3 SE, so no go there. There are only 100 or so A.D. accounts and a handful of O.U.s here, so I think using the "fine-grained password policy" feature will be a good solution.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33623972
In a small environment, the fine-grained password policy makes LESS sense to me. This is because you cannot EASILY manage the password policies.
0
