Solved

How to exempt Domain accounts used as service accounts from Password Group Policy?

Posted on 2010-09-07
10
1,520 Views
Last Modified: 2012-05-10
How to exempt Domain accounts used as service accounts from Password Group Policy?

Windows Server 2008 R2 Directory Services Domain.

Want to enable complex password policy at domain level but exclude a few domain accounts that are in use by applications (services) on a few servers.

Could someone who has done this in a Windows Server 2008 R2 Directory services domain environment enlighten me please? - Thanks
0
Comment
Question by:dealvis
  • 5
  • 2
  • 2
  • +1
10 Comments
 
LVL 1

Expert Comment

by:Jammet
ID: 33622238
I just made its own OU and disable the inheritance of the policies that I do not need them to have.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622294
Have you checked the box in the account properties that says "Password never expires"?
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 33622311
Making an OU and disabling inheritance doesn't work with password policies.   The good news here is that  you are in a 2008 R2 domain.  As long as your domain is at 2008 functional level or higher you can use fine grained passwords to apply different PW policies to groups/users....this could not be done in 2003.

Step by step guide http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

Thanks

Mike
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Closing Comment

by:dealvis
ID: 33622357
The exact information I was looking for, thank you very much.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622372
This was a HOMEWORK QUESTION!
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622398
eh... maybe not... but the wording of the question looks suspiciously like one that might appear on a school question.  And in general, for this purpose, I would argue that password policies are NOT appropriate since they typically involve using ADSI edit to setup.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33622413
Yeah but this is a typical question about PW policies.  The other thing is to use managed service accounts in 2008 R2...although I'm looking for that feature to be improved in the future.

0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622456
Multiple password policies are a necessary evil in some large businesses but they were not implemented in a friendly way and as such, should not, in my opinion, be used for things like service accounts.  Especially considering the simple checkbox that the password never expires.
0
 

Author Comment

by:dealvis
ID: 33622496
Not a "homework" question from me Gentlemen.  Looking to strengthen security on the (recently upgraded) W2K8 R2 network I am responsible to administer.  I did review W2K8 R2 Managed Service Accounts as a possible solution but one of the applications is running on W2K3 SE so no go there.  There are only 100 or so A.D. accounts and a handful of O.U.s here so I think using the "fine grained password policy feature" will be a good solution.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33623972
In a small environment, the fine grained password policy makes LESS sense to me.  This is because you cannot EASILY manage the password policies.  
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question