Solved

How to exempt Domain accounts used as service accounts from Password Group Policy?

Posted on 2010-09-07
Last Modified: 2012-05-10

Windows Server 2008 R2 Directory Services Domain.

Want to enable complex password policy at domain level but exclude a few domain accounts that are in use by applications (services) on a few servers.

Could someone who has done this in a Windows Server 2008 R2 Directory services domain environment enlighten me please? - Thanks
Question by:dealvis
10 Comments
 
LVL 1

Expert Comment

by:Jammet
ID: 33622238
I just made its own OU and disabled the inheritance of the policies that I do not need them to have.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622294
Have you checked the box in the account properties that says "Password never expires"?
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 33622311
Making an OU and disabling inheritance doesn't work with password policies. The good news here is that you are in a 2008 R2 domain. As long as your domain is at 2008 functional level or higher you can use fine grained passwords to apply different PW policies to groups/users... this could not be done in 2003.

Step by step guide http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

Thanks

Mike
0
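As an added example (not part of the original thread or the linked TechNet guide), this is the fine-grained password policy approach from the accepted answer, done with the ActiveDirectory PowerShell module on Windows Server 2008 R2 rather than ADSI Edit. The group, policy and account names and every policy value are hypothetical samples to adjust.

```powershell
# Added example: names (PSO-ServiceAccounts, GG-ServiceAccounts, svc-app01)
# and all policy values are hypothetical samples.
Import-Module ActiveDirectory

# Password Settings Objects (PSOs) need domain functional level 2008 or higher.
$mode = "$((Get-ADDomain).DomainMode)"
$tooOld = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
if ($tooOld -contains $mode) {
    throw "Domain functional level '$mode' does not support fine-grained password policies."
}

# A PSO applies to users or global security groups, never to an OU,
# so collect the service accounts in a dedicated global group.
$groupName = 'GG-ServiceAccounts'
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $groupName -Members 'svc-app01'

# A separate policy for service accounts does not have to be a weaker one:
# here the minimum length is long and the rotation interval is a sample value.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 25 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '0.00:00:00' `
    -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 0 `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true
# -LockoutThreshold 0 disables lockout for these accounts, so repeated bad
# logons cannot stop the service; the long password carries the load instead.
# When several PSOs reach the same user, the lowest -Precedence number wins.

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects $groupName

# Verify: report the policy that actually applies to each member.
# No resultant PSO means the account is still under the domain password policy.
foreach ($member in Get-ADGroupMember -Identity $groupName) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName
    if ($pso) {
        '{0}: {1} (min length {2})' -f $member.SamAccountName, $pso.Name, $pso.MinPasswordLength
    } else {
        '{0}: no PSO applies, default domain policy in effect' -f $member.SamAccountName
    }
}
```

A new password policy is only enforced at the next password change, so an existing service account keeps its current password until it is reset.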
 

Author Closing Comment

by:dealvis
ID: 33622357
The exact information I was looking for, thank you very much.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622372
This was a HOMEWORK QUESTION!
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622398
eh... maybe not... but the wording of the question looks suspiciously like one that might appear on a school question.  And in general, for this purpose, I would argue that password policies are NOT appropriate since they typically involve using ADSI edit to set up.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33622413
Yeah but this is a typical question about PW policies.  The other thing is to use managed service accounts in 2008 R2...although I'm looking for that feature to be improved in the future.

0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622456
Multiple password policies are a necessary evil in some large businesses but they were not implemented in a friendly way and as such, should not, in my opinion, be used for things like service accounts.  Especially considering the simple checkbox that the password never expires.
0
 

Author Comment

by:dealvis
ID: 33622496
Not a "homework" question from me Gentlemen.  Looking to strengthen security on the (recently upgraded) W2K8 R2 network I am responsible to administer.  I did review W2K8 R2 Managed Service Accounts as a possible solution but one of the applications is running on W2K3 SE so no go there.  There are only 100 or so A.D. accounts and a handful of O.U.s here so I think using the "fine grained password policy feature" will be a good solution.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33623972
In a small environment, the fine grained password policy makes LESS sense to me.  This is because you cannot EASILY manage the password policies.  
0
