dealvis asked:

How to exempt Domain accounts used as service accounts from Password Group Policy?

Windows Server 2008 R2 Directory Services Domain.

Want to enable complex password policy at domain level but exclude a few domain accounts that are in use by applications (services) on a few servers.

Could someone who has done this in a Windows Server 2008 R2 Directory services domain environment enlighten me please? - Thanks
Jammet:

I just made them their own OU and disabled the inheritance of the policies that I do not need them to have.
Lee W, MVP:
Have you checked the box in the account properties that says "Password never expires"?
Mike Kline:
dealvis:


The exact information I was looking for, thank you very much.
eh... maybe not... but the wording of the question looks suspiciously like one that might appear on a school question. And in general, for this purpose, I would argue that password policies are NOT appropriate since they typically involve using ADSI edit to set up.
Yeah but this is a typical question about PW policies.  The other thing is to use managed service accounts in 2008 R2...although I'm looking for that feature to be improved in the future.

Multiple password policies are a necessary evil in some large businesses but they were not implemented in a friendly way and as such, should not, in my opinion, be used for things like service accounts.  Especially considering the simple checkbox that the password never expires.
dealvis:


Not a "homework" question from me Gentlemen.  Looking to strengthen security on the (recently upgraded) W2K8 R2 network I am responsible to administer.  I did review W2K8 R2 Managed Service Accounts as a possible solution but one of the applications is running on W2K3 SE so no go there.  There are only 100 or so A.D. accounts and a handful of O.U.s here so I think using the "fine grained password policy feature" will be a good solution.
In a small environment, the fine grained password policy makes LESS sense to me.  This is because you cannot EASILY manage the password policies.
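
The fine-grained password policy approach discussed in this thread, shown as an added example that is not part of any poster's reply: it creates a Password Settings Object (PSO) with the Windows Server 2008 R2 ActiveDirectory PowerShell module, applies it to the service accounts through a group, and checks which policy each account actually receives. The group, PSO and account names and all policy values are hypothetical placeholders.

```powershell
# Added example: names and values below are hypothetical, adjust before use.
Import-Module ActiveDirectory

$groupName = 'SvcAccounts-PSO'       # hypothetical global security group
$psoName   = 'PSO-ServiceAccounts'   # hypothetical Password Settings Object
$accounts  = @('svc-app01')          # hypothetical existing service account(s)

# Fine-grained password policies require a domain functional level of
# Windows Server 2008 or higher.
$mode = (Get-ADDomain).DomainMode
if ($mode -lt 'Windows2008Domain') {
    throw "Domain functional level is $mode; raise it before creating a PSO."
}

# A PSO is applied to users or global security groups, not to OUs,
# so the service accounts are collected in a dedicated group.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
    -Description 'Accounts covered by the service-account PSO'
Add-ADGroupMember -Identity $groupName -Members $accounts

# Illustrative settings: complexity stays on and reversible encryption is
# switched off explicitly; only the password age differs from a typical
# user policy. A lower precedence number wins if several PSOs apply.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -ReversibleEncryptionEnabled $false `
    -Description 'Password settings for application service accounts'

Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify: list what the PSO is linked to, then ask AD which policy each
# account resolves to. No result means the default domain policy applies.
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Select-Object Name, ObjectClass

foreach ($account in $accounts) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $account
    if ($null -eq $effective) {
        Write-Warning "$account falls back to the default domain policy"
    } else {
        '{0}: {1} (max age {2})' -f $account, $effective.Name, $effective.MaxPasswordAge
    }
}
```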