Solved

How to exempt Domain accounts used as service accounts from Password Group Policy?

Posted on 2010-09-07
10
1,492 Views
Last Modified: 2012-05-10
How to exempt Domain accounts used as service accounts from Password Group Policy?

Windows Server 2008 R2 Directory Services Domain.

Want to enable complex password policy at domain level but exclude a few domain accounts that are in use by applications (services) on a few servers.

Could someone who has done this in a Windows Server 2008 R2 Directory services domain environment enlighten me please? - Thanks
0
Comment
Question by:dealvis
  • 5
  • 2
  • 2
  • +1
10 Comments
 
LVL 1

Expert Comment

by:Jammet
ID: 33622238
I just made its own OU and disable the inheritance of the policies that I do not need them to have.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622294
Have you checked the box in the account properties that says "Password never expires"?
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 33622311
Making an OU and disabling inheritance doesn't work with password policies.   The good news here is that  you are in a 2008 R2 domain.  As long as your domain is at 2008 functional level or higher you can use fine grained passwords to apply different PW policies to groups/users....this could not be done in 2003.

Step by step guide http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

Thanks

Mike
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Closing Comment

by:dealvis
ID: 33622357
The exact information I was looking for, thank you very much.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622372
This was a HOMEWORK QUESTION!
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622398
eh... maybe not... but the wording of the question looks suspiciously like one that might appear on a school question.  And in general, for this purpose, I would argue that password policies are NOT appropriate since they typically involve using ADSI edit to setup.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33622413
Yeah but this is a typical question about PW policies.  The other thing is to use managed service accounts in 2008 R2...although I'm looking for that feature to be improved in the future.

0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33622456
Multiple password policies are a necessary evil in some large businesses but they were not implemented in a friendly way and as such, should not, in my opinion, be used for things like service accounts.  Especially considering the simple checkbox that the password never expires.
0
 

Author Comment

by:dealvis
ID: 33622496
Not a "homework" question from me Gentlemen.  Looking to strengthen security on the (recently upgraded) W2K8 R2 network I am responsible to administer.  I did review W2K8 R2 Managed Service Accounts as a possible solution but one of the applications is running on W2K3 SE so no go there.  There are only 100 or so A.D. accounts and a handful of O.U.s here so I think using the "fine grained password policy feature" will be a good solution.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33623972
In a small environment, the fine grained password policy makes LESS sense to me.  This is because you cannot EASILY manage the password policies.  
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question