Solved

How to exempt Domain accounts used as service accounts from Password Group Policy?

Posted on 2010-09-07
Last Modified: 2012-05-10
Windows Server 2008 R2 Directory Services Domain.

Want to enable complex password policy at domain level but exclude a few domain accounts that are in use by applications (services) on a few servers.

Could someone who has done this in a Windows Server 2008 R2 Directory services domain environment enlighten me please? - Thanks
Question by:dealvis
10 Comments
 
LVL 1

Expert Comment

by:Jammet
ID: 33622238
I just made its own OU and disabled the inheritance of the policies that I do not need them to have.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 33622294
Have you checked the box in the account properties that says "Password never expires"?
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 33622311
Making an OU and disabling inheritance doesn't work with password policies. The good news here is that you are in a 2008 R2 domain. As long as your domain is at 2008 functional level or higher you can use fine grained passwords to apply different PW policies to groups/users... this could not be done in 2003.

Step by step guide http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

Thanks

Mike
0
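The fine-grained password policy approach from the accepted answer, sketched with the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2. This is an added example, not part of the thread; the group name, policy name, account names and every policy value are hypothetical placeholders to adapt.

```powershell
# Added example: all names and policy values are hypothetical placeholders.
Import-Module ActiveDirectory

$groupName = 'SvcAccounts-PSO'        # hypothetical global security group
$psoName   = 'PSO-ServiceAccounts'    # hypothetical policy (PSO) name
$svcUsers  = 'svc-app1', 'svc-app2'   # hypothetical existing service accounts

# Fine-grained policies require domain functional level 2008 or higher.
if ((Get-ADDomain).DomainMode -lt 'Windows2008Domain') {
    throw 'Domain functional level is below Windows Server 2008.'
}

# A PSO links to users or global security groups, never to an OU,
# which is why blocking GPO inheritance on an OU has no effect here.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $groupName -Members $svcUsers

# When several PSOs reach the same user, the lowest precedence number wins.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $false `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 8 `
    -PasswordHistoryCount 5 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 0 `
    -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00'

Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify: each account should report the PSO above. No output means the
# account still falls under the Default Domain Policy settings.
foreach ($user in $svcUsers) {
    Get-ADUserResultantPasswordPolicy -Identity $user |
        Select-Object @{ n = 'User'; e = { $user } }, Name, Precedence,
                      ComplexityEnabled, MinPasswordLength, MaxPasswordAge
}
```

Accounts outside the group keep the domain-wide policy, so group membership becomes the control to audit.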

Author Closing Comment

by:dealvis
ID: 33622357
The exact information I was looking for, thank you very much.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 33622372
This was a HOMEWORK QUESTION!
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 33622398
eh... maybe not... but the wording of the question looks suspiciously like one that might appear on a school question. And in general, for this purpose, I would argue that password policies are NOT appropriate since they typically involve using ADSI edit to set up.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33622413
Yeah but this is a typical question about PW policies.  The other thing is to use managed service accounts in 2008 R2...although I'm looking for that feature to be improved in the future.

0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 33622456
Multiple password policies are a necessary evil in some large businesses but they were not implemented in a friendly way and as such, should not, in my opinion, be used for things like service accounts.  Especially considering the simple checkbox that the password never expires.
0
 

Author Comment

by:dealvis
ID: 33622496
Not a "homework" question from me Gentlemen.  Looking to strengthen security on the (recently upgraded) W2K8 R2 network I am responsible to administer.  I did review W2K8 R2 Managed Service Accounts as a possible solution but one of the applications is running on W2K3 SE so no go there.  There are only 100 or so A.D. accounts and a handful of O.U.s here so I think using the "fine grained password policy feature" will be a good solution.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 33623972
In a small environment, the fine grained password policy makes LESS sense to me.  This is because you cannot EASILY manage the password policies.  
0
