We performed an audit of our active directory users last year. We found a significant number of them had non-expiring passwords. Some of those accounts had a reasonably valid business case for non-expiry; others didn’t (or couldn’t be justified).
Some of the accounts were cleaned up and were made to have passwords that expire in line with the policy (i.e. the password never expires checkbox was taken off). It would appear before, anyone who moaned would get their account made exempt from password expiry. Nowadays I don’t believe that to be true, but what piece of evidence could an AD administrator or IT manager give an audit team to say non expiring passwords aren’t given out as they used to be, we’ve cleaned our act up in this area. Do you have policies on this topic, i.e. acceptable rules for non-expiring passwords, how does it work? Or do rules on exemptions in AD fall into a specific document/policy, if so which?
Flaky evidence such as “we don’t create accounts with non expiring passwords anymore” doesn’t fill me with confidence that this thing is controlled. I wonder if there is typically something more formal that would be a better assurance piece.