Solved

non expiring passwords

Posted on 2013-12-02
Last Modified: 2013-12-17
Can you give some examples of the types of accounts that you typically exempt from domain password expiry policies - with reasons why making them change password every XYZ days is not practical.
Question by:pma111
8 Comments
 
LVL 35

Assisted Solution

by:Dan Craciun
Dan Craciun earned 336 total points
ID: 39689495
Mostly accounts for senior officers that have the power to fire you and are annoyed to have to change their password that they use on *all* the sites.

Reason why it's not practical: self-preservation :)
0
 
LVL 3

Assisted Solution

by:cristiantm
cristiantm earned 336 total points
ID: 39689529
I'm not a big fan of requiring people to change their passwords frequently at all. The biggest reason is that if people need to always remember a new password, they will probably want to make it easier to remember, and that probably means it will be weak. It's OK to make some effort to remember a complex password that you will be using for a long time, but it is very annoying if, when you finally manage to memorize it, it needs to be changed.

If you need strong password protection, maybe you should be thinking about alternatives (2nd factor, authentication tokens, etc.). Maybe enforce stronger passwords + some training (tips on how to create a strong password that is also easy to remember), suggest password managers, and so on. I would suggest the other way around: start to think why and where you NEED password expiration, where you do not have better options, and so on.

If security becomes intrusive and annoying, sooner or later it will become insecurity. It should be as transparent as possible.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 332 total points
ID: 39689574
Passwords used for service accounts - accounts used to run services and/or batch processes - are normally exempted, since the services/batch jobs would fail if the password expired. It would be tedious in the extreme to edit all the services/jobs to change the password in such cases.
0
 
LVL 28

Assisted Solution

by:jhyiesla
jhyiesla earned 332 total points
ID: 39689724
Basically I don't. We are under government regulations that require every user to have a unique user ID and a password that expires every so often. Ours expire every 90 days. This policy is enforced from the CEO on down.

Having said that, we do have a few accounts with non-expiring passwords. These fall into two groups. One would be IDs that are shared by several people as email repositories for automated processes. These accounts have no access to protected data and cannot send out emails. The other one occurs when in the past we have brought on new companies and their users need access to certain resources we have but have no direct access to the network in order to change their passwords. These accounts are set up with non-expiring passwords, but as soon as the transition to our company is complete, those are changed to expiring passwords.
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 39690551
Here you have to balance your environment's security against minimising your effort.
What I would recommend is that you may exclude service accounts or generic accounts, if any are being used; apart from that, users should be required to change the password every 90 days with a password history of 4-5 remembered, and Domain Admins and Enterprise Admins should be changed once in 30 days with a password history of 10, as these are sensitive accounts.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39690649
Just to add a bit more to my comments on service accounts, it's also worth mentioning that with Server 2008 and later you have a new type of account called 'Managed Service Accounts', where the passwords are managed automatically; see http://technet.microsoft.com/en-us/library/dd367859(v=ws.10).aspx
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 332 total points
ID: 39692274
In addition, you can deploy a different password policy for top-level management with Fine-Grained Password Policies: http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

There are certain APPLICATIONS, SERVICES, SCRIPTS, GROUP POLICY (e.g. a drive mapped with credentials), etc. which are normally excluded from password expiry policy. If the password is changed and the same is not taken care of, it can lead to account lockout.
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 332 total points
ID: 39694133
Joining in to comment on the "senior-officers-thought".
The more important staff usually has access to enterprise-critical data. These accounts should not be handled less strictly, come on. "they are able to fire you" *shiver*.... ;)

The question should not be why some here typically use non-expiring pw accounts, it should be why people typically don't.

Let's start with the asker :) pma111, why are you asking, what would you achieve by starting to use accounts whose passwords don't expire?
For reasons given before, service accounts/task accounts don't need non-expiring passwords any more.
0
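
A read-only audit of the accounts this thread is about, added here as an example; it is not code from any of the participants. It assumes the RSAT ActiveDirectory PowerShell module and read access to the domain; the 90-day threshold is the interval mentioned in the thread, and the category labels and output file name are hypothetical.

```powershell
# Added example: list enabled accounts whose passwords never expire,
# with password age and a rough category to guide the review.
Import-Module ActiveDirectory

$maxAgeDays = 90   # assumption: the 90-day interval quoted in the thread

$props = 'PasswordNeverExpires', 'PasswordLastSet', 'LastLogonDate',
         'ServicePrincipalNames', 'adminCount', 'Description'

$report = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties $props |
    ForEach-Object {
        # PasswordLastSet is empty when the password has never been set
        $ageDays = $null
        if ($_.PasswordLastSet) {
            $ageDays = [int]((Get-Date) - $_.PasswordLastSet).TotalDays
        }

        # adminCount = 1 marks accounts that are (or once were) members of
        # protected groups; an SPN usually indicates a service account.
        if ($_.adminCount -eq 1) {
            $category = 'Privileged'
        } elseif ($_.ServicePrincipalNames.Count -gt 0) {
            $category = 'Service (has SPN)'
        } else {
            $category = 'Review: user or shared account'
        }

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Category        = $category
            PasswordAgeDays = $ageDays
            OverThreshold   = ($null -eq $ageDays) -or ($ageDays -gt $maxAgeDays)
            LastLogonDate   = $_.LastLogonDate
            Description     = $_.Description
        }
    }

# Oldest passwords first within each category
$report | Sort-Object Category, @{ Expression = 'PasswordAgeDays'; Descending = $true } |
    Format-Table -AutoSize
$report | Export-Csv -Path .\non-expiring-accounts.csv -NoTypeInformation
```

Accounts in the "Service (has SPN)" category are the candidates for the Managed Service Accounts mentioned above; anything marked "Privileged" with a non-expiring password deserves the first look.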
