Solved

default domain policy using force password change and service accounts

Posted on 2014-11-02
8
222 Views
Last Modified: 2014-11-05
I recently took over a network that utilizes the force password GPO setting.  The force password change setting is implemented via the default domain policy.  The problem is all authenticated users receive this policy.  I assume this will cause my service accounts to be forced to change their passwords.  And..  Will also cause my domain admins to change their password.  Should I create a new GPO and enable the setting there so I can deny the GPO settings to my service accounts and domain admins but allow for everyone else?  And then set the original setting to not configured?  Since it's currently part of the default domain GPO I'm wanting to void changing the permissions on it.
0
Comment
Question by:gopher_49
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +2
8 Comments
 
LVL 2

Expert Comment

by:BMarden
ID: 40418300
I am not sure the GPO would affect the service accounts but I would create the GPO on the Domain Users container anyway.

MB
0
 
LVL 8

Assisted Solution

by:tshearon
tshearon earned 250 total points
ID: 40418308
What you should do is not have that particular setting as part of the Default Domain Policy. You should have that as a separate policy linked only to the OUs where you have users. The service accounts should be in a separate OU where that policy is not linked so that it is not applied.
0
 
LVL 13

Accepted Solution

by:
Rizzle earned 250 total points
ID: 40418311
Just ensure the Service Accounts have the Password Never Expire marker in AD and this should be fine. It's best practice to ensure Domain Admins and Domain users have their password changed every 30 to 60 days.

You could however separate the user accounts, domain admin accounts and then the service accounts then apply this GPO to that OU specifically and not at the top level of the domain.

Your choice.

Roshan.
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 6

Expert Comment

by:Asif Bacchus
ID: 40418655
Agree with the advice given.  My approach would be to remove this policy from the Default Domain Policy and put it in a new GPO just for ease of administration.  You can then apply that new GPO wherever you need it.  I usually keep my service/proxy accounts in a separate OU for exactly the situation you are in right now.  Regardless of what you choose to do, may I suggest you filter the GPO instead of denying it.  Remember that denying overrides applying so you can accidentally get yourself in trouble by denying rights.  Filters are safer and easier to change, in my opinion.
0
 

Author Comment

by:gopher_49
ID: 40418846
Question.  Do I simply set the force policy settings to 'not configured' and then get a new GPO and enable them there?  I assume this is the correct method..  Also.  Will users have to reset their pw's due to the new policy being created or will AD know the password's age and will go by that?
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40418873
We have the policy set in a different gpo at top level. Also AD should know the passwords age.
0
 
LVL 8

Expert Comment

by:tshearon
ID: 40419264
First create the new GPO and apply it then set the default to not configure as you said. The passwords already are aging and it's does not reset that. So yes, AD knows.
0
 
LVL 6

Expert Comment

by:Asif Bacchus
ID: 40420616
You're on the right track. Doing exactly what you said in your last comment is correct and will not force a reset.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question