default domain policy using force password change and service accounts

I recently took over a network that utilizes the force password GPO setting.  The force password change setting is implemented via the default domain policy.  The problem is all authenticated users receive this policy.  I assume this will cause my service accounts to be forced to change their passwords.  And will also cause my domain admins to change their password.  Should I create a new GPO and enable the setting there so I can deny the GPO settings to my service accounts and domain admins but allow for everyone else?  And then set the original setting to not configured?  Since it's currently part of the default domain GPO I'm wanting to avoid changing the permissions on it.
I am not sure the GPO would affect the service accounts but I would create the GPO on the Domain Users container anyway.

What you should do is not have that particular setting as part of the Default Domain Policy. You should have that as a separate policy linked only to the OUs where you have users. The service accounts should be in a separate OU where that policy is not linked so that it is not applied.
Just ensure the Service Accounts have the Password Never Expires flag set in AD and this should be fine. It's best practice to ensure Domain Admins and Domain Users have their password changed every 30 to 60 days.

You could however separate the user accounts, domain admin accounts and then the service accounts then apply this GPO to that OU specifically and not at the top level of the domain.

Your choice.


Asif Bacchus, I.T. Consultant, commented:
Agree with the advice given.  My approach would be to remove this policy from the Default Domain Policy and put it in a new GPO just for ease of administration.  You can then apply that new GPO wherever you need it.  I usually keep my service/proxy accounts in a separate OU for exactly the situation you are in right now.  Regardless of what you choose to do, may I suggest you filter the GPO instead of denying it.  Remember that denying overrides applying so you can accidentally get yourself in trouble by denying rights.  Filters are safer and easier to change, in my opinion.
gopher_49 (Author) commented:
Question.  Do I simply set the force policy settings to 'not configured' and then create a new GPO and enable them there?  I assume this is the correct method.  Also, will users have to reset their passwords due to the new policy being created, or will AD know the password's age and go by that?
We have the policy set in a different gpo at top level. Also AD should know the passwords age.
First create the new GPO and apply it, then set the default to not configured as you said. The passwords are already aging and it does not reset that. So yes, AD knows.
Asif Bacchus, I.T. Consultant, commented:
You're on the right track. Doing exactly what you said in your last comment is correct and will not force a reset.
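An added worked example, not part of the thread above. One caveat the thread does not state: Account Policies (maximum password age, length, history, lockout) only take effect for domain accounts from a GPO linked at the domain root; the same settings in a GPO linked to an OU govern only the local SAM of computers in that OU. So moving the setting out of Default Domain Policy into a GPO linked to a user OU will not exempt service accounts or admins. The supported way to give different groups different password rules is a fine-grained password policy (PSO), available at Windows Server 2008 domain functional level and later; the Password Never Expires flag the thread recommends still works on top of that, since it overrides any maximum age. The script below assumes the ActiveDirectory PowerShell module (RSAT / Server 2008 R2 or later), and the OU path, group name, account name 'svc-backup' and policy values are placeholders to adapt.

```powershell
# Added example (editor's, not from the thread). Assumes the ActiveDirectory
# module and a domain functional level of Windows Server 2008 or higher, which
# fine-grained password policies require. OU, group, account and values are
# placeholders; adjust before running.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$svcOU    = "OU=Service Accounts,$domainDN"   # assumed OU holding service accounts
$svcGroup = 'SvcAccounts'                      # assumed global security group of service accounts

# 1. What the domain-root GPO (Default Domain Policy) enforces today. This is the
#    policy every domain user receives unless a PSO with a lower precedence applies.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MaxPasswordAge, MinPasswordLength, PasswordHistoryCount, ComplexityEnabled

# 2. PSO for Domain Admins: stricter than the domain default (lowest precedence wins).
$adminPso = @{
    Name                        = 'PSO-DomainAdmins'
    Precedence                  = 10
    MaxPasswordAge              = (New-TimeSpan -Days 60)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MinPasswordLength           = 15
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PSO-DomainAdmins'")) {
    New-ADFineGrainedPasswordPolicy @adminPso
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-DomainAdmins' -Subjects 'Domain Admins'
}

# 3. PSO for service accounts: long secrets rotated rarely, no lockout (a lockout
#    on a service account is a self-inflicted outage). PSOs can only be applied
#    to users and global security groups, hence the group rather than the OU.
$svcPso = @{
    Name                        = 'PSO-ServiceAccounts'
    Precedence                  = 20
    MaxPasswordAge              = (New-TimeSpan -Days 365)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MinPasswordLength           = 25
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 0
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PSO-ServiceAccounts'")) {
    New-ADFineGrainedPasswordPolicy @svcPso
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects $svcGroup
}

# 4. The flag the thread recommends. UF_DONT_EXPIRE_PASSWD overrides any maximum
#    age, domain default or PSO, so restrict it to the service account OU.
Get-ADUser -SearchBase $svcOU -Filter 'Enabled -eq $true' |
    Set-ADUser -PasswordNeverExpires $true

# 5. Checks a reviewer wants: enabled accounts outside the service OU that never
#    expire (they silently escape the policy), and Domain Admins carrying the flag.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { $_.DistinguishedName -notlike "*,$svcOU" } |
    Select-Object SamAccountName, DistinguishedName, PasswordLastSet |
    Format-Table -AutoSize

Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet |
    Where-Object { $_.PasswordNeverExpires } |
    Select-Object SamAccountName, PasswordLastSet

# 6. Resultant policy per account. Get-ADUserResultantPasswordPolicy returns
#    nothing when no PSO applies, meaning the domain-root policy is in force.
#    Creating a new GPO does not touch pwdLastSet, so existing ages are kept.
foreach ($sam in 'Administrator', 'svc-backup') {     # 'svc-backup' is an assumed account
    $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties PasswordLastSet, PasswordNeverExpires
    if (-not $u) { continue }
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    $src = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
    $age = if ($pso) { $pso.MaxPasswordAge } else { (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge }
    '{0,-15} policy={1,-22} maxAge={2} neverExpires={3} lastSet={4}' -f `
        $sam, $src, $age, $u.PasswordNeverExpires, $u.PasswordLastSet
}
```

With the PSOs in place, the Account Policies section of Default Domain Policy can be left as the baseline for ordinary users (or moved to another GPO linked at the domain root with Default Domain Policy set to Not Configured, as the thread describes); step 6 is the check that each class of account ended up under the policy you intended rather than the one you assumed.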
Windows Server 2008