There is an Audit finding by an external auditor - they found some AD accounts with no password required and asking us for justification of those. Now I know those accounts got created while application installation with "no password" and "no expiry" and used by application only. After installation password policy was setup and hence those accounts won't meet the password policy. Those accounts are just member of Domain User group and no one can use those accounts to access any server on domain. Is there any way I can provide evidence to auditor that those accounts are not vulnerable?