Looking to enforce 60 day password changes on QuickBooks DB Manager account QBDataServiceUser23

Looking to enforce 60 day password changes on all AD accounts.  This includes the QuickBooks DB Manager account QBDataServiceUser23

Everything I've read suggests that this account can't be managed like a normal AD account . . . that QuickBooks does all the password management internally.

I don't think that wil work for the comliance standards we are looking to meet.

Can anyone provide some general insight as to how this account can be managed/locked down?

Thanks!
NEMCAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David SpigelmanPresident / CEOCommented:
That account is what's called a Service Account. You don't manage it the way you'd manage all the others, and you're looking for a world of hurt if you insist on changing its password every 60 days, or even every ever. What you should do, however, is lock down the account such that it really doesn't have the authority to do anything other than manage the Quickbooks databases. I don't even think it needs to be able to logon locally to anything. If the account can't actually access anything or even log into a console, there's just no need to change the password frequently. And I'm pretty sure that will meet most compliance issues.
NEMCAuthor Commented:
Thanks for your reply David.  

Any idea what the baseline permissions are that the QB service account requires?
David SpigelmanPresident / CEOCommented:
Off the top of my head, you'd need it to have at least Read, Write & Modify on the Quickbooks database folders, on the local machine. I do recall that there is a way to restrict a user from being able to logon locally, but I can't think of how to do it right now. Maybe someone else might?

But those would be where I would start.
David Johnson, CDRetiredCommented:
deny logon locally group policy
Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment > Deny log on locally.

Caveats
  1. Here are a few things to keep in mind if you decide to implement these settings:
  2. DO NOT apply them to Domain Controllers.
  3. DO NOT put the settings into either of the default GPO’s for Default Domain Policy or Default Domain Controllers Policy.
  4. Deny trumps allow. If a user is in both Allow log on locally and Deny log on locally, Deny always wins.
  5. Be on the lookout for software that creates local service accounts that need to be included in Allow Log on Locally. For instance, VMware Workstation and VMware Player have functionality that will not work unless the service account they create is included in Allow Log on Locally.
  6. Only apply these settings to sub-sets of computers and not the entire Domain.

you could also only allow logon to a specific machine (machine hosting quickbooks)

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
NEMCAuthor Commented:
I'll start with these when I'm on site and see how it goes.

Thanks for the assistance.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
QuickBooks

From novice to tech pro — start learning today.