Looking to enforce 60 day password changes on QuickBooks DB Manager account QBDataServiceUser23

NEMC used Ask the Experts™
Looking to enforce 60 day password changes on all AD accounts.  This includes the QuickBooks DB Manager account QBDataServiceUser23

Everything I've read suggests that this account can't be managed like a normal AD account . . . that QuickBooks does all the password management internally.

I don't think that wil work for the comliance standards we are looking to meet.

Can anyone provide some general insight as to how this account can be managed/locked down?

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
David SpigelmanPresident / CEO

That account is what's called a Service Account. You don't manage it the way you'd manage all the others, and you're looking for a world of hurt if you insist on changing its password every 60 days, or even every ever. What you should do, however, is lock down the account such that it really doesn't have the authority to do anything other than manage the Quickbooks databases. I don't even think it needs to be able to logon locally to anything. If the account can't actually access anything or even log into a console, there's just no need to change the password frequently. And I'm pretty sure that will meet most compliance issues.


Thanks for your reply David.  

Any idea what the baseline permissions are that the QB service account requires?
David SpigelmanPresident / CEO
Off the top of my head, you'd need it to have at least Read, Write & Modify on the Quickbooks database folders, on the local machine. I do recall that there is a way to restrict a user from being able to logon locally, but I can't think of how to do it right now. Maybe someone else might?

But those would be where I would start.
Top Expert 2016
deny logon locally group policy
Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment > Deny log on locally.

  1. Here are a few things to keep in mind if you decide to implement these settings:
  2. DO NOT apply them to Domain Controllers.
  3. DO NOT put the settings into either of the default GPO’s for Default Domain Policy or Default Domain Controllers Policy.
  4. Deny trumps allow. If a user is in both Allow log on locally and Deny log on locally, Deny always wins.
  5. Be on the lookout for software that creates local service accounts that need to be included in Allow Log on Locally. For instance, VMware Workstation and VMware Player have functionality that will not work unless the service account they create is included in Allow Log on Locally.
  6. Only apply these settings to sub-sets of computers and not the entire Domain.

you could also only allow logon to a specific machine (machine hosting quickbooks)


I'll start with these when I'm on site and see how it goes.

Thanks for the assistance.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial