mailing list archives
RE: Changing the domain password policy
From: "Scott Ramsdell" <Scott.Ramsdell () cellnet com>
Date: Fri, 2 Feb 2007 11:56:36 -0500
You are correct. The new requirements will be enforced at the next
Because service accounts are frequently set to not expire, ensure those
passwords are long and complex, known to only who needs to know, and
documented in the appropriate location.
I always lumped my service accts into one OU. This OU was exempted from
my script that toggled 'user must change password at next login'. This
script was run when IT staff left.
A good rule to remember when creating service accounts is that vendors
lie, and their service accounts probably do not need domain admin
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Gary Collis
Sent: Thursday, February 01, 2007 2:47 PM
To: security-basics () lists securityfocus com
Subject: Changing the domain password policy
I wish to amend my windows domain policy to include passowrd complexity
and minimum length. However I have a bunch of service accounts, of which
I do not know all. These passswords are set in AD to not expire. Am I
right in thinking that the changes to the domain password policy will
not effect the accounts that have this attribute set in AD, until these
passwords are actually changed?
How do other people deal with service accounts and their adherence to
domain password policys?