mailing list archives
Re: Changing the domain password policy
From: krymson () gmail com
Date: 2 Feb 2007 18:55:30 -0000
1. You could try to look into your AD event logs and check for Successful logons for the domain admin account.
2. Every time you identify a service using the domain admin account, replace it with a different account that is part
of the domain admins group. You want accounts separated as much as possible, and you can then later evaluate whether
that one service even needs domain admin level access. One service/function for one domain admin level account.
3. After you change the domain admin account, closely monitor server event logs for failed logons to the domain admin
account. This should indicate the source and that there is something out there still trying to use the old password.
You want to catch downed services before your users or management come looking for you.
4. Policy should dictate very complex passwords for domain admin level accounts. You want non-dictionary words, 16+
characters, and mixed alphanumerics and cases and special characters. You don't necessarily have to regularly change
service passwords as perhaps the business interruption is not worth the password change, but you really should still be
aware of what services are out there, what account they use, and limit them as much as possible (maybe run as a
privileged normal domain user?). The root domain admin account should be used as little as possible and the password
5. If you do want to still rotate and change passwords for services, look at your inventory and set up a reminder to
change passwords. I would avoid setting an expiration date for service accounts that you aren't really sure when they
will be removed. Besides, if you're a day late and the account is locked, your business may be threatened.
6. You really should have different standards for different account types. The root domain admin account is one type
all by itself. Any other accounts in the domain admins group should be another. All service accounts should be another.
And lastly your regular domain user accounts. While you can, and should, use AD policy to force complexity for domain
user accounts, you really want to practice more complex passwords for the other types.
While the biggest thing to do is make sure you know your environment and what service accounts are used where,
eventually you'll find yourself stuck and you just need to make the change and deal with what breaks.
<- snip ->
Time has come to change the domain admin password. Unfortunately this is
used (hardcoded?) across the network in lots of different places,
services, virus downloads etc. Does anyone know of a way for me to audit
the admin account so I can see where it is currently in use?
Has anyone got any other tips for changing the domain admin password
without lots of pain?
I wish to amend my windows domain policy to include password complexity
and minimum length. However I have a bunch of service accounts, of which
I do not know all. These passwords are set in AD to not expire. Am I
right in thinking that the changes to the domain password policy will
not affect the accounts that have this attribute set in AD, until these
passwords are actually changed?
How do other people deal with service accounts and their adherence to
domain password policies?
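One way to carry out steps 1 and 3 of the reply above (and to answer the audit question in the quoted message) on the Security event log: an added PowerShell example, not from the original thread. It assumes Get-WinEvent and the 4624/4625 event IDs of Windows Vista/2008 and later, and the account name and computer list are placeholders to replace.

```powershell
# Added example (not from the original thread): list where a privileged account
# is logging on so the services still using it can be inventoried before the
# password change (4624 successes) and traced after it (4625 failures).
# Assumes the Security log event IDs of Windows Vista/2008 and later; run as an
# administrator against each domain controller and member server in $Computers.
$Account   = 'Administrator'          # assumption: the account being rotated
$Hours     = 24
$Computers = @($env:COMPUTERNAME)     # assumption: extend with your DCs/servers
$since     = (Get-Date).AddHours(-$Hours)

function Get-LogonsForAccount {
    param([string]$Computer, [int]$EventId)
    $filter = @{ LogName = 'Security'; Id = $EventId; StartTime = $since }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Pull the named EventData fields out of the event's XML body.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -eq $Account) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Server      = $Computer
                EventId     = $EventId
                LogonType   = $d['LogonType']      # 5 = service, 4 = batch, 3 = network
                Source      = $d['IpAddress']
                Workstation = $d['WorkstationName']
                Process     = $d['ProcessName']
            }
        }
      }
}

# Before the change: successful logons are the inventory of where the account is used.
$ok  = foreach ($c in $Computers) { Get-LogonsForAccount -Computer $c -EventId 4624 }
$ok  | Group-Object Server, LogonType, Source, Process |
       Select-Object Count, Name | Sort-Object Count -Descending

# After the change: failed logons point at whatever still holds the old password.
$bad = foreach ($c in $Computers) { Get-LogonsForAccount -Computer $c -EventId 4625 }
$bad | Group-Object Server, Source, Workstation |
       Select-Object Count, Name | Sort-Object Count -Descending
```

Logon type 5 (service) and 4 (batch) entries are the ones to chase down first, since they are services and scheduled tasks holding the password; network logons from unexpected sources are the hardcoded uses the original poster was asking about.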