Educause Security Discussion
mailing list archives
Re: Active Directory Password Policy for functional accounts?
From: "Fowler, Stephen" <steve.fowler () OREGONSTATE EDU>
Date: Sat, 8 Dec 2012 00:37:37 +0000
If you're looking for an application, rather than scripting something I've found that the ADInfo tool from
(http://www.cjwdev.co.uk/) allows me to run a report that not only contains the last logon, but also whether the "User
cannot change password" is set, the last bad password date, the parent container/ou path, and much more. The free
version has lots of canned queries, but the for fee version will allow you to do customized reports.
They also have a free application, ADTidy, that just searches on last logon attribute.
If you're running Windows 2008 R2 you may also want to look into Managed Service Accounts. They are a special type of
domain account in Windows Server 2008 R2 that can be used to run Windows services, but unlike normal domain accounts
you don't have to keep changing the password to keep things secure - Active Directory will take care of managing the
password for you and communicating this with the computer that is using the Managed Service Account (you don't even
have to restart the services for the password change to take effect. The reason I mention it is that CJWDev has a free
gui tool that helps create, install and uninstall MSAs so you don't have to use powershell.
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Monday, December 03, 2012 7:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Active Directory Password Policy for functional accounts?
You can use the LastLogon attribute for the housecleaning aspect and disable accounts that haven't logged in for X days.
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rick
Sent: Monday, December 03, 2012 6:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Active Directory Password Policy for functional accounts?
We are wondering what other higher education institutions are doing with their functional accounts in active directory.
The functional accounts are for service purposes that we implemented 180 days password policy but service could break
after the password expires - some are asking to enable "password never expires" (PNE) on these accounts.
Other question is if we enable PNE on accounts, how do you keep track of which accounts are being in use or not for
"housekeeping" to keep our active directory clean?