Sign in with
Sign up | Sign in
Your question

Excluding accounts from default domain policy

Last response: in Windows 2000/NT
Share
February 7, 2005 9:41:06 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I know password policies are supposed to be applied to entire domains and
if there is a requirement fore separate policies, a new child domain is
required, but some testing I've done seemed to have contradicted that. If
you set a user’s properties to ‘password never expires’, you can overcome the
password age setting at the domain level, and it seems this affects the
password complexity requirement as well. While I’m prompted to change my
password on an account who does not have the password never expires setting
and when forced to change that password I’m also forced to adhere to the
complex password policy, I am not forced to change my password on an account
set to never expire and am therefore not required to adhere to the complexity
requirement. Kind of a loophole I suppose. Has anyone else tried using
this sort of 'fix' on accounts like service accounts?
Anonymous
February 7, 2005 12:47:56 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

This behaviour is by design, actually. It's a best practice to use
"password never expires" on service accounts to avoid application service
outages due to expired passwords. From an administrative standpoint, you
should make it a habit to set complex passphrases for your service accounts,
and to change them manually on a regular basis.

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
All information provided "AS-IS", no warranties expressed or implied.
Replies to newsgroup only.
"Bill" <Bill@discussions.microsoft.com> wrote in message
news:3636BC5D-44C3-49AA-906B-3DB171478049@microsoft.com...
> I know password policies are supposed to be applied to entire domains and
> if there is a requirement fore separate policies, a new child domain is
> required, but some testing I've done seemed to have contradicted that. If
> you set a user's properties to 'password never expires', you can overcome
> the
> password age setting at the domain level, and it seems this affects the
> password complexity requirement as well. While I'm prompted to change my
> password on an account who does not have the password never expires
> setting
> and when forced to change that password I'm also forced to adhere to the
> complex password policy, I am not forced to change my password on an
> account
> set to never expire and am therefore not required to adhere to the
> complexity
> requirement. Kind of a loophole I suppose. Has anyone else tried using
> this sort of 'fix' on accounts like service accounts?
!