Excluding accounts from default domain policy
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.active_directory (More info?)
I know password policies are supposed to be applied to entire domains and
if there is a requirement fore separate policies, a new child domain is
required, but some testing I've done seemed to have contradicted that. If
you set a user’s properties to ‘password never expires’, you can overcome the
password age setting at the domain level, and it seems this affects the
password complexity requirement as well. While I’m prompted to change my
password on an account who does not have the password never expires setting
and when forced to change that password I’m also forced to adhere to the
complex password policy, I am not forced to change my password on an account
set to never expire and am therefore not required to adhere to the complexity
requirement. Kind of a loophole I suppose. Has anyone else tried using
this sort of 'fix' on accounts like service accounts?
I know password policies are supposed to be applied to entire domains and
if there is a requirement fore separate policies, a new child domain is
required, but some testing I've done seemed to have contradicted that. If
you set a user’s properties to ‘password never expires’, you can overcome the
password age setting at the domain level, and it seems this affects the
password complexity requirement as well. While I’m prompted to change my
password on an account who does not have the password never expires setting
and when forced to change that password I’m also forced to adhere to the
complex password policy, I am not forced to change my password on an account
set to never expire and am therefore not required to adhere to the complexity
requirement. Kind of a loophole I suppose. Has anyone else tried using
this sort of 'fix' on accounts like service accounts?
More about : excluding accounts default domain policy
Archived from groups: microsoft.public.win2000.active_directory (More info?)
This behaviour is by design, actually. It's a best practice to use
"password never expires" on service accounts to avoid application service
outages due to expired passwords. From an administrative standpoint, you
should make it a habit to set complex passphrases for your service accounts,
and to change them manually on a regular basis.
--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
All information provided "AS-IS", no warranties expressed or implied.
Replies to newsgroup only.
"Bill" <Bill@discussions.microsoft.com> wrote in message
news:3636BC5D-44C3-49AA-906B-3DB171478049@microsoft.com...
> I know password policies are supposed to be applied to entire domains and
> if there is a requirement fore separate policies, a new child domain is
> required, but some testing I've done seemed to have contradicted that. If
> you set a user's properties to 'password never expires', you can overcome
> the
> password age setting at the domain level, and it seems this affects the
> password complexity requirement as well. While I'm prompted to change my
> password on an account who does not have the password never expires
> setting
> and when forced to change that password I'm also forced to adhere to the
> complex password policy, I am not forced to change my password on an
> account
> set to never expire and am therefore not required to adhere to the
> complexity
> requirement. Kind of a loophole I suppose. Has anyone else tried using
> this sort of 'fix' on accounts like service accounts?
This behaviour is by design, actually. It's a best practice to use
"password never expires" on service accounts to avoid application service
outages due to expired passwords. From an administrative standpoint, you
should make it a habit to set complex passphrases for your service accounts,
and to change them manually on a regular basis.
--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
All information provided "AS-IS", no warranties expressed or implied.
Replies to newsgroup only.
"Bill" <Bill@discussions.microsoft.com> wrote in message
news:3636BC5D-44C3-49AA-906B-3DB171478049@microsoft.com...
> I know password policies are supposed to be applied to entire domains and
> if there is a requirement fore separate policies, a new child domain is
> required, but some testing I've done seemed to have contradicted that. If
> you set a user's properties to 'password never expires', you can overcome
> the
> password age setting at the domain level, and it seems this affects the
> password complexity requirement as well. While I'm prompted to change my
> password on an account who does not have the password never expires
> setting
> and when forced to change that password I'm also forced to adhere to the
> complex password policy, I am not forced to change my password on an
> account
> set to never expire and am therefore not required to adhere to the
> complexity
> requirement. Kind of a loophole I suppose. Has anyone else tried using
> this sort of 'fix' on accounts like service accounts?
Related ressources:
- ForumDefault Domain Policy
- ForumA policy to override the default domain policy ?
- ForumDomain Default Group Policy Password lockout setting
- ForumDefault Domain Policy Question
- ForumDeny Read to Default Domain Security Policy
- Forumdefault domain policy , password policy
- ForumDefault Domain Policy and auditing logons
- ForumDefault Domain Group Policy
- ForumDisabling the Default Domain Policy
- ForumRename administrator account policy affects domain admin u..
- ForumAccount policy works only at domain level
- ForumExclude Admin account from Account Locked out policy
- ForumHow do I exclude one user from the group policy regarding ..
- Forumexclude admin account in domain ou
- ForumDesktop folders do not open after default Domain policies ..
- ForumDeny policy not working
- Forumoverride domain policy ?
- Forum-help-my domain accounts are gettng LOCKED every few seconds
- ForumParallel and com ports not appearing in device manager
- ForumSetting Date Format in Group Policy
- More resources
!
