Password Complexity - Exclude Service Accounts
- Hi,
Our domain has no password complexity requirements group policy setting configured.
For obvious security reasons I am about to create a new GPO at the domain level and configure the need for password complexity (30 day expiration, strong password, etc.).
I am aware that this policy has to be set at domain level and will apply to all accounts in the domain.
My question is, how can I ensure this policy does not apply to my service accounts? i.e. backup account, domain administrator, DNS DHCP credentials account, etc.
Many thanks
Shazz
All Replies
- Hi Shazz,
The password policy is a computer setting. If you are using a Windows Server 2003 domain or earlier, the policy can only be set at the domain level, which will take effect on all computers on the domain, including domain controllers, and will therefore impact all accounts. There is no way to directly exclude users.
One possible workaround is to prevent those passwords from expiring (since the policy is only applied during password changes). If you need to change those passwords regularly, you can do it on a scheduled basis and turn off the complexity during the password change process.
Alternatively, if your domain is Windows 2008 functional level or higher, you can use fine grained password policies to create a separate policy for those accounts only.
Guy
- Proposed As Answer by Jorge Mederos, Thursday, November 19, 2009 2:26 AM
- Marked As Answer by Mervyn Zhang (MSFT, Moderator), Monday, November 23, 2009 9:46 AM
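Guy's second option, a fine grained password policy (PSO) for the service accounts only, looks like this from PowerShell. This is an added example, not code from the thread; it assumes a Windows Server 2008 (or later) domain functional level, the ActiveDirectory PowerShell module (Server 2008 R2 RSAT or later), and hypothetical names: the global group SvcAccounts-PSO, the accounts svc_backup and svc_dhcp, and the PSO PSO-ServiceAccounts. It also assumes that "never expires" is stored in msDS-MaximumPasswordAge as the most negative 64-bit integer, which is what the AD tools write when maximum password age is not enforced.

```powershell
# Added example (not from the original thread): exempt service accounts from the domain
# password policy with a Fine-Grained Password Policy (PSO) instead of clearing expiry
# per account. Assumes a Windows Server 2008 (or later) domain functional level, the
# ActiveDirectory PowerShell module, and hypothetical names: the global group
# "SvcAccounts-PSO", the accounts svc_backup / svc_dhcp, and the PSO "PSO-ServiceAccounts".
Import-Module ActiveDirectory

$group = 'SvcAccounts-PSO'        # assumed group the PSO is applied to
$pso   = 'PSO-ServiceAccounts'    # assumed PSO name

# 1. PSOs apply to users or global security groups; a group keeps membership reviewable.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
                -Description 'Service accounts covered by PSO-ServiceAccounts'
}
Add-ADGroupMember -Identity $group -Members 'svc_backup', 'svc_dhcp'

# 2. The PSO keeps complexity and a long minimum length (a service account never types
#    its password, so length costs nothing) and will have expiry disabled below.
#    Lower Precedence wins when a user is covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name $pso -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 25 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge ([TimeSpan]::FromDays(1)) `
    -MaxPasswordAge ([TimeSpan]::FromDays(3650)) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow ([TimeSpan]::FromMinutes(30)) `
    -LockoutDuration ([TimeSpan]::FromMinutes(30)) `
    -ReversibleEncryptionEnabled $false

# "Never expires" is not a TimeSpan: AD stores it in msDS-MaximumPasswordAge as the most
# negative 64-bit integer (assumed here; it is what the AD tools write when maximum
# password age is not enforced), so it is set on the object directly.
$psoObj = Get-ADFineGrainedPasswordPolicy -Identity $pso
Set-ADObject -Identity $psoObj.DistinguishedName -Replace @{ 'msDS-MaximumPasswordAge' = [Int64]::MinValue }

# 3. Bind the PSO to the group.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group

# 4. Verify the resultant policy per member: it should name the PSO, not fall back to
#    the Default Domain Policy (Get-ADUserResultantPasswordPolicy returns nothing then).
foreach ($m in Get-ADGroupMember -Identity $group) {
    $eff = Get-ADUserResultantPasswordPolicy -Identity $m.SamAccountName
    [pscustomobject]@{
        Account         = $m.SamAccountName
        EffectivePolicy = if ($eff) { $eff.Name } else { 'Default Domain Policy' }
        Precedence      = if ($eff) { $eff.Precedence } else { $null }
    }
}
```

Step 4 is the check worth keeping: a PSO only takes effect for direct members of a user or global group it is bound to, so an account that was added to a nested group, or that is covered by a second PSO with a lower precedence number, will still show the other policy here. Everything the PSO leaves untouched (complexity, minimum length, lockout) keeps applying to those accounts, which is the point of using a PSO rather than exempting them from the policy entirely.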
- Hi Guy,
The domain is Server 2003.
I don't want the passwords for the service accounts to ever expire or need to be changed.
So if I enable the password complexity for the domain, then on the individual service accounts tick the box on their profile in AD for "password never expires", will that mean that these accounts will be exempt from ever needing to be changed again? (provided they meet the other requirements)
Thanks
Shazz
- Correct, if you check the 'Password Never Expires' box, the passwords will never need to be changed. The rest of the elements of the password policy are only evaluated when a password is changed, so they won't ever apply to the service accounts.
Guy
- Marked As Answer by ShazzAus, Friday, November 20, 2009 1:50 AM
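The per-account route Guy confirms above (tick "Password never expires") can be applied and, more importantly, audited from PowerShell. Because, as he notes, the complexity policy is only evaluated when a password is changed, any account whose password was last set before the GPO took effect has never been checked against it. This is an added example, not code from the thread; it assumes the ActiveDirectory module (Server 2008 R2 RSAT or later, so not available on a bare 2003 domain controller), the hypothetical account names svc_backup and svc_dhcp, and a hypothetical date on which the complexity GPO took effect.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory module,
# hypothetical account names (svc_backup, svc_dhcp) and a hypothetical policy date.
Import-Module ActiveDirectory

$serviceAccounts  = 'svc_backup', 'svc_dhcp'    # assumed names
$policyEnforcedOn = Get-Date '2009-11-20'       # assumed date the complexity GPO took effect

# 1. Exempt the named service accounts from expiry. This sets the DONT_EXPIRE_PASSWORD
#    bit (0x10000) in userAccountControl, the same thing the ADUC checkbox toggles.
foreach ($sam in $serviceAccounts) {
    Set-ADUser -Identity $sam -PasswordNeverExpires $true
}

# 2. Audit every enabled account that never expires. Complexity is only evaluated on a
#    password change, so a password set before the GPO took effect was never checked
#    against it; such accounts are flagged. Domain Admins are flagged too, since the
#    question mentions exempting the domain administrator account.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty SamAccountName

Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
           -Properties PasswordLastSet, PasswordNeverExpires |
    ForEach-Object {
        [pscustomobject]@{
            Account         = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            # $null PasswordLastSet means the password was never set or is flagged to
            # change at next logon; treat it as unchecked too.
            PredatesPolicy  = ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $policyEnforcedOn)
            IsDomainAdmin   = $privileged -contains $_.SamAccountName
        }
    } | Sort-Object IsDomainAdmin, PredatesPolicy -Descending | Format-Table -AutoSize
```

The rows with PredatesPolicy set are the ones the new GPO has never seen: the only way to know such an account actually meets the complexity and length requirements is to reset its password once with the policy in force, and a never-expiring password on a Domain Admins member is exactly the kind of account the audit should surface before it is forgotten.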
- Thanks Guy, I thought this was the case, just needed some confirmation.
Have a great day.
Cheers
Shazz