Password Complexity - Exclude Service Accounts

    Question

  • Hi,

    our domain has no password complexity requirements group policy setting configured.

    For obvious security reasons I am about to create a new GPO at the domain level and configure the need for password complexity (30-day expiration, strong password, etc.).

    I am aware that this policy has to be set at domain level and will apply to all accounts in the domain.

    My question is, how can I ensure this policy does not apply to my service accounts? i.e. backup account, domain administrator, DNS/DHCP credentials account, etc.

    Many thanks

    Shazz
    Thursday, November 19, 2009 1:25 AM

All replies

  • Hi Shazz,
    The password policy is a computer setting. If you are using a Windows Server 2003 domain or earlier, the policy can only be set at the domain level, which will take effect on all computers in the domain, including domain controllers, and will therefore impact all accounts. There is no way to directly exclude users.
    One possible workaround is to prevent those passwords from expiring (since the policy is only applied during password changes). If you need to change those passwords regularly, you can do it on a scheduled basis and turn off the complexity during the password change process.

    Alternatively, if your domain is at the Windows 2008 functional level or higher, you can use fine-grained password policies to create a separate policy for those accounts only.

    Guy
    Thursday, November 19, 2009 2:07 AM
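    Guy's second option, the fine-grained password policy for domains at the Windows Server 2008 functional level or higher, as an added example that is not part of this thread. It uses the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 / RSAT; on a plain 2008 domain the same PSO would be created with ADSI Edit instead). The group name `SG-ServiceAccounts` and the PSO name `PSO-ServiceAccounts` are hypothetical. The PSO keeps complexity and raises the length while removing expiry, because an account whose password is never rotated is a long-lived credential and should compensate with length and lockout settings; the last step reads back the resultant policy so you can confirm the DC will actually apply it.

```powershell
# Added example, not from the thread. Creates a Password Settings Object (PSO)
# for service accounts and verifies which policy each member actually receives.
# Assumptions: domain functional level Windows Server 2008 or higher, the
# ActiveDirectory module with rights to create PSOs, and a hypothetical global
# security group 'SG-ServiceAccounts' that holds the service accounts.
Import-Module ActiveDirectory

$groupName  = 'SG-ServiceAccounts'    # hypothetical group of service accounts
$policyName = 'PSO-ServiceAccounts'   # hypothetical PSO name

# Lower Precedence wins if several PSOs apply to the same user. A MaxPasswordAge
# of zero is the module's convention for "passwords never expire" (assumption;
# the resultant-policy check at the end confirms what was stored).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 25 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge ([TimeSpan]::Zero) `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# PSOs can only be linked to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# Verify the resultant policy per account: this is what the DC enforces once
# precedence between all PSOs that apply to the user is resolved. A $null result
# means the account still falls back to the Default Domain Policy.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            Account      = $_.SamAccountName
            ResultantPSO = if ($pso) { $pso.Name } else { '(Default Domain Policy)' }
            MaxPwdAge    = if ($pso) { $pso.MaxPasswordAge } else { '(Default Domain Policy)' }
        }
    } | Format-Table -AutoSize
```

    Run it once from a management host with the RSAT AD tools; the final table is also a useful periodic check, since an account that is moved out of the group silently reverts to the domain default.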
  • Hi Guy,

    the domain is server 2003.

    I don't want the passwords for the service accounts to ever expire or need to be changed.

    So if I enable the password complexity for the domain, then on the individual service accounts tick the box on their profile in AD for "password never expires", will that mean that these accounts will be exempt from ever needing to be changed again? (provided they meet the other requirements)

    thanks

    shazz
    Thursday, November 19, 2009 4:01 AM
  • Correct, if you check the 'Password Never Expires' box, the passwords will never need to be changed. The rest of the elements of the password policy are only evaluated when a password is changed, so they won't ever apply to the service accounts.

    Guy
    • Marked as answer by ShazzAus Friday, November 20, 2009 1:50 AM
    Thursday, November 19, 2009 5:55 PM
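    The accepted workaround for a Windows Server 2003 domain, as an added example that is not part of this thread. It deliberately uses ADSI/LDAP from PowerShell rather than the ActiveDirectory module, because the module needs Active Directory Web Services (or the AD Management Gateway Service) on 2003 domain controllers, while plain ADSI works against any domain-joined host. The account names `svc-backup` and `svc-dhcpdns` are hypothetical. The first half sets the "Password never expires" flag without clobbering the other userAccountControl bits; the second half is the audit a defender wants alongside it: a list of every enabled account exempt from expiry and when its password was last set, so the exemption list is reviewed rather than allowed to grow unnoticed. As Guy notes, complexity still applies to these accounts whenever the password is changed; only the age check is bypassed.

```powershell
# Added example, not from the thread. Works against a Windows Server 2003 domain
# because it talks LDAP directly through ADSI instead of the ActiveDirectory module.
# Assumptions: run on a domain-joined host by an account allowed to modify the
# target users; the sAMAccountNames below are hypothetical.
$DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit behind "Password never expires"
$ACCOUNTDISABLE     = 0x2

$serviceAccounts = @('svc-backup', 'svc-dhcpdns')   # hypothetical service accounts

function Find-User([string]$sam) {
    # Locate one user by sAMAccountName in the current domain's default naming context.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Account '$sam' not found" }
    return $result.GetDirectoryEntry()
}

# 1. Set the flag on each service account, preserving every other UAC bit.
foreach ($sam in $serviceAccounts) {
    $user = Find-User $sam
    $uac  = [int]$user.Properties['userAccountControl'].Value
    if (($uac -band $DONT_EXPIRE_PASSWD) -eq 0) {
        $user.Properties['userAccountControl'].Value = $uac -bor $DONT_EXPIRE_PASSWD
        $user.CommitChanges()
        Write-Host "Set 'Password never expires' on $sam"
    } else {
        Write-Host "$sam already has 'Password never expires'"
    }
}

# 2. Audit: every enabled account whose password never expires, with pwdLastSet.
#    The matching-rule OID 1.2.840.113556.1.4.803 is a bitwise AND on the
#    userAccountControl attribute, so the filter selects the flag directly on the DC.
$audit = New-Object System.DirectoryServices.DirectorySearcher
$audit.Filter = '(&(objectCategory=person)(objectClass=user)' +
                "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWD)" +
                "(!(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE)))"
$audit.PageSize = 1000   # paged results, so large domains are not truncated at 1000
[void]$audit.PropertiesToLoad.AddRange(@('sAMAccountName', 'pwdLastSet', 'memberOf'))

$audit.FindAll() | ForEach-Object {
    $pwdLastSet = [int64]$_.Properties['pwdlastset'][0]
    New-Object PSObject -Property @{
        Account    = [string]$_.Properties['samaccountname'][0]
        PwdLastSet = if ($pwdLastSet -gt 0) { [DateTime]::FromFileTime($pwdLastSet) } else { $null }
        GroupCount = $_.Properties['memberof'].Count
    }
} | Sort-Object PwdLastSet | Format-Table Account, PwdLastSet, GroupCount -AutoSize
```

    The audit half is the part worth scheduling: a non-expiring password that was last set years ago, on an account that sits in many groups, is exactly the kind of credential to rotate on the planned, manual basis Guy describes.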
  • Thanks Guy, I thought this was the case, just needed some confirmation.

    Have a great day.

    cheers

    shazz
    Friday, November 20, 2009 1:51 AM