Password Expiration Flag (gpo) vs Domain Admins

    Hi There,

    I've a complex situation in my environment (more than 45k users).

    We have a global gpo that impose that the passwords must be changed every 30 days for all users.

    The problem is that we have several independent offices that require domain admin users to manage local applications and users (like Exchange etc etc...). I've just discovered that some of these users have removed from some accounts the password expiration account and then there's a hole in the security environment.

    - I cannot change or degrade the security level of these users... they must be domain admin

    - Some service accounts must have the password expiration flag selected to avoid that some services would not work after some time

    - My idea, if possible, is to create a gpo that rewrites the password expiration flag for all users and another OU where the service accounts could exist without the password expiration.

    - From what I noticed, if a Domain Admin sets "do not let password expire" on a user, the gpo would not apply. Is it correct?

    If there's no way to solve this problem, is there a trick to check automatically if any Domain Admin has changed the password expiration flag on the users?

    thank you in advance

    Silvio

    Tuesday, June 25, 2013 8:24 AM
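One way to answer the last part of the question (an added example, not code from the thread): report every enabled user that carries the "Password never expires" bit outside an approved service-account OU, and pull the Security events that show who set it. It assumes the ActiveDirectory module is installed, that "Audit User Account Management" is enabled on the domain controllers, and that the OU distinguished name, report path and DC name are placeholders to adjust.

```powershell
# Added example, not from the original thread. Assumptions: RSAT ActiveDirectory
# module present; service accounts that may keep "password never expires" live in
# $ServiceOU; $Report and $DC are placeholders for your own environment.
Import-Module ActiveDirectory

$ServiceOU = 'OU=ServiceAccounts,DC=example,DC=com'   # placeholder DN
$Report    = 'C:\Reports\PasswordNeverExpires.csv'     # placeholder path
$DC        = 'dc01.example.com'                         # placeholder DC name

# "Password never expires" sets bit 0x10000 (DONT_EXPIRE_PASSWD, decimal 65536)
# in userAccountControl; bit 0x2 marks a disabled account. The LDAP bit-AND
# matching rule (1.2.840.113556.1.4.803) lets the filter test those bits directly.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=65536)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Accounts exempt from the 30-day rotation that are NOT in the approved OU.
$flagged = Get-ADUser -LDAPFilter $filter `
                      -Properties PasswordLastSet, whenChanged, DistinguishedName |
           Where-Object { $_.DistinguishedName -notlike "*,$ServiceOU" }

$flagged |
    Select-Object SamAccountName, DistinguishedName, PasswordLastSet, whenChanged |
    Sort-Object PasswordLastSet |
    Export-Csv -Path $Report -NoTypeInformation

# Who set the flag: event 4738 ("A user account was changed") records the old and
# new userAccountControl values; the message lists "'Don't Expire Password' - Enabled"
# when the bit was switched on, and the Subject fields name the admin who did it.
# This only covers the last 30 days; an orchestration task should run it on a schedule.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -ComputerName $DC -FilterHashtable @{ LogName = 'Security'; Id = 4738; StartTime = $since } |
    Where-Object { $_.Message -match "'Don't Expire Password' - Enabled" } |
    Select-Object TimeCreated, Message |
    Format-List

# Optional remediation once the report has been reviewed: clear the flag so the
# domain maximum password age applies to these accounts again. Keep -WhatIf until
# you are sure no service account outside $ServiceOU is on the list.
# $flagged | Set-ADUser -PasswordNeverExpires $false -WhatIf
```

Running the script on a schedule (for example as a scheduled task on a management host) turns the one-off check into the automatic control the question asks for.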
