Security Basics mailing list archives
RE: Changing the domain password policy
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 2 Feb 2007 16:57:58 -0500
ALL user and service accounts should have expiring passwords. Service accounts are additionally problematic because you must change the password on the locally affected computer (lsa store) and in the authentication service database where the account resides (i.e. Active Directory or SAM). Search for Don Jones' excellent service account password changing script, or others like it located on the web. Essentially you put the service account name and password into an external list or spreadsheet, and then run the script. It will change the password on all the affected machines. Roger ***************************************************************** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada... *email: roger_grimes () infoworld com or roger () banneretcs com *Author of Professional Windows Desktop and Server Hardening (Wrox) *http://www.amazon.com/gp/product/0764599909 ***************************************************************** -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Gary Collis Sent: Thursday, February 01, 2007 2:47 PM To: security-basics () lists securityfocus com Subject: Changing the domain password policy Hi All, I wish to amend my windows domain policy to include passowrd complexity and minimum length. However I have a bunch of service accounts, of which I do not know all. These passswords are set in AD to not expire. Am I right in thinking that the changes to the domain password policy will not effect the accounts that have this attribute set in AD, until these passwords are actually changed? How do other people deal with service accounts and their adherence to domain password policys? Thanks,
Current thread:
- Changing the domain password policy Gary Collis (Feb 02)
- RE: Changing the domain password policy Huang, John, GCM (Feb 02)
- RE: Changing the domain password policy Roger A. Grimes (Feb 05)
- RE: Changing the domain password policy Scott Ramsdell (Feb 02)
- RE: Changing the domain password policy Roger A. Grimes (Feb 05)
- RE: Changing the domain password policy Depp, Dennis M. (Feb 02)
- Re: Changing the domain password policy Mike Devlin (Feb 02)
- Re: Re: Changing the domain password policy David Grant (Feb 05)
- Re: Changing the domain password policy Raoul Armfield (Feb 06)
- <Possible follow-ups>
- Re: Changing the domain password policy krymson (Feb 02)
- Re: Changing the domain password policy test (Feb 07)
- RE: Changing the domain password policy Huang, John, GCM (Feb 02)