RE: Changing the domain password policy

["Roger A. Grimes" <roger () banneretcs com>]

ALL user and service accounts should have expiring passwords. Service
accounts are additionally problematic because you must change the
password on the locally affected computer (lsa store) and in the
authentication service database where the account resides (i.e. Active
Directory or SAM).

Search for Don Jones' excellent service account password changing
script, or others like it located on the web. Essentially you put the
service account name and password into an external list or spreadsheet,
and then run the script. It will change the password on all the affected
machines.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Gary Collis
Sent: Thursday, February 01, 2007 2:47 PM
To: security-basics () lists securityfocus com
Subject: Changing the domain password policy

Hi All,

I wish to amend my windows domain policy to include passowrd complexity
and minimum length. However I have a bunch of service accounts, of which

I do not know all. These passswords are set in AD to not expire. Am I
right in thinking that the changes to the domain password policy will
not effect the accounts that have this attribute set in AD, until these
passwords are actually changed?

How do other people deal with service accounts and their adherence to
domain password policys?

Thanks,