RE: Changing the domain password policy

["Scott Ramsdell" <Scott.Ramsdell () cellnet com>]

Gary,

You are correct.  The new requirements will be enforced at the next
password change.

Because service accounts are frequently set to not expire, ensure those
passwords are long and complex, known to only who needs to know, and
documented in the appropriate location.

I always lumped my service accts into one OU.  This OU was exempted from
my script that toggled 'user must change password at next login'.  This
script was run when IT staff left.

A good rule to remember when creating service accounts is that vendors
lie, and their service accounts probably do not need domain admin
rights.

Best Regards,
Scott Ramsdell


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Gary Collis
Sent: Thursday, February 01, 2007 2:47 PM
To: security-basics () lists securityfocus com
Subject: Changing the domain password policy

Hi All,

I wish to amend my windows domain policy to include passowrd complexity 
and minimum length. However I have a bunch of service accounts, of which

I do not know all. These passswords are set in AD to not expire. Am I 
right in thinking that the changes to the domain password policy will 
not effect the accounts that have this attribute set in AD, until these 
passwords are actually changed?

How do other people deal with service accounts and their adherence to 
domain password policys?

Thanks,