Re: Re: Changing the domain password policy

["David Grant" <dpgrant () blueyonder co uk>]

You deal with the Service Account passwords by making them comply with your 
password policy.

A point to note - 1 domain 1 password policy.
you can create as many different password policies as you like - the Domain 
Password Policy will be the one actually applied to all users.


----- Original Message ----- 
From: "Mike Devlin" <mdevlin () boston com>
Cc: <security-basics () lists securityfocus com>
Sent: Friday, February 02, 2007 7:17 PM
Subject: [Norton AntiSpam] Re: Changing the domain password policy


> yes, you are right that if you change the password complexity 
> requirements/minimum length, all the accounts that don't meet the new 
> requirements are fine until their password expires or is forced to rotate. 
> I suppose that if you wanted to be extra safe, you could make a policy 
> just for the service accounts, and have a different set of password 
> requirements for these accounts, and have the default domain policy have 
> the stronger password complexity settings.
>
>                                           - Mike
>
> Gary Collis wrote:
> > Hi All,
> >
> > I wish to amend my windows domain policy to include passowrd complexity 
> > and minimum length. However I have a bunch of service accounts, of which 
> > I do not know all. These passswords are set in AD to not expire. Am I 
> > right in thinking that the changes to the domain password policy will not 
> > effect the accounts that have this attribute set in AD, until these 
> > passwords are actually changed?
> >
> > How do other people deal with service accounts and their adherence to 
> > domain password policys?
> >
> > Thanks,