Re: Enforce "Password Never Expires" Setting?

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

you can only have 1 password policy in a domain, so you could set the maximum password age to 0 but it would affect all your user accounts in your domain.

If you had windows server 2008, you could utilize the fine grained password feature. This feature allows you to configure a different password policy (called a PSO -password setting object) to a user or group. You cannot apply it to an OU, however.

So in your case, you would have to create a shadow group (a group that includes all the members of an OU), add all your service accounts to the shadow group, create a PSO that sets the maximum password age to 0, and apply the PSO to the shadow group that you created.

--
Take care,

David
http://dcraige27.blogspot.com

"John Liles" <JohnLiles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:9BF0DA21-6DAC-4C70-9DA4-553B959F9370@xxxxxxxxxxxxxxxx
Does anyone know of a way to use group policy to enforce the user account
setting "password never expires?" I have an OU that contains only service
accounts, and it's important that these not have their passwords require
periodic change.

I've looked at group policy settings for user configuration and don't find
anything that would accomplish this. I've also found some possible scripts
to set the "password never expires" attribute, but I don't see how I could
use group policy to push such a script to the service accounts; a logon or
logoff script would seem moot since the service account never actually logs
on to a computer.

Any help would be appreciated!

JL

--
JL

.

Relevant Pages

  • Re: Password policy at the OU level
    ... Checkpoint issues with PPTP go back to the origin, ... >I would suggest that either you get their outbound VPN ... >password policy is enforced at the domain controllers. ... How do I handle service accounts? ...
    (microsoft.public.windows.group_policy)
  • Domain Password Policy
    ... The only password policy we currently enforce in our 1 domain is a minimum ... Minimum password length - 8 characters ... We currently have numerous damain service accounts that do NOT meet the ...
    (microsoft.public.win2000.security)
  • Re: Re: Changing the domain password policy
    ... You deal with the Service Account passwords by making them comply with your password policy. ... you can create as many different password policies as you like - the Domain Password Policy will be the one actually applied to all users. ... I suppose that if you wanted to be extra safe, you could make a policy just for the service accounts, and have a different set of password requirements for these accounts, and have the default domain policy have the stronger password complexity settings. ...
    (Security-Basics)
  • RE: Group Policy: multiple password policies in the same domain?
    ... > There can be only one password policy for the domain. ... > (backup, Exchange, SQL Server, Scheduled Tasks, etc.) where I ... > service accounts have a certain password policy while regular ... > Derick Anderson ...
    (Focus-Microsoft)
  • Re: Reasons and examples for security
    ... As far as password policy I would use the Microsoft document called ... "Threats and Countermeasures" to help build your case. ... The Maximum password age setting determines the number of days that a ... doing so will result in a major security risk. ...
    (microsoft.public.security)