Re: Manage user account service password ?




I don't actually know of a particularly good way to do this. It tends to
vary by the application and how the password is stored. I'm sure some of
this can be automated though.

In my organization, it is typical to configure service accounts to have
non-expiring passwords. This is obviously not good from a security
standpoint, but when we've tried to do it otherwise, we often end up with
lockouts and outages of the service account during password change
operations. It is hard to get this right.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.1bd57d79c73c822c.70874@xxxxxxxxxxxxxxxxxxxxx
Hi Joe,

thank you for your answer.

I agree with what you said but do you know any way or methods to implement
an easy solution to change service passwords every 3 months for example ?

Even if the service account is associated to only one server and one
application, it's quite hard to change it in a big company with 100
servers.

Thank you.

The hard part is getting all of the persisted passwords updated in the
various places they are stored. They all aren't just Windows services,
but are often stored in configuration files, used by IIS or sucked into
random vendor apps and stored who knows how.

The only way to deal with that part of it in general is very careful
documentation and change control processes. It is also a good idea to
try to enforce "single use" for service accounts so that you don't have
to try to change multiple passwords in multiple different places
simultaneously, as that can easily lead to lockout issues.

2008 server with fine-grained password policy will at least make some of
those issues easier to deal with (disabling lockout for service accounts
and enforcing stronger passwords to compensate).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net

--
Pascal
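
The inventory step behind the "single use" advice above, as an added example that is not part of the original posts: it groups Windows service records by logon account and flags accounts whose password is stored in more than one place. It covers only Windows services, not configuration files, IIS or vendor apps. The function name, host names and account names are hypothetical, and the sample records are constructed.

```powershell
# Added example, not from the thread. Names and sample data are constructed.
function Get-ServiceAccountUsage {
    param(
        # Records with PSComputerName, Name and StartName properties
        [Parameter(Mandatory)] [object[]] $ServiceRecord
    )
    # Built-in identities have no password to rotate, so leave them out.
    $builtin = '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+)$'

    $ServiceRecord |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
        Group-Object { $_.StartName.ToLowerInvariant() } |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $_.Name
                Hosts     = @($_.Group.PSComputerName | Sort-Object -Unique) -join ','
                Services  = @($_.Group.Name | Sort-Object -Unique) -join ','
                Places    = $_.Count            # stored copies of the password
                SingleUse = ($_.Count -eq 1)    # one server, one service
            }
        } |
        Sort-Object Places -Descending
}

# Constructed sample records. On a real network they could be collected with:
#   Get-CimInstance -ClassName Win32_Service -ComputerName $servers |
#       Select-Object PSComputerName, Name, StartName
$sample = @(
    [pscustomobject]@{ PSComputerName = 'SRV01'; Name = 'BackupAgent'; StartName = 'CORP\svc-backup' }
    [pscustomobject]@{ PSComputerName = 'SRV02'; Name = 'BackupAgent'; StartName = 'corp\svc-backup' }
    [pscustomobject]@{ PSComputerName = 'SRV02'; Name = 'ReportSvc';   StartName = 'CORP\svc-report' }
    [pscustomobject]@{ PSComputerName = 'SRV01'; Name = 'Spooler';     StartName = 'LocalSystem' }
    [pscustomobject]@{ PSComputerName = 'SRV03'; Name = 'W32Time';     StartName = 'NT AUTHORITY\LocalService' }
)

# Accounts with SingleUse = False need a coordinated change on every listed host.
Get-ServiceAccountUsage -ServiceRecord $sample | Format-Table -AutoSize
```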



