Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Domain Password Policy

1 view
Skip to first unread message

Dan

unread,
Apr 13, 2006, 7:51:01 PM4/13/06
to
Hello Everyone,
I am getting ready to enforce stronger passwords on the domain. However, we
have a lot of automatic scripts/jobs that run depending on the machine. For
instance on my pc I have an access database that loads and runs through the
windows scheduler. However, if my password changes which it does the program
quits running. Is there away I can prevent this so I can ensure all of our
jobs/scripts will continue to run even if a password is expired or changed
due to the domain password policy.
Thanks
Dan

Lanwench [MVP - Exchange]

unread,
Apr 13, 2006, 10:24:01 PM4/13/06
to

In news:746B1C59-4516-46F1...@microsoft.com,
Dan <D...@discussions.microsoft.com> typed:

You can set up separate service accounts, with passwords that don't expire,
if you need to. That said, I'd say that it's best to avoid running anything
like this from your desktops. It would be better to get everything
centralized on your servers.


Dan

unread,
Apr 13, 2006, 11:44:02 PM4/13/06
to
Hello and thanks for your quick response.
I agree we pretty much have one pc that acts as an application server that
handles the scripts. It does require both local pc admin access and some
rights to the server.

So if I understand correctly we can set an account for this pc which will
not be affected by the domain security policy. How would this work? Don't
all accounts get affected by the domain policy. I greatly appreciate your
help.
Thanks
Dan

Lanwench [MVP - Exchange]

unread,
Apr 14, 2006, 12:21:47 AM4/14/06
to

In news:37B32174-612F-4568...@microsoft.com,
Dan <D...@discussions.microsoft.com> typed:


> Hello and thanks for your quick response.
> I agree we pretty much have one pc that acts as an application server
> that handles the scripts. It does require both local pc admin access
> and some rights to the server.

No way to stick that on a real server that isn't accessible to users? Eh,
what are you going to do.


>
> So if I understand correctly we can set an account for this pc which
> will not be affected by the domain security policy. How would this
> work? Don't all accounts get affected by the domain policy.

Yes, but in the account properties in ADUC you can tick the box that
prevents the password from ever expiring.

> I
> greatly appreciate your help.

HTH.

Ken Aldrich

unread,
Apr 14, 2006, 6:13:13 PM4/14/06
to
My recommendation:
Create service accounts with REALLY strong passwords. Set the passwords to
never expire.
Put the service accounts in an OU that is not susceptible to the GPO that
has your password policy settings in it.
Set a reminder on your calendar to periodically update your scripts and
accounts with new passwords.

--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com

"Lanwench [MVP - Exchange]"
<lanw...@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:Oi$E9uAYG...@TK2MSFTNGP03.phx.gbl...

Dan

unread,
Apr 15, 2006, 8:21:02 PM4/15/06
to
Thanks so much, that is what I needed. Yeah, the pc is in a locked room that
acts as an application server. So I guess it is kind of a server, but just
has XP Pro instead of the server software.

I thought the domain policy would override the tick that never expires.
This is good to know so we can create one service account where the password
never expires. Thanks so much for all the help.

This is truly what I wanted to know. Because from what I have heard you cant
set a password policy at the ou level it always had to be the domain level
and I was afraid that the few programs we use to run through windows
scheduler would quit working with the one service account that we use.

So basically set an domain security policy with one account for services and
click do not expire and this truly wont expire with the domain policy.

Thanks so much 1 problem down 1 to go,

0 new messages