Administrator Password Never Expires

Guest

It would appear when auditing various domains that the Administrator account in the domain has the "password never expires" block checked and the box is disabled (read: greyed out) so that setting cannot be changed to make the domain administrator password expire.

Is there a way to make the account expire (or at least ask/force the account to change the password)?

Thanks in advance!
Jeremy Shelley, MCSE, CISSP

P.S. I know it's not exactly a good idea to have your Domain Administrator account expire but governmental rules are governmental rules.
 
It could be related to accounts created at OS install. Have you tried to
create an account and make it a member of the same groups? I believe (but I
have not tested...) that that way you should be able to set/clear the
option.

cheers,

Marco

--
Execute applications with elevated privileges [ www.neovalens.com ]
--



MCSEStretch said:
It would appear when auditing various domains that the Administrator
account in the domain has the "password never expires" block checked and the
box is disabled (read: greyed out) so that setting cannot be changed to
make the domain administrator password expire.
Is there a way to make the account expire (or at least ask/force the
account to change the password)?
Thanks in advance!
Jeremy Shelley, MCSE, CISSP

P.S. I know it's not exactly a good idea to have your Domain Administrator
account expire but governmental rules are governmental rules.
 
I believe that is hard-coded into the operating system and cannot be easily
changed [I know of no way]. You can use passprop to lock out that account to
network logon attempts but never to console logon at a domain controller. In
Windows 2003 you can disable the built-in administrator account except to
safe mode logon. --- Steve


MCSEStretch said:
It would appear when auditing various domains that the Administrator
account in the domain has the "password never expires" block checked and the
box is disabled (read: greyed out) so that setting cannot be changed to
make the domain administrator password expire.
Is there a way to make the account expire (or at least ask/force the
account to change the password)?
Thanks in advance!
Jeremy Shelley, MCSE, CISSP

P.S. I know it's not exactly a good idea to have your Domain Administrator
account expire but governmental rules are governmental rules.
 
Why not audit the PasswordLastSetTime field to make sure the admins are, in
fact, following the reg? I use Dumpsec
(http://www.systemtools.com/somarsoft) to dump the directory listing of user
accounts to a CSV then import it to MSAccess. Works very well to catch
admins who set their own accounts' passwords to never expire.

HTH

John

Steven L Umbach said:
I believe that is hard-coded into the operating system and cannot be easily
changed [I know of no way]. You can use passprop to lock out that account to
network logon attempts but never to console logon at a domain controller. In
Windows 2003 you can disable the built-in administrator account except to
safe mode logon. --- Steve


MCSEStretch said:
It would appear when auditing various domains that the Administrator
account in the domain has the "password never expires" block checked and the
box is disabled (read: greyed out) so that setting cannot be changed to
make the domain administrator password expire.
Is there a way to make the account expire (or at least ask/force the
account to change the password)?
Thanks in advance!
Jeremy Shelley, MCSE, CISSP

P.S. I know it's not exactly a good idea to have your Domain Administrator
account expire but governmental rules are governmental rules.
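
The password-age audit John describes, as an added example that is not part of the original thread and is not DumpSec's own code: it reads a CSV export of user accounts and flags passwords older than the policy limit, plus any account with "password never expires" set. The column names, date format, 90-day limit and sample rows are assumptions constructed for illustration; match them to the header row of your own export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names and date format are assumptions;
# adjust them to the header row your own DumpSec (or other) CSV actually has.
SAMPLE_CSV = """UserName,PswdLastSetTime,PswdNeverExpires
Administrator,01/15/2004 09:30,Yes
jsmith,05/20/2004 14:02,No
svc_backup,11/03/2002 08:00,Yes
newhire,Never,No
"""
DATE_FORMAT = "%m/%d/%Y %H:%M"


def audit_password_age(csv_text, as_of, max_age_days=90):
    """Return [(user, age_in_days_or_None, reasons)] for accounts needing review."""
    limit = timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["UserName"].strip()
        raw = row["PswdLastSetTime"].strip()
        never_expires = row["PswdNeverExpires"].strip().lower() in ("yes", "true", "1")
        reasons, age_days = [], None
        try:
            age = as_of - datetime.strptime(raw, DATE_FORMAT)
            age_days = age.days
            if age > limit:
                reasons.append(f"password older than {max_age_days} days")
        except ValueError:
            # Blank, "Never" or an unexpected format: report it, do not skip it.
            reasons.append(f"no usable last-set time ({raw!r})")
        if never_expires:
            # The built-in Administrator will always show this flag, so its
            # password age is the control that can actually be enforced.
            reasons.append("password never expires is set")
        if reasons:
            findings.append((user, age_days, reasons))
    # Rows without a usable date first, then oldest passwords first.
    findings.sort(key=lambda f: (f[1] is not None, -(f[1] or 0)))
    return findings


if __name__ == "__main__":
    for user, age, reasons in audit_password_age(SAMPLE_CSV, datetime(2004, 6, 1)):
        print(f"{user:15} age={age!s:>5}  {'; '.join(reasons)}")
```

Run on a schedule against a fresh export, this catches an Administrator password that has not been rotated within the policy window even though the account itself can never be made to expire.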
 