Password Policy

  • Thread starter: The Daddy

The Daddy

I need to have a password policy within my Active
Directory domain. However, password policies can only be
set at domain level, meaning that it is basically all or
nothing. The problem with this is that there are
important domain accounts that start services on servers
and a regular password change of these accounts would
cause mayhem.

Can somebody please tell me how I can get around this and
have a password policy on the domain?
 
If you manually set the password properties on your service accounts (in the
Property sheets in ADUC) to "Password never expires", this will override the
domain account policy.

However, service accounts are a common attack vector because every hacker on
the planet knows that you're going to do this. (Why? Because just about
everyone does.) So you should include "manually change the service account
passwords and restart the services" as a part of your ongoing network
maintenance.
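
An added example, not part of the original thread: a PowerShell audit that lists enabled accounts flagged "Password never expires" together with their password age, so the manual rotation described above can be scheduled and checked. It assumes the ActiveDirectory module (RSAT) is installed; the 180-day threshold is an assumed value, not one given in the thread.

```powershell
# Added example: audit accounts that are exempt from domain password expiry.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: exempt accounts should be rotated by hand at least this often.
$MaxAgeDays = 180
$now = Get-Date

Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
           -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalName, Description |
    ForEach-Object {
        # PasswordLastSet is $null when no password-set time is recorded.
        $age = if ($_.PasswordLastSet) {
            [int][math]::Floor(($now - $_.PasswordLastSet).TotalDays)
        } else {
            $null
        }

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            PasswordAgeDays = $age
            # A registered SPN helps tell service accounts apart from
            # ordinary user accounts that merely carry the flag.
            HasSPN          = ($_.ServicePrincipalName.Count -gt 0)
            # Flag accounts with an unknown or too-old password for rotation.
            Overdue         = ($null -eq $age) -or ($age -gt $MaxAgeDays)
            Description     = $_.Description
        }
    } |
    Sort-Object -Property PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Accounts that appear here without being known service accounts are worth reviewing, since the flag removes them from the domain expiry policy as well.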
 