General discussion

  • #2188943

    Password expiration policy for admin and system accounts?


    by theyeti ·

    Our auditors are objecting to our having Domain Administrator and domain system accounts with passwords that never expire.

    Yes, we change some of these passwords from time to time, but they’re normally set to never expire.

    We are wondering about how other companies do it, since we’ve never heard of any IT Dept. that had such a policy, and we think the auditors are being
    unreasonable — forcing password expiration on such accounts could be a logistical nightmare as it would cause critical services to stop running.

    We’re not that big, but we do have about 30 servers and 200 users to support. There’s only 1 Win2K domain, with Exchange 2K, SQL and other
    resource servers.

    Please post your experiences and opinions.


All Comments

    • #3060738

      Expiration = Necessary Evil

      by billbohlen@hallmarkchannl ·

      In reply to Password expiration policy for admin and system accounts?

      We have the same problem. Auditors pay very special attention to Domain Admins and for very good reason.
      Our domain policy forces complex passwords, 60-day expiration, and can’t reuse the last 10 passwords.
      However, as you state, this is a logistical nightmare with service accounts (such as ones for Scheduled Tasks and Services) that do not use pass-thru authentication. Every time the password expires, automation stops working.
      We’ve tried removing service accounts from Domain Admins, but applying individual rights to each server was even more of a logistical nightmare.
      What we’ve done is create a set of “Enterprise Service Accounts”. These accounts are the only ones where passwords are set to never expire. The passwords are only known by the CIO and IT management and are kept under lock and key. Any time a task needs to be changed or an enterprise app needs a service account, the CIO or IT manager must provide the password.

      • #3060600

        Basically same approach

        by charliespencer ·

        In reply to Expiration = Necessary Evil

        Only the IT manager and the two senior network administrators know the domain Administrator p/w. This is set to expire, but since I don’t know or use it, I don’t know the schedule.

        Those techs that require it have accounts in the Domain Admins group, separate from their “day to day” user accounts. These admin accounts’ passwords expire every 90 days.

        There are two “services only” accounts, one for each of our two sites. These have fixed p/w’s known to the senior personnel at each site. Each site’s service account password, along with the domain Admin p/w, is also stored in the safe at the other site for disaster recovery purposes.
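        The two posts above describe the same control in words: expiration on every privileged account except a short, known list of service accounts. The check an auditor (or the IT manager) would actually run against that policy, as an added example that is not code from either poster, is below. It assumes the RSAT ActiveDirectory module on the workstation, the default English group names, and a hypothetical approved list; the 90-day limit is the figure charliespencer gives.

```powershell
# Added example (not from the thread): report every user in the privileged groups whose
# password never expires or is older than the rotation period, and flag never-expire
# accounts that are not on the approved service-account list.
# Assumptions: RSAT ActiveDirectory module installed; group names are the defaults for an
# English-language domain; $ApprovedNeverExpire holds hypothetical account names.
Import-Module ActiveDirectory

$PrivilegedGroups    = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$ApprovedNeverExpire = @('svc-enterprise-app1', 'svc-enterprise-app2')   # hypothetical names
$MaxAgeDays          = 90                                               # rotation period from the thread

# Expand nested membership so an account hidden behind a group in a group is still seen.
$members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [pscustomobject]@{ Group = $g; SamAccountName = $_.SamAccountName } }
}

$report = $members | Select-Object -ExpandProperty SamAccountName -Unique | ForEach-Object {
    $u = Get-ADUser -Identity $_ -Properties PasswordNeverExpires, PasswordLastSet, Enabled
    # PasswordLastSet is null when pwdLastSet is 0 ("must change at next logon"); treat as unknown.
    $age = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days } else { $null }
    $finding = if ($u.PasswordNeverExpires -and $u.SamAccountName -notin $ApprovedNeverExpire) {
                   'NeverExpires-NotApproved'          # the item the auditors write up
               } elseif (-not $u.PasswordNeverExpires -and $age -gt $MaxAgeDays) {
                   "OlderThan${MaxAgeDays}d"           # policy exists but is not being enforced
               } elseif ($u.PasswordNeverExpires) {
                   'NeverExpires-Approved'             # the documented exception; still list it
               } else { 'OK' }
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordAgeDays      = $age
        Groups               = (($members | Where-Object { $_.SamAccountName -eq $u.SamAccountName }).Group | Sort-Object -Unique) -join ';'
        Finding              = $finding
    }
}

$report | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
```

        Anything in the report with a finding other than `OK` or `NeverExpires-Approved` is exactly what the auditors in the thread are objecting to; the approved list is the paper trail that turns a never-expire account from a finding into a documented exception.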

    • #3044464

      Hey, are you in my company? ;-)

      by geobeck ·

      In reply to Password expiration policy for admin and system accounts?

      Got the same problem, but a much simpler solution: we just ignore the occasional requests from head office to change our admin passwords.

    • #3120257

      In the same boat

      by kenkrause ·

      In reply to Password expiration policy for admin and system accounts?

      My company is required to undergo a full on-site security audit annually. Part of their requirements is that we change administrative and service account passwords every 90 days. For convenience’s sake, it’s much easier to create these administrative and service account passwords with no expiration date. The problem this causes is that security auditors will write you up in a heartbeat, and they have some very valid and obvious reasons for doing so. Another problem is that the expiration of these passwords can cause services to stop functioning when they have expired. Timely change is required! What we have done is to create the accounts with passwords that never expire, but we still change them regularly.

      I’m looking for a tool that will make management of these passwords more automated or at least less time consuming. I have a list of servers which also includes services running under domain accounts. First, I change the account passwords in Active Directory, then I move to each server changing the local administrator password, and reconfiguring any services with the new password for the service account. This takes time and in some cases, the service account fails because of the time it takes to complete the rounds and get to all servers before re-authentication is triggered.

      What I would like is to be able to open a GUI listing all my servers and the services on them, enter the new password and click to send the change. A restart of the service would be an optional checkbox item since the order in which our services start is critical.
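      The rounds kenkrause describes (reset the account in AD, then visit each server and re-enter the password on every service that runs as it, with restart optional) can be done in one pass from a script. The following is an added example, not a tool the poster had or recommends; it assumes the RSAT ActiveDirectory module on the admin workstation, WinRM/CIM reachable on each server, and rights to reset the account and reconfigure services. The account and server names are placeholders.

```powershell
# Added example (not from the thread): rotate a domain service account's password and push
# it to every Windows service on the listed servers that runs under that account, in one
# pass, with restart as an opt-in switch (the post's "optional checkbox").
# Assumptions: RSAT ActiveDirectory module; WinRM and CIM reachable on each server; the
# caller may reset the account and reconfigure services. $ServiceAccount and $ComputerName
# are placeholders supplied by the caller.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]   $ServiceAccount,   # DOMAIN\name form, e.g. 'CORP\svc-backup' (hypothetical)
    [Parameter(Mandatory)] [string[]] $ComputerName,     # servers to scan, e.g. Get-Content .\servers.txt
    [switch] $RestartServices                            # off by default: start order stays the admin's call
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# 1. Inventory before touching anything. Win32_Service.StartName is the logon account as it
#    was typed into the service; it is compared in the same DOMAIN\name form.
$inventory = foreach ($computer in $ComputerName) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $computer |
        Where-Object { $_.StartName -ieq $ServiceAccount } |
        ForEach-Object { [pscustomobject]@{ Computer = $computer; Service = $_ } }
}
if (-not $inventory) { throw "No service on the listed servers runs as $ServiceAccount" }
"Services running as ${ServiceAccount}:"
$inventory | ForEach-Object { "  {0}\{1} ({2})" -f $_.Computer, $_.Service.Name, $_.Service.State }

# 2. One new password, generated in memory and never echoed. 24 random bytes in base64
#    give 32 characters with upper, lower, digits and symbols, which satisfies complexity.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
$secure      = ConvertTo-SecureString $newPassword -AsPlainText -Force
$sam         = ($ServiceAccount -split '\\')[-1]          # strip DOMAIN\ for the AD lookup

if ($PSCmdlet.ShouldProcess($sam, 'Reset AD password')) {
    Set-ADAccountPassword -Identity $sam -Reset -NewPassword $secure
}

# 3. Push the same password into each service's stored credential straight away. The service
#    control manager reads this stored secret when it next starts the service, so the window
#    the post describes (a service restarting before its server has been visited) is only as
#    long as this loop, not as long as a manual tour of 30 servers.
foreach ($item in $inventory) {
    $svc    = $item.Service
    $target = "$($item.Computer)\$($svc.Name)"
    if (-not $PSCmdlet.ShouldProcess($target, 'Update service logon password')) { continue }

    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $ServiceAccount
        StartPassword = $newPassword
    }
    if ($result.ReturnValue -ne 0) {
        Write-Warning "$target : Win32_Service.Change returned $($result.ReturnValue); fix this one by hand"
        continue
    }
    if ($RestartServices -and $svc.State -eq 'Running') {
        $svcName = $svc.Name
        Invoke-Command -ComputerName $item.Computer -ScriptBlock { Restart-Service -Name $using:svcName }
    }
}
```

      Run it first with `-WhatIf` to see the inventory and the planned changes without resetting anything; a non-zero `ReturnValue` from `Change` (for example 2, access denied) leaves that service on the old password, which is why the warning names the host and service. The local Administrator password step the post also mentions is a separate per-host change and is left out here.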

    • #2629767

      Domain Password Expiration Policy Reminder Software

      by klewis ·

      In reply to Password expiration policy for admin and system accounts?

      We feel your pain, and are very familiar with IT audit processes surrounding SOX / HIPAA / PCI, etc.
      These days the audit requirements are becoming increasingly strict regarding maintaining ‘adequate’ internal account security, and enforcing a unified password change policy is essential.

      Please have a look at our software Password Reminder PRO htp:// –

      Completely free to use for two months, and overall pretty low cost to buy. Our software is designed to help you manage and enforce password expirations, and proactively notifies users of upcoming password changes.
      Super easy to install (5 mins!) and no scripting / domain changes required.

      We designed this software specifically to help out with your account management problems, and have customers with upwards of 70,000 users successfully managing their password-expiring users with Password Reminder PRO.
