Re: password expiration policy for admin and system accounts ?
From: Brad Baker (brad_at_nospam.nospam)
Date: Fri, 21 Oct 2005 16:07:50 -0400

We face a similar problem. We would like to change several of our
administrative passwords but are concerned about the problems that will be
created as a result. We have legacy applications as well as services and
scheduled tasks that use various administrative accounts. Changing the
passwords on the accounts that run those applications/services/tasks would
likely result in dozens of services, tasks and programs not working.

Even if we managed to go through and find every place to update the password
throughout our infrastructure there is some concern that some of the updates
may not take effect. For instance, during the installation of our old
Exchange server, the wrong password was specified for an administrative
account which starts several key Exchange services. Updating the password in
the services applet did not fix this problem. Thus every time the Exchange
server was rebooted several Exchange services would not automatically start
until an admin re-entered the password and manually started up the services. If
this happened to other applications because of a password change, it would
be a nightmare.

Thankfully our admin passwords are quite complex but it is disconcerting
that we do not feel confident that changing them would not cause major
disruption. I'd also welcome feedback from anyone who has done this in an
enterprise environment (i.e. 30+ servers running many different server
applications such as SQL, IIS, Exchange, backup software, legacy apps etc.).

"Joe Richards [MVP]" <email@example.com> wrote in message
> Hell I would and do object as well.
> Joe Richards Microsoft MVP Windows Server Directory Services
> JJ wrote:
>> Our auditors are objecting to our having Domain Administrator and domain
>> system accounts with passwords that never expire.
>> Yes, we change some of these passwords from time to time, but they're
>> normally set to never expire.
>> We are wondering about how other companies do it, since we've never heard
>> of any IT Dept. that had such a policy, and we think the auditors are being
>> unreasonable -- forcing password expiration on such accounts could be a
>> logistical nightmare as it would cause critical services to stop running.
>> We're not that big, but we do have about 30 servers and 200 users to
>> support. There's only 1 Win2K domain, with Exchange 2K, SQL and other
>> resource servers.
>> Please post your experiences and opinions.
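
The reply above turns on finding every service and scheduled task that runs under an account before its password is changed. The following is an added example, not part of the original thread, showing one way to build that inventory; it assumes PowerShell 3.0 or later with CIM/WinRM reachable on each server and the ScheduledTasks module (Windows Server 2012 or later), and `Get-AccountUsage`, the server names and the account name are hypothetical.

```powershell
# Added example, not from the thread: list where an account is used before rotation.
# Assumes PowerShell 3.0+ with WinRM/CIM reachable and the ScheduledTasks module
# (Windows Server 2012 or later). Names in the usage line are constructed.
function Get-AccountUsage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $Account   # 'DOMAIN\name' or bare 'name'
    )
    # Match 'DOMAIN\name', '.\name', 'name@domain' or a bare 'name'.
    $short   = ($Account -split '\\')[-1]
    $pattern = '(^|\\)' + [regex]::Escape($short) + '(@|$)'

    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop

            # Services whose logon account (StartName) is the target account.
            Get-CimInstance -CimSession $session -ClassName Win32_Service |
                Where-Object { $_.StartName -match $pattern } |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer = $computer; Type = 'Service'; Name = $_.Name
                        RunAs = $_.StartName; Detail = $_.StartMode
                    }
                }

            # Scheduled tasks whose principal is the target account.
            Get-ScheduledTask -CimSession $session |
                Where-Object { $_.Principal.UserId -match $pattern } |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer = $computer; Type = 'ScheduledTask'
                        Name = $_.TaskPath + $_.TaskName
                        RunAs = $_.Principal.UserId; Detail = $_.State
                    }
                }
        }
        catch {
            # An unreachable server is a gap in the inventory, so record it.
            [pscustomobject]@{
                Computer = $computer; Type = 'ERROR'; Name = ''
                RunAs = ''; Detail = $_.Exception.Message
            }
        }
        finally { if ($session) { Remove-CimSession -CimSession $session } }
    }
}
# Get-AccountUsage -ComputerName 'srv01','srv02' -Account 'EXAMPLE\svc-backup'
```

This covers only services and scheduled tasks; passwords stored inside application configuration, such as the legacy applications mentioned in the reply, still have to be tracked down separately.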