Re: password expiration policy for admin and system accounts ?

From: Brad Baker (brad_at_nospam.nospam)
Date: 10/21/05


Date: Fri, 21 Oct 2005 16:07:50 -0400

We face a similar problem. We would like to change several of our
administrative passwords but are concerned about the problems that will be
created as a result. We have legacy applications as well as services and
scheduled tasks that use various administrative accounts. Changing the
passwords on the accounts that run those applications/services/tasks would
likely result in dozens of services, tasks and programs not working.

Even if we managed to go through and find every place to update the password
throughout our infrastructure, there is some concern that some of the updates
may not take effect. For instance, during the installation of our old
Exchange server, the wrong password was specified for an administrative
account which starts several key Exchange services. Updating the password in
the services applet did not fix this problem. Thus every time the Exchange
server was rebooted, several Exchange services would not automatically start
until an admin re-entered the password and manually started the services. If
this happened to other applications because of a password change, it would
be a nightmare.

Thankfully our admin passwords are quite complex, but it is disconcerting
that we do not feel confident that changing them would not cause major
disruption. I'd also welcome feedback from anyone who has done this in an
enterprise environment (i.e., 30+ servers running many different server
applications such as SQL, IIS, Exchange, backup software, legacy apps, etc.).

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:uvO65Wd1FHA.1564@tk2msftngp13.phx.gbl...
> Hell I would and do object as well.
>
> http://blog.joeware.net/2005/05/08/10/
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> JJ wrote:
>> Our auditors are objecting to our having Domain Administrator and domain
>> system accounts with passwords that never expire.
>>
>> Yes, we change some of these passwords from time to time, but they're
>> normally set to never expire.
>>
>>
>> We are wondering about how other companies do it, since we've never heard
>> of any IT Dept. that had such a policy, and we think the auditors are being
>> unreasonable -- forcing password expiration on such accounts could be a
>> logistical nightmare as it would cause critical services to stop running.
>>
>> We're not that big, but we do have about 30 servers and 200 users to
>> support. There's only 1 Win2K domain, with Exchange 2K, SQL and other
>> resource servers.
>>
>> Please post your experiences and opinions.
>>
>> Thanks.
>>
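
The inventory step described in the reply above (finding every service and scheduled task that runs under a named account before its password is changed), as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later with CIM/WinRM access to each server and targets that support `Get-ScheduledTask` (Windows Server 2012 and later); the server names and the output path are placeholders.

```powershell
# Added example: list where named accounts are used, per server, before a password change.
$Servers = @('SERVER01', 'SERVER02')      # placeholder host names
$OutFile = '.\account-usage.csv'          # placeholder output path

# Built-in identities have no administrator-managed password, so they are skipped.
$BuiltIn = '^(LocalSystem|SYSTEM|LOCAL SERVICE|NETWORK SERVICE|NT AUTHORITY\\.+|NT SERVICE\\.+)$'

$inventory = foreach ($server in $Servers) {
    try {
        $session = New-CimSession -ComputerName $server -ErrorAction Stop
    } catch {
        # An unreachable server is a gap in the inventory, so report it loudly.
        Write-Warning "Cannot reach ${server}: $($_.Exception.Message)"
        continue
    }

    # Services whose logon account is a named domain or local user.
    Get-CimInstance -CimSession $session -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $BuiltIn } |
        ForEach-Object {
            [pscustomobject]@{
                Server  = $server
                Type    = 'Service'
                Name    = $_.Name
                Account = $_.StartName
                Detail  = "StartMode=$($_.StartMode); State=$($_.State)"
            }
        }

    # Scheduled tasks that run as a named user rather than a built-in identity.
    Get-ScheduledTask -CimSession $session |
        Where-Object { $_.Principal.UserId -and $_.Principal.UserId -notmatch $BuiltIn } |
        ForEach-Object {
            [pscustomobject]@{
                Server  = $server
                Type    = 'ScheduledTask'
                Name    = "$($_.TaskPath)$($_.TaskName)"
                Account = $_.Principal.UserId
                Detail  = "LogonType=$($_.Principal.LogonType)"
            }
        }

    Remove-CimSession -CimSession $session
}

# One row per dependency, grouped by account, so each password change has a checklist.
$inventory | Sort-Object Account, Server, Type | Export-Csv -Path $OutFile -NoTypeInformation
$inventory | Group-Object Account | Select-Object Name, Count
```

This covers only services and scheduled tasks; credentials stored inside application configuration, such as the legacy applications mentioned in the reply, are not found by it.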


