So we have deployed the Managed Service Accounts, and now we want a password policy set on them.. usually the service accounts have a different password policy set, so most of you will probably use PSO’s (Password Setting Object). In my demo I’ve set a new policy stating that the max age of a password is only 10 minutes ( msDS-MaximumPasswordAge: 0:00:10:00). I’ve set the PSO’s msDS-PSOAppliesTo attribute to be the Active Directory Group “Service Accounts” so that all managed service accounts that are member of this group MUST change their password every 10 minutes. For the sanity check, I’ve also created a simple useraccount and added that to the group also. Now we only needed to wait 10 minutes.. When logging in as the user onto the SQL box, I indeed got the message that I needed to change my password. My demo users’ pwdLastSet attribute indeed jumped from : 2/4/2009 4:58:20 PM W. Europe Standard Time; to pwdLastSet: 2/4/2009 5:28:05 PM W. Europe Standard Time;
Password policies can help administrators secure their environment, letting users change their passwords on regular basis makes it harder for hackers to get in to a system by guessing a password. There is one group of accounts though that usually do not have the password policy applied to.. they almost never change their password and when they do.. it is a load of work for the admin, there is service downtime involved.. and after the password has been changed.. it will be not be changed for a long time.. Yes, I’m talking about Service Account.. the accounts administrators usually apply the “Password Never Expires” option to. These accounts usually have more rights to systems, perhaps even local Administrator access to machines (like SQL or mail) or even worse (Don’t tell me you have these in place) Domain Admin rights. Changing passwords for these accounts is crucial to the security of your environment. To make life easier Windows 2008 R2 introduces the Managed Service Accounts, with these, you can easily change the password of an account, and the client computers where these service accounts are operational will change the password in the service configuration.