Educause Security Discussion mailing list archives

Re: Active Directory Password Policy for functional accounts?


From: "Fowler, Stephen" <steve.fowler () OREGONSTATE EDU>
Date: Sat, 8 Dec 2012 00:37:37 +0000

If you're looking for an application, rather than scripting something, I've found that the ADInfo tool from 
(http://www.cjwdev.co.uk/) allows me to run a report that not only contains the last logon, but also whether "User 
cannot change password" is set, the last bad password date, the parent container/OU path, and much more.  The free 
version has lots of canned queries, but the for-fee version will allow you to do customized reports.

They also have a free application, ADTidy, that just searches on last logon attribute.

If you're running Windows 2008 R2 you may also want to look into Managed Service Accounts.  They are a special type of 
domain account in Windows Server 2008 R2 that can be used to run Windows services, but unlike normal domain accounts 
you don't have to keep changing the password to keep things secure - Active Directory will take care of managing the 
password for you and communicating this with the computer that is using the Managed Service Account (you don't even 
have to restart the services for the password change to take effect).  The reason I mention it is that CJWDev has a free 
GUI tool that helps create, install and uninstall MSAs so you don't have to use PowerShell.

Steve Fowler
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Monday, December 03, 2012 7:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Active Directory Password Policy for functional accounts?

You can use the LastLogon attribute for the housecleaning aspect and disable accounts that haven't logged in for X days.

Brad Judy
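The housekeeping approach Brad describes, as an added example (not code from any poster in this thread): a PowerShell script using the ActiveDirectory module that reports enabled accounts with "password never expires" set whose newest logon is older than a threshold, and optionally disables them. The OU path and the 180-day threshold are assumptions for illustration. One caveat the script handles: the LastLogon attribute is stored per domain controller and never replicated, so it is read from every DC and the newest value is kept, with the replicated (but up to 14 days stale) lastLogonTimestamp as a fallback.

```powershell
# Added example, not from the list thread. Requires the ActiveDirectory module (RSAT)
# and rights to read and disable the accounts in $SearchBase.
param(
    [int]$StaleDays = 180,
    # Assumed placeholder OU; replace with the container that holds your functional accounts
    [string]$SearchBase = 'OU=Functional Accounts,DC=example,DC=edu',
    [switch]$Disable
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$StaleDays)

# LastLogon is exact but per-DC and not replicated; lastLogonTimestamp is replicated
# but may lag by up to 14 days. Query every DC and keep the newest LastLogon.
$dcs = (Get-ADDomainController -Filter *).HostName

# Only enabled accounts that already have "password never expires" (PNE) set
$accounts = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -SearchBase $SearchBase -Properties lastLogonTimestamp, whenCreated

$report = foreach ($acct in $accounts) {
    $newest = 0
    foreach ($dc in $dcs) {
        # -Server reads the un-replicated LastLogon value held by that particular DC
        $ll = (Get-ADUser -Identity $acct.DistinguishedName -Server $dc -Properties LastLogon).LastLogon
        if ($ll -gt $newest) { $newest = $ll }
    }
    # Fall back to the replicated attribute if no DC has a LastLogon value
    if ($newest -eq 0 -and $acct.lastLogonTimestamp) { $newest = $acct.lastLogonTimestamp }

    # FILETIME 0 means "never logged on"; use whenCreated so brand-new accounts are not flagged
    $last = if ($newest -gt 0) { [DateTime]::FromFileTime($newest) } else { $acct.whenCreated }

    [pscustomobject]@{
        SamAccountName = $acct.SamAccountName
        LastLogon      = $last
        DaysIdle       = [int]((Get-Date) - $last).TotalDays
        Stale          = $last -lt $cutoff
        ParentOU       = ($acct.DistinguishedName -split ',', 2)[1]
    }
}

$report | Sort-Object DaysIdle -Descending | Format-Table -AutoSize

if ($Disable) {
    foreach ($r in ($report | Where-Object Stale)) {
        # Disable rather than delete: disabling is reversible if a service owner turns up later
        Disable-ADAccount -Identity $r.SamAccountName -Confirm:$false
        Set-ADUser -Identity $r.SamAccountName `
            -Description "Disabled $(Get-Date -Format yyyy-MM-dd): no logon in $StaleDays days"
    }
}
```

Run it without -Disable first and review the report; a service account that authenticates only through a scheduled task or a cached Kerberos ticket can show an old LastLogon even though the service still runs, so confirm with the account owner before disabling. The Description stamp leaves an audit trail of why and when the account was disabled.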

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rick 
Baker
Sent: Monday, December 03, 2012 6:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Active Directory Password Policy for functional accounts?

We are wondering what other higher education institutions are doing with their functional accounts in Active Directory. 
The functional accounts are for service purposes; we implemented a 180-day password policy, but services could break 
after the password expires - some are asking to enable "password never expires" (PNE) on these accounts.

The other question is, if we enable PNE on accounts, how do you keep track of which accounts are in use or not for 
"housekeeping" to keep our Active Directory clean?

Rick
