I'm facing a challenge with our service accounts since they're currently all set to "password never expires." We know this is a security risk, but turning that option off immediately forces a password change, which could break our services. What I'd like to find is a way to eliminate the 'password never expires' setting while still having a longer password lifetime (like 1365 days) than standard user accounts. We've looked into Windows LAPS, but it's mainly for local admin accounts and doesn't help with domain-based service accounts. I'd love to hear your strategies for managing this issue and how you've handled the transition without disrupting services!
6 Answers
Consider implementing a fine-tuned password policy! It allows you to set different policies for service accounts compared to regular users.
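Added example (not part of the original answer): a Fine-Grained Password Policy (FGPP) that gives service accounts a longer maximum password age than the default domain policy, applied to a group, followed by the transition step the question worries about. Clearing "password never expires" does not touch pwdLastSet, so a password older than the new MaxPasswordAge would expire the moment the flag is cleared; the script therefore clears the flag only where the current password is still inside the window and reports the rest for a coordinated rotation. The group name, policy name and 365-day value are assumptions.

```powershell
# Added example, not from the original thread. Group, policy name and 365 days are assumptions.
Import-Module ActiveDirectory

$PolicyName = 'SvcAccounts-PSO'   # assumed PSO name
$GroupName  = 'SvcAccounts'       # assumed global security group that holds the service accounts
$MaxAgeDays = 365                 # assumed; longer than the default domain policy

# 1. Create the PSO and bind it to the group. When several PSOs apply to a user, the
#    one with the lowest Precedence wins, so pick a value below any existing PSOs.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 25 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 0
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
}

# 2. For each member, confirm the PSO is really the resultant policy, then clear the
#    flag only if the existing password is younger than the new maximum age.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires

foreach ($u in $members) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    if (-not $pso -or $pso.Name -ne $PolicyName) {
        Write-Warning "$($u.SamAccountName): resultant policy is not $PolicyName (got '$($pso.Name)'); skipping"
        continue
    }
    if (-not $u.PasswordNeverExpires) { continue }

    # PasswordLastSet is $null when pwdLastSet is 0 (never set / must change at next logon)
    $ageDays = if ($u.PasswordLastSet) { ((Get-Date) - $u.PasswordLastSet).Days } else { [int]::MaxValue }
    $maxDays = $pso.MaxPasswordAge.Days

    if ($ageDays -lt $maxDays) {
        Set-ADUser -Identity $u -PasswordNeverExpires $false
        '{0}: flag cleared, password age {1}d, expires in {2}d' -f $u.SamAccountName, $ageDays, ($maxDays - $ageDays)
    } else {
        Write-Warning "$($u.SamAccountName): password is $ageDays days old (>= $maxDays); rotate it with the service owner first, then clear the flag"
    }
}
```

Run the first half, let the PSO replicate, then run the second half during a change window; an account that lands in the warning branch needs its password changed on both the AD object and whatever consumes it (service, scheduled task, app pool) before the flag comes off, which is exactly the coordination the question is trying to avoid for everything else.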
Have you looked into delegated Managed Service Accounts (dMSA)? Windows Server 2025 introduced them, and they could help in migrating old service accounts while providing password rotation capabilities. Just be aware of any security vulnerabilities they might have!
Group Managed Service Accounts (gMSA) might be just what you need! They automate password management and let Active Directory handle credential rotation for you. Check out Microsoft's overview on gMSA for more details!
gMSA works seamlessly with various services, scheduled tasks, and IIS app pools. They're such a game changer!
You can also look into managed service accounts (MSA or gMSA) that automatically handle password rotations. This could simplify your life significantly!
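Added example covering the gMSA suggestions in the three answers above (this is illustrative code, not from the original posts or from Microsoft's documentation): create the KDS root key if the forest has none, define a host group that is allowed to retrieve the managed password, create the gMSA with a rotation interval, install and verify it on a member server, and bind a Windows service and a scheduled task to it. Account, group, host and service names are assumptions.

```powershell
# Added example, not from the original thread. All names below are assumptions.
Import-Module ActiveDirectory

# 0. Once per forest: the KDS root key from which gMSA passwords are derived.
#    Even with -EffectiveImmediately, DCs will not use the key until it has
#    replicated (roughly 10 hours), so create it well before the gMSA.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 1. Hosts allowed to retrieve the password, grouped so that adding or retiring a server
#    is a group-membership change rather than an edit of the account itself.
$HostGroup = 'gMSA-AppHosts'                       # assumed group
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $HostGroup -Members 'APP01$', 'APP02$'   # assumed computer accounts

# 2. The gMSA. AD rotates the password on the interval; no human ever sees it.
New-ADServiceAccount -Name 'svc-app' -DNSHostName 'svc-app.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# 3. On each host, after a reboot (or klist purge) so the new group membership is in
#    the computer's Kerberos ticket. Test-ADServiceAccount returns $true when the host
#    can actually retrieve the password; a $false here means step 1 has not taken effect yet.
Install-ADServiceAccount -Identity 'svc-app'
Test-ADServiceAccount -Identity 'svc-app'

# 4a. Bind a Windows service to it. The trailing $ is required and the password is left empty;
#     the service control manager fetches the current password itself.
sc.exe config 'MyAppService' obj= 'CORP\svc-app$' password= ''

# 4b. A scheduled task running as the gMSA (schtasks cannot do this interactively; use the module).
$action    = New-ScheduledTaskAction -Execute 'C:\jobs\nightly.cmd'          # assumed job
$trigger   = New-ScheduledTaskTrigger -Daily -At 2am
$principal = New-ScheduledTaskPrincipal -UserId 'CORP\svc-app$' -LogonType Password
Register-ScheduledTask -TaskName 'NightlyJob' -Action $action -Trigger $trigger -Principal $principal
```

Note that nothing in this flow gives the gMSA a password you could put in a config file: an application that needs a literal password (some third-party products, most things that are not a Windows service, task, or IIS app pool) cannot use a gMSA and stays in the FGPP or manual-rotation bucket.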
Honestly, we don't rotate our passwords. We've got service accounts that are over 15 years old, secure, and use complex, long passwords. It's worked fine for us so far.
But how do you define 'long'? I mean, length alone doesn't guarantee security.
Rotation helps guard against risks like old employee accounts and password breaches. I've seen plain-text passwords in unexpectedly vulnerable spots too. Just relying on complexity isn't enough.
That might work until your cybersecurity team brings it up as an issue. My scanner flags those as insecure.
If you're not keen on changing your existing setup, keep them on 'password never expires' but use some monitoring tools to regularly update and manage the passwords. I've set up scripts to alert us to upcoming changes, and we escalate any issues if a password isn't updated in time.
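Added example illustrating the monitoring approach described in the answer above (the script is constructed for this page, not the answerer's own): an audit that can run as a scheduled task, finds enabled accounts in a service-account OU that still have "password never expires", and reports how many days each has left before the rotation interval your process enforces by hand. The OU, the 365-day interval and the 30-day warning window are assumptions.

```powershell
# Added example, not from the original thread. OU, interval and warning window are assumptions.
Import-Module ActiveDirectory

$SearchBase = 'OU=ServiceAccounts,DC=corp,DC=example'   # assumed OU
$RotateDays = 365                                       # assumed interval enforced manually
$WarnDays   = 30                                        # assumed: alert this many days before it is due
$Now        = Get-Date

$report = Get-ADUser -SearchBase $SearchBase `
        -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
        -Properties PasswordLastSet, LastLogonDate |
    ForEach-Object {
        # PasswordLastSet is $null when pwdLastSet is 0; treat that as unknown rather than fresh
        $age  = if ($_.PasswordLastSet) { ($Now - $_.PasswordLastSet).Days } else { $null }
        $left = if ($null -ne $age) { $RotateDays - $age } else { $null }

        $status = if ($null -eq $age)      { 'Unknown' }
                  elseif ($left -lt 0)     { 'Overdue' }
                  elseif ($left -le $WarnDays) { 'DueSoon' }
                  else                     { 'OK' }

        [pscustomobject]@{
            Account     = $_.SamAccountName
            PasswordAge = $age
            DaysLeft    = $left
            LastLogon   = $_.LastLogonDate   # stale accounts are their own finding
            Status      = $status
        }
    }

# 'DueSoon' is the heads-up to schedule the change with the service owner;
# 'Overdue' and 'Unknown' are what gets escalated.
$report | Where-Object { $_.Status -ne 'OK' } | Sort-Object DaysLeft | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\svc-pw-audit.csv" -NoTypeInformation
```

The audit is only as good as the rotation it reminds you about: it does not change anything in AD, and an account that keeps showing up as Overdue is the signal that the service behind it belongs in a gMSA or FGPP instead.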

I’ve heard dMSA has some critical vulnerabilities that could expose your domain. I’d be cautious with that.