August 24, 2007 at 6:40 am
We are implementing a new password policy in our active directory environment using Group Policy. The new password policy is:
- Minimum seven characters.
- Complex: uppercase, lowercase, number, symbol.
- Passwords reset every 120 days.
- Cannot reuse passwords.
- Account lockout after five failed attempts.
The only policy we have an issue with is the reset every 120 days. We only have around 20 SQL servers here, but that means that every 120 days, actually less than that, we have to schedule downtime with each server & change the password on every one of the services that runs under a domain account. Currently all of our SQL services run under the same service account & SQL Agents run under another service account. So when the passwords are forced to change, all servers will go down & need to be reset at the same time.
Our system administrator has said that the group policy includes every account in the domain & we cannot exclude any accounts or groups out of this. I find this hard to believe but maybe it is that way.
So, my question to the masses is how do you all deal with this? Here are the options we have come up with:
1. Go through every 120 days & reset the password on every one of our servers which includes touching SQL Server, sql agent, reporting services, SSIS, SQL Backup agent, etc... Even with only 20 servers, this would take an entire day or weekend.
2. Have every SQL service run under a different account so it will be easier to schedule downtime one system at a time, although we will still need to touch each & every system.
3. Somehow automate this manual process with a script so we can run it & it changes all the services on all the servers for us. I don't know if this is even possible or not.
4. Figure out how to exclude these service accounts out of the group policy.
My final question is how do people deal with this on servers that are supposed to be up 24/7? Do you just schedule downtime every 120 days?
I would appreciate any & all input you have to offer.
Thanks,
John
August 24, 2007 at 7:00 am
We have exclusions for our service accounts within group policy. The admin may not know or may just be telling you that because he doesn't want to deal with the hassle. If I recall correctly, the service accounts can be put in their own OU and a different policy can be applied to them.
August 24, 2007 at 7:19 am
The service accounts are already within their own OU. He said group policy would not allow you to exclude any OUs. I think he honestly does not know how to do it. Are there any quick tips you may be able to offer on how to pull it off?
August 24, 2007 at 7:58 am
It's simple:
Go into the information for your service account and flag it as not expiring on the Account tab. You can also set it so the user itself cannot change the password (highly recommended for service accounts IMO).
Individual user account settings override domain and group policies.
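As an added example (not code from the thread), the following PowerShell script audits a service-account OU for the two account-level flags suggested in the post above and, when run with `-SetFlags`, applies them. It assumes the ActiveDirectory module from RSAT is installed, and the OU distinguished name is a placeholder to be replaced.

```powershell
# Added example, not from the thread: audit a service-account OU and optionally set the
# "password never expires" and "user cannot change password" flags on each account.
# Assumptions: ActiveDirectory module (RSAT) available; $SearchBase is a placeholder OU.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $SearchBase = 'OU=Service Accounts,DC=contoso,DC=com',  # placeholder OU
    [switch] $SetFlags                                              # apply the flags, not just report
)

Import-Module ActiveDirectory

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute holding the expiry
# date as a FILETIME; Int64.MaxValue means "no expiry" (flag set or no maximum age).
$accounts = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet,
                'msDS-UserPasswordExpiryTimeComputed'

foreach ($acct in $accounts) {
    $raw = $acct.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($acct.PasswordNeverExpires -or -not $raw -or $raw -eq [Int64]::MaxValue) {
        'never'
    } else {
        [DateTime]::FromFileTime($raw)
    }

    # One report row per account; pipe the script's output to Format-Table or Export-Csv.
    [pscustomobject]@{
        Account              = $acct.SamAccountName
        PasswordLastSet      = $acct.PasswordLastSet
        PasswordExpires      = $expiry
        PasswordNeverExpires = $acct.PasswordNeverExpires
        CannotChangePassword = $acct.CannotChangePassword
    }

    $alreadySet = $acct.PasswordNeverExpires -and $acct.CannotChangePassword
    if ($SetFlags -and -not $alreadySet -and
        $PSCmdlet.ShouldProcess($acct.SamAccountName, 'Set PasswordNeverExpires and CannotChangePassword')) {
        Set-ADUser -Identity $acct -PasswordNeverExpires $true -CannotChangePassword $true
    }
}
```

Run it once without `-SetFlags` to see which accounts would be touched, then with `-SetFlags -WhatIf` before the real run. Note that these flags only stop the password from expiring; they do not exempt the account from the domain's length, complexity or history rules the next time someone sets its password, so the audit report is also a useful record of which accounts have been excluded from rotation and should be reviewed.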
August 24, 2007 at 8:06 am
Anders,
Our sysadmin is saying that the group policy overrides everything including individual flags on accounts. Would you happen to know where I could find documentation to support what you are saying?
I just found documentation that says you can set group policy on an OU basis, but the sysadmin is saying that the password policy is slightly different because it can only be set on the domain level. I haven't found anything yet to discount this.
Thanks,
John
August 24, 2007 at 8:11 am
On this website: http://www.specopssoft.com/products/specopspasswordpolicy/ they state the following:
"A severe disadvantage with the built in password policy is that there can only be one policy per domain affecting all the user accounts." The website is for a 3rd party tool for AD that allows multiple password policies set per OU or whatever AD object you want. So it looks like our sysadmin was correct in his statements.
That said, does anyone have any scripts that allow you to update the account information on a service?
John
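As an added example (not a script from the thread or from any of its posters), the following PowerShell script does the rotation asked about above: for each server in a list it finds every SQL-related service running under one domain account and updates the stored logon password through the SQL Server WMI provider's `SqlService.SetServiceAccount` method. It assumes remote CIM (WinRM) access as an administrator, that the provider namespace `root\Microsoft\SqlServer\ComputerManagement` (the SQL 2005 namespace) exists on each host, and that the server names and account name are placeholders.

```powershell
# Added example, not from the thread: rotate the logon password of all SQL services
# running under one domain account across several servers, with -WhatIf support.
# Assumptions: remote CIM access as an administrator; SQL Server WMI provider present
# (namespace below is the SQL 2005 one); host and account names are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]] $ComputerName   = @('SQLSRV01', 'SQLSRV02'),    # placeholder hosts
    [string]   $ServiceAccount = 'CONTOSO\svc_sqlserver',      # placeholder account
    [string]   $Namespace      = 'root\Microsoft\SqlServer\ComputerManagement'
)

# Prompt once; the new password never appears on the command line or in a transcript.
$secure = Read-Host -Prompt "New password for $ServiceAccount" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$results = foreach ($computer in $ComputerName) {
    try {
        # SqlService lists the engine, Agent, SSIS, Reporting Services, etc. on the host;
        # keep only the instances that log on as the account being rotated.
        $services = Get-CimInstance -ComputerName $computer -Namespace $Namespace `
                        -ClassName SqlService -ErrorAction Stop |
                    Where-Object { $_.StartName -eq $ServiceAccount }
    } catch {
        [pscustomobject]@{ Computer = $computer; Service = '-'; Result = "query failed: $_" }
        continue
    }

    foreach ($svc in $services) {
        if ($PSCmdlet.ShouldProcess("$computer\$($svc.ServiceName)", 'SetServiceAccount')) {
            # SetServiceAccount updates the credential stored for the service (and the
            # SQL-specific ACLs the provider manages). A running service keeps its existing
            # logon token, so the new password is simply used at the next start.
            $r = Invoke-CimMethod -InputObject $svc -MethodName SetServiceAccount -Arguments @{
                ServiceStartName     = $ServiceAccount
                ServiceStartPassword = $plain
            }
            [pscustomobject]@{
                Computer = $computer
                Service  = $svc.ServiceName
                Result   = if ($r.ReturnValue -eq 0) { 'ok' } else { "error $($r.ReturnValue)" }
            }
        }
    }
}

$plain = $null   # drop the plaintext as soon as the calls are done
$results | Format-Table -AutoSize
```

Change the account's password in Active Directory first, then run this script with `-WhatIf` to confirm the service list, and then for real; any server reporting `query failed` or a non-zero return value still has the old credential stored and needs attention before its next restart. The provider method is used rather than the generic `Win32_Service.Change` because it also maintains the file and registry permissions SQL Server grants its service account.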
August 24, 2007 at 8:23 am
The suggestion above to set the expiration at the account level in AD will suffice.
Although.. According to MS, SQL 2005 does not need to be restarted to change the service account PW. So you got that going for you.
August 24, 2007 at 10:36 am
This doesn't seem to be true when dealing with the default domain policy. I tried disabling it on the OU but it still prompted me for the complexity policy when I tried setting a password to "s". I will post this AD question on a MS forum.
Most of our servers are SQL 2005 so we do have that going for us. I think we only have 2 or 3 SQL 2000 boxes left.
I would still like to hear how other companies handle SQL service accounts. Do you change them every 120 days or a certain time period? If so, is this an automated process or manual?
Thanks,
John