Our domain has been promoted from NT4 to 2003, 2008 R2 and 2012R2, and we
now have a DC at 2016.

Someone, before I got here, disabled the Administrator account and renamed
it, which is kind of silly, but I've never felt the need to rename it back
to Administrator.

There are 4 DA accounts, one for each member of my team; they are separate
from our non-privileged user, workstation administration and our server
administrator accounts.

Our DA passwords are covered by the same FGPP as our user accounts,
requiring complexity, 16+ characters, change every 365 days. I'd like to
set the elevated privilege account password expirations shorter, but I'd
get a lot of pushback from the team, so I can't get away with it.

I agree with MBS that if the Administrator account hasn't been disabled it
should have a max length password that is kept securely.

Service accounts are not DAs - they get whatever privileges are necessary,
and only that.

We use a product from Thycotic which, in an edition that's more
featureful/expensive than what we have, can manage service accounts and
change the passwords for you. There are similar offerings from other
companies.

Also, Active Directory has MSAs (Managed Service Accounts) and GMSAs
(Group Managed Service Accounts) which you should investigate - but I
haven't had a chance to implement them, so can't comment much further.

Kurt

On Wed, Jan 17, 2018 at 9:00 AM, David McSpadden <dav...@imcu.com> wrote:

> I know we have LAPS for local admins.
>
> What is everyone doing for domain admin account passwords management and
> compliance?
>
> We are being asked to change passwords every 90 days and most of the
> domain admins are service accounts?
>
> So…what does everyone else do to automate/manage this?
>
> *David McSpadden*
>
> Systems Administrator
>
> Indiana Members Credit Union
>
> P: 317.554.8190 | F: 317.554.8106

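An added example, not part of the original thread: one way to audit Domain Admins members against the 90-day requirement raised in the question and to spot service accounts holding DA, the two issues discussed above. The function name Test-DAPasswordCompliance, the sample accounts and the "has an SPN, so it runs a service" heuristic are assumptions made for illustration.

```powershell
# Added example: flag Domain Admins members by password age and service use.
# Input objects carry the properties returned by
# Get-ADUser -Properties PasswordLastSet,PasswordNeverExpires,ServicePrincipalName.
function Test-DAPasswordCompliance {   # hypothetical name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Account,
        [int] $MaxAgeDays = 90,                 # requirement quoted in the thread
        [datetime] $AsOf = (Get-Date)
    )
    process {
        $findings = @()
        $age = $null
        if ($null -eq $Account.PasswordLastSet) {
            $findings += 'password never set'
        } else {
            $age = [int][math]::Floor(($AsOf - $Account.PasswordLastSet).TotalDays)
            if ($age -gt $MaxAgeDays) { $findings += "password older than $MaxAgeDays days" }
        }
        if ($Account.PasswordNeverExpires) { $findings += 'PasswordNeverExpires set' }
        # Assumption: an SPN on a user object means it runs a service. Such
        # accounts are candidates for privilege reduction or a gMSA.
        $isService = @($Account.ServicePrincipalName).Where({ $_ }).Count -gt 0
        if ($isService) { $findings += 'service account in Domain Admins' }
        [pscustomobject]@{
            SamAccountName   = $Account.SamAccountName
            PasswordAgeDays  = $age
            IsServiceAccount = $isService
            Compliant        = ($findings.Count -eq 0)
            Findings         = ($findings -join '; ')
        }
    }
}

# Constructed sample records (not real accounts), evaluated as of 2018-01-17.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'da-alice'; PasswordLastSet = [datetime]'2017-12-01'
                       PasswordNeverExpires = $false; ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'da-bob'; PasswordLastSet = [datetime]'2017-03-10'
                       PasswordNeverExpires = $false; ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; PasswordLastSet = [datetime]'2015-06-02'
                       PasswordNeverExpires = $true; ServicePrincipalName = @('BackupSvc/host01.example.test') }
)
$sample | Test-DAPasswordCompliance -AsOf ([datetime]'2018-01-17') | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user' |
#   Get-ADUser -Properties PasswordLastSet,PasswordNeverExpires,ServicePrincipalName |
#   Test-DAPasswordCompliance
```

Get-ADUserResultantPasswordPolicy shows which FGPP actually applies to a given account, which is the setting to check before tightening expiry for the DA accounts only.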