svariell Posted July 19, 2016 Report post Posted July 19, 2016 I have a quick question, from an auditing standpoint on the creation of the following accounts that we create for SCCM. Network access account Client install account Domain join account SQL service account for SQL Server & SQL Server Agent services SQL reporting user for SQL Server Reporting Service SCCM admin account I know that the first 5 are to be non-interactive, but my question lies is there documentation out there that states whether the first 5 accounts above that the password is to be set to never change or should it be changed on a 30, 60, or 90 day basis? Also, what about the SCCM admin account, should that password be changed every 30, 60, or 90 days? Thanks in advance for the response. Quote Share this post Link to post Share on other sites More sharing options...
Apexes Posted July 19, 2016 Report post Posted July 19, 2016 It's down to your security team's guidelines i guess. I use service accounts that don't expire passwords on any. The only ones that change are user accounts used to access servers/console. Quote Share this post Link to post Share on other sites More sharing options...
tregelen Posted July 20, 2016 Report post Posted July 20, 2016 I have them never changing the password if they are service accounts otherwise you run the risk of forgetting to change the password in your console and having your deployments break. I keep track of them in KeePass and have that create a random password. Quote Share this post Link to post Share on other sites More sharing options...
GarthMJ Posted July 20, 2016 Report post Posted July 20, 2016 I have a quick question, from an auditing standpoint on the creation of the following accounts that we create for SCCM. Network access account Client install account Domain join account SQL service account for SQL Server & SQL Server Agent services SQL reporting user for SQL Server Reporting Service SCCM admin account I know that the first 5 are to be non-interactive, but my question lies is there documentation out there that states whether the first 5 accounts above that the password is to be set to never change or should it be changed on a 30, 60, or 90 day basis? Also, what about the SCCM admin account, should that password be changed every 30, 60, or 90 days? Thanks in advance for the response. There is not such docs as to when or how often you should or should not change the PW. HOWEVER if you change the NAA account your will likely lock it out for several hours or days. As such you should create two NAA accounts and change the PWs at different intervals. Also don't forget that if you change any of the SQL account that your MUST create the SPN record too. What do you mean by the CM Admin account? Exactly which account are you talking about? Quote Share this post Link to post Share on other sites More sharing options...
