Quick thought on “Password Never Expires”
Last week my colleague asked me if there was any official documentation or reference from Microsoft recommending setting “Password Never Expires” for SharePoint farm account. No Microsoft never provided such a recommendation. I then immediately responded to him as to why we needed that policy. Should we set Password Never Expires policy for SharePoint farm account or critical service account?
There are a couple of reasons why people tendentiously do that:
- If the farm account gets expired, SharePoint timer service is stopped. All SharePoint Timer Job can’t function that make your SharePoint become broken. Central Administration web application isn’t accessible.
- If the account that runs the web application pool of the corporate web application (e.g. intranet portal) gets expired, your end-user can’t access to the intranet portal.
To mitigate that failure, Password Never Expires policy is often set.
However, if your company has password management policy, Password Never Expires is forbidden. If this policy is required, you would probably have to deal with SharePoint failure. Here are a few solutions if Password Never Expires policy doesn’t exist in your SharePoint environment:
- Configure friendly error message on IIS (HTTP error)
- Establish Incident Management procedure
- Register all Password Never Policy enabled accounts in the Managed Account list and use Automatic Password Change.