Don’t look now, but your inquisitive security auditor is back. They are satisfied with your answer to XenDesktop Service Privileges, but they want to know more about the initial password for that Citrix-specific local account. Exactly what do we mean by “a strong password, compatible with all Group Policy settings for password policy”?

The initial password is generated as follows:

  • The password is 14 characters long. That satisfies the Group Policy setting Minimum password length whatever value it is set to, because the maximum possible value of that setting is 14.
  • The password is generated to match the Group Policy criteria for Password must meet complexity requirements.
  • The password is random.

This applies to all the service accounts created during XenDesktop installation.
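
The three properties above can be expressed as a generator plus a policy check. This is an added example, not Citrix's installer code: the rejection-sampling approach, the function names and the sample account name are assumptions, and the check covers only the four ASCII character classes of the Windows complexity rule.

```python
import secrets
import string

LENGTH = 14  # length stated on the page
# The four ASCII classes counted by "Password must meet complexity
# requirements" (the rule's fifth class, other Unicode letters, is not used).
CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(CLASSES)


def meets_complexity(password, account_name="", display_name=""):
    """Return True if the password passes the complexity rule."""
    # Rule 1: characters from at least three of the classes.
    used = sum(any(ch in cls for ch in password) for cls in CLASSES)
    if used < 3:
        return False
    lowered = password.lower()
    # Rule 2: the whole account name must not appear (skipped if < 3 chars).
    if len(account_name) >= 3 and account_name.lower() in lowered:
        return False
    # Rule 3: no display-name token of 3 or more characters may appear.
    for sep in ",.-_#\t":
        display_name = display_name.replace(sep, " ")
    tokens = [t.lower() for t in display_name.split() if len(t) >= 3]
    return not any(t in lowered for t in tokens)


def generate_password(account_name="", display_name=""):
    """Draw uniformly random candidates until one passes the policy check."""
    # Rejecting whole candidates keeps every valid password equally likely;
    # patching a failed candidate in place would bias the result.
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        if meets_complexity(candidate, account_name, display_name):
            return candidate


if __name__ == "__main__":
    # Constructed account and display names, for illustration only.
    pw = generate_password("svc_example", "Example Service")
    print(len(pw), meets_complexity(pw, "svc_example", "Example Service"))
```
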

The security auditor tries again.  What about the other Group Policy settings for Password Policy: Enforce password history, Maximum password age, and Minimum password age?  The answer is that XenDesktop doesn’t change the password for service accounts.  It would be difficult to automate this password change and make it entirely robust (there’s nowhere to store the previous password).  So there are two solutions:

  • Set Password never expires for this account.
  • Use a third-party security product designed to automate password change for administrative accounts.