This is the clarification request I received from our dear friend
Mr. Moustafa Arafa.
Dear Ali

Regarding your article "Typical deployment scenario", you have
mentioned that we will create a domain account to be used by the application
pool for our web application, but the question here is: most companies
have policies to renew the password for all AD accounts, maybe within 2 months
max..... Should I have to go to IIS again and re-type the new password after every
renewal process from AD?
Dear Moustafa

The answer is NO. When you create a domain account, or even a Windows
account, there is a checkbox, Password never expires, which once checked
overrides the group policy for password change. So, regardless of the
group security policy settings, a typical account assigned to an application
pool or even a service account MUST be
configured as follows:

- Make sure you put a Description that tells the network administrators
that this is a service account or an application pool account, so they do not
delete it by mistake.
- User must change password at next logon MUST be
unchecked, simply because an application pool cannot reset its own
password. I mention it because it is the default network administrator's
mentality that a user must reset his/her password at first login, and usually,
as a developer, you do not create users. If this is not done, your web
application stops working when the password expires, and when you then reset the
password you also have to re-enter it for the application pool.
- Password never expires should be checked to override the group policy
for changing the password after a certain duration.
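The checklist above, applied and then verified with PowerShell, as an added example that is not part of the original post. It uses the ActiveDirectory and WebAdministration modules; the account name `svc-webapp`, the domain `CORP`, the description text and the application pool name `WebAppPool` are assumed placeholders, not values from the post.

```powershell
# Added example (not from the original post): apply the three checklist items
# to a domain account, verify them, and then assign the account to an IIS
# application pool. Account name, domain and pool name are placeholders.
Import-Module ActiveDirectory
Import-Module WebAdministration

$accountName = 'svc-webapp'   # assumed sAMAccountName of the application pool account
$domain      = 'CORP'         # assumed NetBIOS domain name
$appPoolName = 'WebAppPool'   # assumed IIS application pool name

# Prompt for the account's password once; do not hard-code it in the script.
$cred = Get-Credential -UserName "$domain\$accountName" -Message 'Application pool account password'

# 1. Description: tells network administrators what the account is for.
# 2. "User must change password at next logon" unchecked: an application pool
#    cannot reset its own password.
# 3. "Password never expires" checked: overrides the domain password-age policy
#    for this account only.
Set-ADUser -Identity $accountName `
    -Description 'SERVICE ACCOUNT - IIS application pool identity for the web application. Do not delete.' `
    -ChangePasswordAtLogon $false `
    -PasswordNeverExpires $true

# Verify the settings before touching IIS. AD stores "must change password at
# next logon" as pwdLastSet = 0, so that attribute must be non-zero here.
function Test-AppPoolAccount {
    param([string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties Description, PasswordNeverExpires, pwdLastSet
    [pscustomobject]@{
        HasDescription       = -not [string]::IsNullOrWhiteSpace($u.Description)
        PasswordNeverExpires = [bool]$u.PasswordNeverExpires
        NoChangeAtNextLogon  = ($u.pwdLastSet -ne 0)
    }
}

$check = Test-AppPoolAccount -Identity $accountName
if (-not ($check.HasDescription -and $check.PasswordNeverExpires -and $check.NoChangeAtNextLogon)) {
    throw "Account $accountName is not configured as an application pool account:`n$($check | Out-String)"
}

# Point the application pool at the domain account (identityType 3 = SpecificUser)
# and recycle it so the new identity takes effect.
Set-ItemProperty -Path "IIS:\AppPools\$appPoolName" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}
Restart-WebAppPool -Name $appPoolName
```

The `Set-ADUser` part needs the RSAT ActiveDirectory module and an account allowed to modify the user; the `IIS:\` part runs in an elevated session on the web server itself. Running `Test-AppPoolAccount` on its own is a quick way to confirm that nobody has since re-enabled password expiry on the account.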
These settings are good enough for an application pool account, but if you want to
use an Active Directory account for a service you still need some more settings,
which I will cover in my next post.
Cheers
Alireza