No announcement yet.

Thoughts on resetting Domain Admin password

  • Filter
  • Time
  • Show
Clear All
new posts

  • Thoughts on resetting Domain Admin password

    I am looking to reset the domain admin password in a new environment and looking from some help/ideas on what everyone thinks is the best way to go.

    So far I am thinking of doing

    1. Find all services, scheduled tasks, applications that use domain admin
    2. Create new service accounts for them and assign them accordingly
    3. Verify the new account work correctly
    4. Monitor event logs for logon failures for anything that was missed
    5. Reset Domain Admin password

    This is obviously just a quick overview but has anyone got any thoughts on it ?

  • #2
    Re: Thoughts on resetting Domain Admin password

    Sounds good to me
    Main issue is finding all the accounts!
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Thoughts on resetting Domain Admin password

      Thanks for the quick reply Ossian

      Just need to find a decent script now for the donkey work!


      • #4
        Re: Thoughts on resetting Domain Admin password

        Originally posted by brian873 View Post
        I am looking to reset the domain admin password in a new environment and looking from some help/ideas on what everyone thinks is the best way to go.
        Step #2. should be: Give a sharp kick to whoever a moron used a domain admin account for running services. After that, check that there are no scheduled jobs that are set to be run with the same user account. If you find some, hand out liberal ass-kicking again. Then change the job accounts too.

        There might be persistent share mappings, maybe even
        net use z: \\some\share$ /u:domainUser password
        in scripts.

        While you are changing the password, consider changing the account for a task sceduling accounts that have just enough permissions to whatever the job is doing. Avoid all-purpose accounts like "backupjob", as those are eventually used in all kind of hack jobs - which makes password reset a pain.

        Oh, and make sure you know the old password and have another a domain admin account. In case the account-to-reset is locked out by some service or job, you can still log on to the domain and fix things.

        Last edited by vonPryz; 10th January 2011, 17:20.


        • #5
          Re: Thoughts on resetting Domain Admin password

          Thanks vonPryz...

          Unfortunately the person is away so no ass kicking to hand out!

          good point about the backup admin accounts....I think there is one there in my case. And I will check the shares but I think they are ok too


          • #6
            Re: Thoughts on resetting Domain Admin password

            We'll be doing this very soon.

            I've got a script that searches all servers in a txt file for all services and outputs the relevant user account it runs under.

            Option Explicit
            'Declare the required variables
            Dim objWMIService, objFSO, objFile, objShell, objItem, colItems
            Dim arrData, strDataIn, iCounter
            'Read file into a variable
            strDataIn = fsoOpen(".\serverlist.txt")
            'Split into an Array
            arrData = Split(strDataIn,vbCrLf)
            For iCounter = 0 To Ubound(arrData)
            	arrData(iCounter) = Trim(arrData(iCounter)) ' clean "white space"
            	'Ping the server required. If not online then write offline in file.
            	'If the server is online run through the services and list them.
            	if Ping(arrData(iCounter)) = True Then
            		'Loop through the services and collect the Service Name and the Start Name
            		Set objWMIService = GetObject("winmgmts:\\" & arrData(iCounter) & "\root\CIMV2") 
            		Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_Service",,48)
            		'Create the text file that will hold the service information required
            		Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
            		Set objFile = objFSO.CreateTextFile(".\Results\" & UCase(arrData(iCounter)) & ".txt", True)
            		'Get the services from the specified machine in arrData(iCounter) 
            		For Each objItem in colItems
            			objFile.WriteLine objItem.DisplayName & "|" & objItem.Name & "|" & objItem.StartName
                	'Write a title
            		objFile.WriteLine "---------------------------------------------------------"
            		objFile.WriteLine UCase(arrData(iCounter)) & " Running Services and logon accounts"
            		objFile.WriteLine "---------------------------------------------------------" 
            		objFile.WriteLine "Server is currently offline"
            	end If
            Set objWMIService = Nothing
            Set colItems = Nothing
            Set objFSO = Nothing
            Set objShell = Nothing
            MsgBox "The script has finished running. Please check the txt files that have been created."
            '* Function fsoOpen(FilePath)
            Function fsoOpen(FilePath)
             Dim FSO
             Set FSO = CreateObject("Scripting.FileSystemObject")
              fsoOpen = FSO.OpenTextFile(FilePath,1).ReadAll
            End Function
            '* Function Ping(StrComp)
            Function Ping(StrComp)
                Dim objPing, objRetStatus
                Set objPing = GetObject("winmgmts:{impersonationLevel=impersonate}").ExecQuery("select * from Win32_PingStatus where address = '" & StrComp	& "'")
                For each objRetStatus in objPing
                    If IsNull(objRetStatus.StatusCode) or objRetStatus.StatusCode<>0 then
                		Ping = False
                        Ping = True
                    End If
            End Function
            You will need a file called serverlist.txt and a folder called results.

            I'd love to credit where i got all the bits and pieces from but i can't remember it was that long ago and i used a book as well.

            Hope it helps


            • #7
              Re: Thoughts on resetting Domain Admin password

              Thanks wullieb1 looks good

              I found this script that looks up scheduled tasks as well, which may be helpful...I've not tested it yet though...