Announcement

Collapse
No announcement yet.

changing domain administrator paswword

Collapse
This topic is closed.
X
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • changing domain administrator paswword

    hello,

    I wanted to know which considerations i have to take in order to change administrator password.
    I'm asking because i know some services can depend on the administrator user.

    for example . the restore option in exchange. msql, maybe 3rd party softwares.
    and other software which depend on it , and which i used the account during their installation.

    thanks

  • #2
    Re: changing domain administrator paswword

    1. Ensure no services are using the administrator account. If there are any using this account then you should set-up a dedicated service account just for that application.

    2. Alot of people actually rename the administrator account to something different and then create a disabled administrator account to monitor for hacking attempts.

    You should be able to change the password after that.

    Anything I missed??

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

    Comment


    • #3
      Re: changing domain administrator paswword

      I just want to change the password beacuse my boss just fired one of the employees.

      I don't know how to ensure if some of the platforms such as exch and oracle , ets
      and other programs and maybe some equpments such as routers, switches, vpn hardware.
      use this user because i didn't install them.
      but this default user is the only admin user so i guess most of the programs use it.


      i don't want to fix up another user but just to change its password

      now what effect does it has on programs that relay on it.
      can they stop working. or is it only necessery to remember the password change
      in situation like restoring exchange.

      Comment


      • #4
        Re: changing domain administrator paswword

        I agree with Michael, all services should use their OWN account to run. The Administrator account should only be used for testing of services and administrator logins.

        Saves headaches later when you need to change the Administrator password and all of a sudden all your apps die.
        |
        +-- JDMils
        |
        +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
        |

        Comment


        • #5
          Re: changing domain administrator paswword

          Originally posted by kopal
          I just want to change the password beacuse my boss just fired one of the employees.

          I don't know how to ensure if some of the platforms such as exch and oracle , ets
          and other programs and maybe some equpments such as routers, switches, vpn hardware.
          use this user because i didn't install them.
          but this default user is the only admin user so i guess most of the programs use it.


          i don't want to fix up another user but just to change its password

          now what effect does it has on programs that relay on it.
          can they stop working. or is it only necessery to remember the password change
          in situation like restoring exchange.
          If you change the administrator password then all services (Excahnge, SQL, 3rd Party apps) that start up using that account will eventually fail.

          Best thing to do is to check the services on all you servers and look at what the "log on" account it set to. If any are set to administrator then I would suggest creating a specific account just for that service with the minimum privilages to start and run the service.

          Hope it helps

          Michael
          Michael Armstrong
          www.m80arm.co.uk
          MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

          ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

          Comment


          • #6
            Re: changing domain administrator paswword

            Check you're services.
            Create for each service (which is running on de Domain\Administrator account) his own Serviceaccount ig Sa_servicename

            Move the apps to the new serviceaccount
            Gernerally Switches, routers and so on, has it's own admin account, which is not related to the domain administrator

            Reset the admin account

            If you still want to use the administrator account for the service (i think is pretty stupid, but who am I ) Then reset the admin account and adjust every service who uses this account.
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"

            Comment


            • #7
              Re: changing domain administrator paswword

              thanks guys,

              I prefer to tell my boss he can forget from changing the admin password
              I don't know all the 3rd party programs my clients use and i don't want to miss any of the services and cause damage.
              I didn't install the dc's so it's even harder

              Maybe you will think i'm wrong , but in those companies security isn't on their top priority.
              If my boss will insist on doing so, he will have to be responsible for the concequences.

              I have an idea , Is there a posablity to take the administrator role and make another user identical to it?

              that way i can have another admin, and i can prevent the administrator prom preforming logon


              ????

              thanks anyway

              Comment


              • #8
                Re: changing domain administrator paswword

                I have an idea , Is there a posablity to take the administrator role and make another user identical to it?

                that way i can have another admin, and i can prevent the administrator prom preforming logon
                You can do that, however that account will be setup as a standard user with the difference that it is assigned to the Administrators and Domain Admins groups. However, if a user tries to log on with that account, it WILL LOCK OUT, unlike the Administrator account, which will then stop all your services which are using it.

                Plus, some service accounts need to log into other machines, thus it needs to be able to login locally and across the domain. Way to hard to setup let alone to administer.

                Trust what you are being told: Create a new account for each service and the possiblity of those services stopping due to a password change on the Administrator account is non-existent. It's really easy to do!
                |
                +-- JDMils
                |
                +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
                |

                Comment


                • #9
                  Re: changing domain administrator paswword

                  Originally posted by Dumber
                  Check you're services.
                  Create for each service (which is running on de Domain\Administrator account) his own Serviceaccount ig Sa_servicename

                  Move the apps to the new serviceaccount
                  when you say services do you mean "services" on administrative tools???

                  can you send me a pic and circle the divider i need to look for(do you mean the log on divider?)

                  But what about all the programs which i know that during their installation i've been asked to enter an administrator account. where do i find lets say the
                  "exchange user" for restoring purposes in order to change it to a dedicatd account?
                  all those accounts ; Do you think i remember where and when i've used them.

                  If u say the only place i have to touch is the services, that's great
                  just tell me where to locate the users(in the local user list?, in the ad? in which container?)


                  thanks

                  Comment


                  • #10
                    Re: changing domain administrator paswword

                    When you open the Services MMC, you will see a column called "Log On As". Anything with "Administrator" should be changed. Double click the service which needs to change, say, "DHCP Server" and goto the Logon tab. Most services will be happy to logon as Local System Account, which is cool. Some you need to create a new account with admin rights and place the username and password of that account here in the This Account text boxes.

                    We use Sophos Antivirus Console to distribute the Sophos AV client to all workstations on the domain. In order for this to work, the Sophos Console needs to log onto each computer to load the client. I have created an admin user called SophosClientAdmin and given it admin rights. Now, when I change the Administrator account, which is every three months, Sophos continues to work as it should!
                    |
                    +-- JDMils
                    |
                    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
                    |

                    Comment


                    • #11
                      Re: changing domain administrator paswword

                      JDMils, your explanation was very constructive,

                      You the best!

                      Comment


                      • #12
                        Re: changing domain administrator paswword

                        You doesn't know what services are?
                        Marcel
                        Technical Consultant
                        Netherlands
                        http://www.phetios.com
                        http://blog.nessus.nl

                        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                        "No matter how secure, there is always the human factor."

                        "Enjoy life today, tomorrow may never come."
                        "If you're going through hell, keep going. ~Winston Churchill"

                        Comment


                        • #13
                          Re: changing domain administrator paswword

                          of course i know,

                          I thought maybe you meant processes as "services"

                          In free transelation to hebrew it sometimes can be the same.

                          Comment


                          • #14
                            Re: changing domain administrator paswword

                            Aloha....

                            Do I need to worry about services that run on Local System and Network Service?

                            Comment


                            • #15
                              Re: changing domain administrator paswword

                              nope and please do not kick an old topic.
                              Please create you're own one.
                              Marcel
                              Technical Consultant
                              Netherlands
                              http://www.phetios.com
                              http://blog.nessus.nl

                              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                              "No matter how secure, there is always the human factor."

                              "Enjoy life today, tomorrow may never come."
                              "If you're going through hell, keep going. ~Winston Churchill"

                              Comment

                              Working...
                              X