Change of network admin password

We have an employee with high level access leaving us on Friday and I will need to change the network admin password because of this.

We are running a Windows domain using AD and Exchange 2007.

What services will need manually updating to take into account this change of network password?

I know from previous experience that changing the domain admin password is not a completely straightforward task.
 
Not my words, but they sound good enough:

"You're going to have to take a look at any services that you might have configured to run with the Administrator account -- some folks use the Admin account for that rather than creating service accounts. Don't know whether your previous IT guy did that or not -- but you'll want to check. And along those same lines, REMEMBER that the Admin password has changed. Sometimes when changing the account, a computer might not be restarted for several days or weeks down the road and when it does, some of the services may not start when it comes back up and you'll have no idea why."

Also check scheduled tasks and services that might have been created using the account, because they will fail too.

When we did this it was a ball ache. Stupidly, we created our BlackBerry Enterprise Server using the domain admin account and it fell over for hours whilst we sorted out jizzy access rights. Good luck :p
 
Yeah...letting any service run as the domain admin account is never a good idea.

If you've followed all the instructions and good practice guides you shouldn't have any services running as the admin... In the real world, though, I hope you have good memory/documentation; otherwise it might be best to change the password out of business hours or warn the users that things may go wrong!

lol, true. I don't know how many times in the deployment guide it mentions BESadmin, but it's a lot! :p
 
Sounds like you have the standard IT environment for a UK business where nobody follows best practice and nobody documents anything.

Write a list of all your business-critical applications and then go check them.

Make the change out of hours; something will almost certainly not work afterwards.

Ensure that when making the change you have the right support guys on call and access to the third parties if necessary.

DOCUMENT EVERYTHING YOU DO CHANGE FOR FUTURE REFERENCE

Run a project to migrate everything you can to use dedicated service accounts

NEVER EVER LET PEOPLE INSTALL STUFF USING THE DOMAIN ADMIN ACCOUNT (Best way to stop this is don't tell anyone the password as nobody should need it)
 
Get ready for the account being locked out as services use the old password over and over. In other words, leave AD open somewhere for you to unlock it!
 
Some best practices to follow are to rename the Administrator account to something else and create a new account called Administrator with just Domain User privileges. When creating service accounts, restrict their logon to the servers that need to run the service. You can do this via the ADUC tool -> Account -> Log On To.
 
Open services.msc, sort by 'Automatic' and check everything that's running as <account name>.
Backup and AV are usually the ones that slip the net.
 
Command line tools, and Excel!

What you'll need:
http://gnuwin32.sourceforge.net/packages/grep.htm
http://technet.microsoft.com/en-us/library/cc772785(WS.10).aspx
http://technet.microsoft.com/en-us/sysinternals/bb897542.aspx


Write up a list of all the servers in Excel, then in the next column use =CONCATENATE("psservice \\",A1," config | grep DOMAIN\Administrator >> C:\",A1,"_services.txt") and the same for scheduled tasks using =CONCATENATE("schtasks /query /s ",A1," /fo list | grep DOMAIN\Administrator >> C:\",A1,"_tasks.txt") (the "config" mode of psservice is what prints the service logon account, and the schtasks subcommand is /query).

This'll run it, and it'll produce a list of all services\scheduled tasks running as the listed usernames, so you know what to change. Just to note, grepping won't give you all the information you'll need in the output, but it will tell you which servers contain a task or service running as administrator; then drill down further by actually looking at that server. You can also get smart with it and use the tools mentioned above to change the credentials of the services\tasks.

If this is a little bit rambling, it's because I've had very minimal sleep and had 2 trains cancelled on me this morning, but yeah... The above will sort you right out.
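The same inventory (services and scheduled tasks running as the account whose password is about to change) done in PowerShell instead of Excel and grep, as an added example that is not from anyone in this thread. It assumes admin rights on each server, that CIM over WinRM and the Task Scheduler service are reachable, a server list at C:\audit\servers.txt, and a placeholder account name DOMAIN\Administrator.

```powershell
# Added example (not from the thread): find every service and scheduled task on a list of
# servers that logs on as a given account, so they can be updated after the password change.
# Assumptions: admin rights on each server, CIM over WinRM reachable, server list one name per
# line in C:\audit\servers.txt, and the account name below is a placeholder for your domain.
param(
    [string]$Account    = 'DOMAIN\Administrator',        # account whose password will change
    [string]$ServerList = 'C:\audit\servers.txt',
    [string]$OutCsv     = 'C:\audit\admin_dependencies.csv'
)

$findings = foreach ($server in (Get-Content $ServerList | Where-Object { $_.Trim() })) {
    # Services: Win32_Service.StartName is the logon account each service runs as.
    # Note: the same account may also appear in UPN form (user@domain), so check both spellings.
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -and $_.StartName -ieq $Account } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'Service'; Name = $_.Name
                                   StartMode = $_.StartMode; State = $_.State }
            }
    } catch {
        [pscustomobject]@{ Server = $server; Type = 'Error'
                           Name = "CIM query failed: $($_.Exception.Message)"; StartMode = ''; State = '' }
    }

    # Scheduled tasks: verbose CSV output of schtasks includes a "Run As User" column.
    $csv = schtasks.exe /query /s $server /fo CSV /v 2>$null
    if ($LASTEXITCODE -eq 0 -and $csv) {
        $csv | ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -ieq $Account } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'Task'; Name = $_.TaskName
                                   StartMode = $_.'Scheduled Task State'; State = $_.Status }
            }
    } else {
        [pscustomobject]@{ Server = $server; Type = 'Error'
                           Name = 'schtasks query failed'; StartMode = ''; State = '' }
    }
}

# Write the inventory for the change record and show it on screen.
$findings | Sort-Object Server, Type, Name | Export-Csv -Path $OutCsv -NoTypeInformation
$findings | Format-Table -AutoSize
```

Rows of Type 'Error' are servers you could not query and still need checking by hand; the CSV doubles as the "document everything" record for the change.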
 