Change Domain admin password

there won't be a $250 call to MS

change the password and stuff will break.

all you'll be doing is going round machines after the stuff has broken and resetting locally cached credentials for service logons and such that are starting as domain admin.

and this will happen every time you change the password.

which is why it's best to create some specific service accounts, and don't change the password on these machines, and restrict what they can log on to.

then you can change the admin password as much as you like.

but the first time you change it will be the worst. no matter how much prep work you put in, it's almost guaranteed that there will be something somewhere that has the old password cached, and you'll only find it after it breaks.

putting in work changing the whole account to a dedicated account for logging on services spares a lot of running around afterwards, but on a network that you inherit, you're probably never going to know every little thing where something for some reason is authenticating as administrator.
 
When you say going around to machines and resetting locally cached credentials for service logons do you mean just my servers? Not workstations right?
The new users I create to use, Webuser and SQL user, do they need to have full domain admin rights?

Will
 
I mean wherever things are set.

Basically, it's the law of the sod, at some point somewhere something will have broken, a service fail to start or something like that. and someone will have just changed the account the service starts as to be administrator, it happens all the time...

the administrator password could be on anything anywhere, it might not even have been put on as a quick fix, when installing something the previous guy may have logged on as administrator and just been really happy to have clicked next loads, might not have even seen a screen where it says start service as user: "current user" <- which of course at that time was the administrator...

here's what you should do. (this is part good advice, part terrible advice!)

create some service accounts like I said earlier.
make sure that all your servers are going to work when the password is changed by changing the service logons to service accounts rather than administrator...

once you're sure that your server estate is going to be cool post password change then change the admin password.

the next day either everything will be OK, or it won't...

then you have the choice to either go round a handful of workstations fixing the occasional problem, or if everything is completely broken, then you could just change the password back and then go round and figure out what the problems were.

What I would say is this is one of those best practice things, you SHOULD be changing the administrator password regularly. some people even recommend setting up a second admin account and disabling the administrator account... if it's not been changed for years, or indeed never been changed, then the first change will be painful. but fix the problems, after that change the password, write the password down and lock it in a safe. create a second admin account and never use the first one...
or change the password, keep using the account, but change it once a month or so.
 
Root,
So there will be some workstations that break and I will need to reset a password on?
By the way what will happen on the workstation that "breaks"? Will I get a window asking for a password? Then I put the new admin password in?
Webuser & SQL user, do they need to have Domain Admin rights?
Will
 
I didn't say that there WILL be I said that there MAY be...

The point is this, you're new to the job, and the guy that was there before you has already gone. you don't know him so you've got to assume he was an idiot and plan for the worst.

the worst situation would be that there were various services starting up all over the place as admin. drives being mapped as admin.


so you need to as far as possible find and change all those service accounts on the servers that you look after.
workstations are often impractical to search like that for problems, which is why I say that in the end you're going to have to change the password and see what breaks or who shouts and then deal with it case by case.


As I said before, if you suddenly find that something critical breaks, and you don't have the time to fix it, you can always change the password back.
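The prep work described in the two replies above (find every service or scheduled task on the servers that starts as Administrator, move it to a dedicated service account, and only then change the password) is the kind of thing worth scripting rather than clicking through services.msc on each box. The script below is an added example, not something posted in this thread; the server names, the NetBIOS domain and the service account name are assumptions for illustration. It lists the offenders first, and only re-points service logons when you run it with -Fix and supply a credential.

```powershell
# Added example (not from the thread): inventory services and scheduled tasks
# on a list of servers that log on as the built-in Administrator, then
# optionally move the services to a dedicated service account so the
# Administrator password can be changed without them failing to start.
# Server names, domain and service account below are assumed, not real.
param(
    [string[]]$Servers = @('SRV-WEB01', 'SRV-SQL01'),   # assumed server names
    [string]$Domain = 'CORP',                            # assumed NetBIOS domain
    [switch]$Fix,                                        # without -Fix, report only
    [pscredential]$NewCredential                         # e.g. CORP\svc-web (assumed)
)

# Logon names that mean "the admin account": .\Administrator, CORP\Administrator,
# Administrator, Administrator@corp.example (UPN form). Adjust if a renamed
# built-in admin or a second Domain Admins member is in use.
$adminPatterns = @(
    ('^(\.\\|{0}\\)?Administrator$' -f $Domain),
    '^Administrator@'
)

function Test-IsAdminLogon([string]$Name) {
    if (-not $Name) { return $false }   # drivers and some tasks have no logon name
    foreach ($p in $adminPatterns) { if ($Name -imatch $p) { return $true } }
    return $false
}

$findings = foreach ($s in $Servers) {
    # Services: Win32_Service.StartName is the account the service logs on as.
    Get-CimInstance -ClassName Win32_Service -ComputerName $s |
        Where-Object { Test-IsAdminLogon $_.StartName } |
        ForEach-Object {
            [pscustomobject]@{ Server = $s; Kind = 'Service'; Name = $_.Name
                               RunsAs = $_.StartName; State = $_.State }
        }

    # Scheduled tasks (Get-ScheduledTask needs Windows 8 / Server 2012 or later
    # on the target): Principal.UserId is the account the task runs under.
    Invoke-Command -ComputerName $s -ScriptBlock {
        Get-ScheduledTask |
            Select-Object TaskName, @{ n = 'UserId'; e = { $_.Principal.UserId } }
    } |
        Where-Object { Test-IsAdminLogon $_.UserId } |
        ForEach-Object {
            [pscustomobject]@{ Server = $s; Kind = 'Task'; Name = $_.TaskName
                               RunsAs = $_.UserId; State = '' }
        }
}

$findings | Sort-Object Server, Kind, Name | Format-Table -AutoSize

if ($Fix -and $NewCredential) {
    foreach ($f in ($findings | Where-Object Kind -eq 'Service')) {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $f.Server `
                               -Filter "Name='$($f.Name)'"
        # Win32_Service.Change sets the logon account and password in one call;
        # ReturnValue 0 means success, anything else is a Win32_Service error code.
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName     = $NewCredential.UserName
            StartPassword = $NewCredential.GetNetworkCredential().Password
        }
        '{0}\{1}: Change returned {2}' -f $f.Server, $f.Name, $r.ReturnValue
    }
    # Scheduled tasks are only reported here; re-register them with the new
    # principal by hand or with Set-ScheduledTask once you have checked each one.
}
```

Run it once with no switches and keep the output as your "known offenders" list, then run it with -Fix -NewCredential (Get-Credential) per service account. Two caveats a practitioner will want: setting the logon through WMI/CIM (or sc.exe) does not grant the new account the "Log on as a service" right the way services.msc does, so grant it by Group Policy or secedit first, and restart each changed service before you touch the Administrator password so that a bad account or password shows up while you can still revert. Anything on workstations is, as the reply above says, still going to be a case of changing the password and seeing what breaks.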
 