Old 09-24-2010, 06:04 PM   #1
Solid State Member
 
Join Date: Sep 2010
Posts: 10
Default Change Domain admin password

I would like to change my Domain admin password; it was set up long before I took over this position and is a pretty simple password. My concern is everything that uses that login, services etc., not working afterwards.
Being the same password for all my servers, I don't want to change it and then suddenly be locked out of something or things suddenly stop working. So I need to change it but am concerned about this happening.
Here is what I have:
2 Server 2003 file servers ( Both are AD, file, and print servers ) 1 per physical location
1 server 2000 file server
1 server 2003 mail server ( IBM Domino )
All on a Domain
Active Directory
Multiple folders, printers shared.

Any advice would be great.
Thanks,
Will
__________________
Berwill is offline   Reply With Quote
Old 09-24-2010, 10:08 PM   #2
In Runtime
 
thompatry's Avatar
 
Join Date: Feb 2010
Posts: 145
Default Re: Change Domain admin password

What are your chances of upgrading to Server 2008 R2?
__________________
thompatry is offline   Reply With Quote
Old 09-25-2010, 03:12 PM   #3
Solid State Member
 
Join Date: Sep 2010
Posts: 10
Default Re: Change Domain admin password

No chance. These are older servers and adequate for what they are doing, I would replace them before upgrading the OS.
How would that matter?
Will
__________________
Berwill is offline   Reply With Quote
Old 09-27-2010, 12:56 PM   #4
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 8,107
Default Re: Change Domain admin password

best advice.

go back and do it all again properly.

set up some accounts for use by the services and then go around and change the logon accounts for the services in the control panel.

once you've stopped the use of the administrator password over the domain then you should be able to change it.
__________________
I didn’t fight my way to the top of the food chain to be a vegetarian…
Im sick of people saying 'dont waste paper'. If trees wanted to live, they'd all carry guns.
"The inherent vice of capitalism is the unequal sharing of blessings; The inherent vice of socialism is the equal sharing of miseries."
root is offline   Reply With Quote
Old 09-27-2010, 06:10 PM   #5
Solid State Member
 
Join Date: Sep 2010
Posts: 10
Default Re: Change Domain admin password

I am afraid I am not following.
setup some accounts for use by the services? change the logon accounts for the services?
So I take it I could not just reset the password on Domain Admin, that would cause a problem?
Will
__________________
Berwill is offline   Reply With Quote
Old 09-28-2010, 04:36 AM   #6
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 8,107
Default Re: Change Domain admin password

ok...

you've got a domain admin password,
and you've got services say a web server and a SQL server on machines that start authenticated as that domain admin.

what you need to do is create a new user in your Active directory domain called WebUser and one called SQLUser

then you need to look at the services in the advanced control panel and change the account to start up as these services to one of the users that you have just added, once you've made sure that there is nothing critical starting as the domain admin, then you can change the domain admin password.
root is offline   Reply With Quote
Old 09-28-2010, 07:47 AM   #7
Fully Optimized
 
jmacavali's Avatar
 
Join Date: Jun 2009
Posts: 4,867
Default Re: Change Domain admin password

^This.

Your domain admin account shouldn't be used to run services.
__________________
****************************************
Don't take life too seriously -- no one gets out alive. Plus, who wants to arrive to the hereafter in pristine condition wearing a suit and tie?
I want to slide in sideways, worn out, used up, hair a mess, clothes tattered, & screaming, "Whooo! What a ride!"
****************************************
jmacavali is offline   Reply With Quote
Old 09-28-2010, 12:47 PM   #8
Solid State Member
 
Join Date: Sep 2010
Posts: 10
Default Re: Change Domain admin password

Root,
I thought this might help make it clearer, this is what I found for the processes.
If I created a new user like Webuser and used that in the processes would they need to have the same rights as the Domain Admin?
Instead of setting up a new user and changing the process to that user could I just reset the Domain Admin password and then reset the passwords in the processes?

Mine say Log on as:
Local system account

Or:
This account - NT Authority\Localservice ( And a password )
NT Authority\Networkservice
.\Administrator
berwin(Domain name)\Administrator

Thanks,
Will
__________________
Berwill is offline   Reply With Quote
Old 09-29-2010, 11:56 AM   #9
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 8,107
Default Re: Change Domain admin password

sure, you can change your administrator's account password.

wait for stuff to break and then go round resetting the password for the services on all the boxes that have processes starting as administrator, all scheduled tasks starting as administrator etc...

fundamentally though, for really good security you should be changing your administrator password on a regular basis.

do you really want to be changing the password for service logins every time you change your admin password?
root is offline   Reply With Quote
Old 09-29-2010, 06:56 PM   #10
Solid State Member
 
Join Date: Sep 2010
Posts: 10
Default Re: Change Domain admin password

Ok, in trying to get this straight I think I made it worse.
I do want to change it regularly, being this is the first time I have done this I want to minimize the risk as much as possible so that if I change it and missed something I don't have to make a $250 call to Microsoft to get things working again.
I am going to have to read through the posts and try to sort it out, I really don't want it to come to a "leap of faith".
I appreciate everyone's input though.

Will
__________________
Berwill is offline   Reply With Quote
Old 09-30-2010, 12:27 PM   #11
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 8,107
Default Re: Change Domain admin password

there won't be a $250 call to MS

change the password and stuff will break.

all you'll be doing is going round machines after the stuff has broken and resetting locally cached credentials for service logons and such that are starting as domain admin.

and this will happen every time you change the password.

which is why it's best to create some specific service accounts, and don't change the password on these machines, and restrict what they can log on to.

then you can change the admin password as much as you like.

but the first time you change it will be the worst. no matter how much prep work you put in, it's almost guaranteed that there will be something somewhere that has the old password cached, and you'll only find it after it breaks.

putting in work changing the whole account to a dedicated account for logging on services spares a lot of running around afterwards, but on a network that you inherit, you're probably never going to know every little thing where something for some reason is authenticating as administrator.
root is offline   Reply With Quote
Old 10-01-2010, 06:00 PM   #12
Solid State Member
 
Join Date: Sep 2010
Posts: 10
Default Re: Change Domain admin password

When you say going around to machines and resetting locally cached credentials for service logons do you mean just my servers? Not workstations right?
The new users I create to use, Webuser and SQL user, do they need to have full domain admin rights?

Will
__________________
Berwill is offline   Reply With Quote
Old 10-05-2010, 09:41 AM   #13
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 8,107
Default Re: Change Domain admin password

I mean wherever things are set.

Basically, it's the law of the sod, at some point somewhere something will have broken, a service fail to start or something like that. and someone will have just changed the account the service starts as to be administrator, it happens all the time...

the administrator password could be on anything anywhere, it might not even have been put on as a quick fix, when installing something the previous guy may have logged on as administrator and just been really happy to have clicked next loads, might not have even seen a screen where it says start service as user: "current user" <- which of course at that time was the administrator...

here's what you should do. (this is part good advice, part terrible advice!)

create some service accounts like I said earlier.
make sure that all your servers are going to work when the password is changed by changing the service logons to service accounts rather than administrator...

once you're sure that your server estate is going to be cool post password change then change the admin password.

the next day either everything will be OK, or it won't...

then you have the choice to either go round a handful of workstations fixing the occasional problem, or if everything is completely broken, then you could just change the password back and then go round and figure out what the problems were.

What I would say is this is one of those best practice things, you SHOULD be changing the administrator password regularly. some people even recommend setting up a second admin account and disabling the administrator account... if it's not been changed for years, or indeed never been changed, then the first change will be painful. but fix the problems, after that change the password, write the password down and lock it in a safe. create a second admin account and never use the first one...
or change the password, keep using the account, but change it once a month or so.
root is offline   Reply With Quote
Old 10-07-2010, 09:19 AM   #14
Solid State Member
 
Join Date: Sep 2010
Posts: 10
Default Re: Change Domain admin password

Root,
So there will be some workstations that break and I will need to reset a password on?
By the way what will happen on the workstation that "breaks"? Will I get a window asking for a password? Then I put the new admin password in?
Webuser & SQL user, do they need to have Domain Admin rights?
Will
__________________
Berwill is offline   Reply With Quote
Old 10-07-2010, 09:39 AM   #15
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 8,107
Default Re: Change Domain admin password

I didn't say that there WILL be I said that there MAY be...

The point is this, you're new to the job, and the guy that was there before you has already gone. you don't know him so you've got to assume he was an idiot and plan for the worst.

the worst situation would be that there were various services starting up all over the place as admin. drives being mapped as admin.


so you need to as far as possible find and change all those service accounts on the servers that you look after.
workstations are often impractical to search like that for problems, which is why I say that in the end you're going to have to change the password and see what breaks or who shouts and then deal with it case by case.


As I said before, if you suddenly find that something critical breaks, and you don't have the time to fix it, you can always change the password back.
root is offline   Reply With Quote
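
An added example, not written by any poster in this thread, of the server-side audit described in posts #13 and #15: it classifies each service's "Log on as" account (the values listed in post #8) and reports the ones tied to an Administrator password, so they can be moved to dedicated service accounts before the change. The domain name comes from post #8; the server names, service names and sample rows are constructed assumptions.

```powershell
# Added example (not from the thread). Intended for Windows PowerShell on an
# admin workstation; Get-WmiObject queries WMI over DCOM on the target servers.
# Assumptions: NetBIOS domain 'BERWIN' (post #8); FS1/FS2/MAIL1 are placeholders.

function Get-LogonRisk {
    param([string]$StartName, [string]$Computer, [string]$Domain = 'BERWIN')
    # Built-in identities carry no password that an admin rotates.
    $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    if (-not $StartName -or $builtin -contains $StartName) { return 'BuiltIn' }
    if ($StartName -match '^(?<dom>[^\\]+)\\(?<user>.+)$') {
        $isLocal = ($Matches.dom -eq '.') -or ($Matches.dom -eq $Computer)
        if ($Matches.user -ne 'Administrator') { return 'OtherAccount' }
        if ($isLocal) { return 'LocalAdministrator' }
        if ($Matches.dom -eq $Domain) { return 'DomainAdministrator' }
    }
    return 'OtherAccount'
}

function Find-AdminService {
    param([Parameter(ValueFromPipeline = $true)]$Service, [string]$Domain = 'BERWIN')
    process {
        $risk = Get-LogonRisk $Service.StartName $Service.SystemName $Domain
        # Only services whose stored credential is an Administrator password
        # stop starting after that password is changed.
        if ($risk -like '*Administrator') {
            New-Object psobject -Property @{
                Server = $Service.SystemName; Service = $Service.Name
                LogOnAs = $Service.StartName; Risk = $risk
            }
        }
    }
}

# Constructed sample rows shaped like Win32_Service output, so this runs offline.
$sample = @(
    @{ SystemName = 'FS1';   Name = 'Spooler';     StartName = 'LocalSystem' },
    @{ SystemName = 'FS1';   Name = 'BackupAgent'; StartName = 'berwin\Administrator' },
    @{ SystemName = 'FS2';   Name = 'AVUpdate';    StartName = '.\Administrator' },
    @{ SystemName = 'MAIL1'; Name = 'Dnscache';    StartName = 'NT AUTHORITY\NetworkService' }
) | ForEach-Object { New-Object psobject -Property $_ }
$sample | Find-AdminService | Format-Table Server, Service, LogOnAs, Risk -AutoSize

# Live use against real servers (names are placeholders):
# 'FS1','FS2','MAIL1' | ForEach-Object {
#     Get-WmiObject Win32_Service -ComputerName $_ } | Find-AdminService
```

Scheduled tasks and mapped drives, which posts #9 and #15 also name, are not visible through Win32_Service and need their own check.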
All times are GMT -5.