GlobalFax
asked on
Windows 2000 local administrator password
In a Windows 2000 Active Directory environment, are there any documentation that you would not want to have the local administrator user to change password every set number of days, i.e. 30 days. In our environment there we have over 145 W2K servers spread out in different sites, changing passwords would be a pain. Please provide experiences and or point me to links referencing such. Also, would it be possible to push local administrator password changes to all servers at once, perhaps in a Group Policy or something like that, thanks!
ASKER
Not prevent someone from changing. We currently do not change local administrator passwords, and security team wants to know reasons not to implement change policies for local Administrator.
My concern is that we have various services running on servers that use the local administrator user ID, would changing passwords cause any problems to those services. If not, changing 145 administrator passwords every 30 days can be hectic in remembering the passwords if and whenever we need to use it.
My concern is that we have various services running on servers that use the local administrator user ID, would changing passwords cause any problems to those services. If not, changing 145 administrator passwords every 30 days can be hectic in remembering the passwords if and whenever we need to use it.
global, i'm sorry that i'm still not entirely certain what you're asking.
but i think you want to know why changing the local admin password is a bad idea, right?
one thing i do understand clearly though, is the part about services running under the local admin account. to answer that, yes it is possible that the application using the local admin account could be affected if the password changes. since you enter the password when you configure the program, that is the password it will use when it runs. clearly, if the password changes, you're going to run into problems.
this is probably the biggest drawback to changing the local admin password.
and as you've stated, going to 145 machines and changing the password for the local admin account would be quite time consuming.
as i said, though, i believe it's possible to change the local admin passwords by using a login script and tying it to a group policy. there are no builtin group policy settings for changing local admin passwords.
so this, too, would be cumbersome.
is that what you were asking?
but i think you want to know why changing the local admin password is a bad idea, right?
one thing i do understand clearly though, is the part about services running under the local admin account. to answer that, yes it is possible that the application using the local admin account could be affected if the password changes. since you enter the password when you configure the program, that is the password it will use when it runs. clearly, if the password changes, you're going to run into problems.
this is probably the biggest drawback to changing the local admin password.
and as you've stated, going to 145 machines and changing the password for the local admin account would be quite time consuming.
as i said, though, i believe it's possible to change the local admin passwords by using a login script and tying it to a group policy. there are no builtin group policy settings for changing local admin passwords.
so this, too, would be cumbersome.
is that what you were asking?
there are security related advantages to changing the local admin passwords regularly, of course, though.
just wanted to add that.
-nm
just wanted to add that.
-nm
ASKER
Understood on the last comment about advantanges. That is basically what I am looking for Pros/Cons (Advantages/Disadvantages)
Cusrmgr.exe is a tool in the resource kit that you could use to change the passwords remotely.. However, I agree that cganging this every 30 days is going to cause problems. If the passwords follow stringent guidelines and are more than ten characters long, involve alpha and non-alphnumeric characters and are changed whenevr someone leaves employment or changes positions I do not see a good argument for changing them that frequently. Your going to cause problesm for systems running Exchange, SQL and any other app that was setup to use the Admin account. Who is going to cover the cost of the added overhead of your department having to take on this task along with the rest of what's on your plate?
I haven't been able to find any white papers yet, but I did find this, which makes the process easier, and negates, somewhat, what I said earlier about the intensiveness of changing the local admin password on multiple machines.
Have a look:
http://support.microsoft.com/default.aspx?scid=kb;en-us;272530
I'm going to use it myself!
-nm
Have a look:
http://support.microsoft.com/default.aspx?scid=kb;en-us;272530
I'm going to use it myself!
-nm
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
wow, msgeek beat me by less than 2 minutes on that last one.
=^)
=^)
:)
ASKER
Good feedback, are there anymore.
Second question, how can I split the points for you guys?
Second question, how can I split the points for you guys?
you can post a 0 point question in the community support forum that includes the request to split the points for us, and a link to this question.
A request to split has been made at: https://www.experts-exchange.com/questions/20545453/Neet-to-split-points-to-to-contributors.html
50%/50% to "Night Monkey" and "MSGeek"
I have reduced the original point value to half (62), removed 1 point from your account. Now you can select one expert's answer. Then create a new "points for expertname re 20545320" (replace expertname with the other expert's name). Make sure you create the new question in the same area as this question: https://www.experts-exchange.com/Security/Win_Security/
Once this is done, copy the URL for the new question, return here to post it so the other expert gets an email notification and can find the question.
If you need help with this or if all experts do not receive their points, somebody please let me know by posting here.
Thanks.
SpideyMod
Community Support Moderator @Experts Exchange
50%/50% to "Night Monkey" and "MSGeek"
I have reduced the original point value to half (62), removed 1 point from your account. Now you can select one expert's answer. Then create a new "points for expertname re 20545320" (replace expertname with the other expert's name). Make sure you create the new question in the same area as this question: https://www.experts-exchange.com/Security/Win_Security/
Once this is done, copy the URL for the new question, return here to post it so the other expert gets an email notification and can find the question.
If you need help with this or if all experts do not receive their points, somebody please let me know by posting here.
Thanks.
SpideyMod
Community Support Moderator @Experts Exchange
ASKER
Thanks for the link!
ASKER
https://www.experts-exchange.com/questions/20545636/points-for-MSGeek-re-20545320.html
MSGeek see link above to get your points!
MSGeek see link above to get your points!
Thanks, glad I could help!
the second part of your question is a little more clear.
you can push password changes to local accounts, but it would require the use of a script, i believe.
before we go any further, is this what you want to do? and can you clarify the first part of your question?