Solved

Windows 2000 local administrator password

Posted on 2003-03-10
Last Modified: 2013-12-04
In a Windows 2000 Active Directory environment, is there any documentation stating that you would not want to have the local administrator user change password every set number of days, i.e. 30 days? In our environment we have over 145 W2K servers spread out in different sites; changing passwords would be a pain. Please provide experiences and/or point me to links referencing such. Also, would it be possible to push local administrator password changes to all servers at once, perhaps in a Group Policy or something like that? Thanks!
Question by:GlobalFax
16 Comments
 
LVL 6

Expert Comment

by:night_monkey
ID: 8105580
the first part of your question, i do not understand. can you be more clear? are you trying to prevent people from changing the local admin password on your member servers?

the second part of your question is a little more clear.

you can push password changes to local accounts, but it would require the use of a script, i believe.

before we go any further, is this what you want to do? and can you clarify the first part of your question?
0
 
LVL 1

Author Comment

by:GlobalFax
ID: 8105704
Not prevent someone from changing.  We currently do not change local administrator passwords, and security team wants to know reasons not to implement change policies for local Administrator.  

My concern is that we have various services running on servers that use the local administrator user ID; would changing passwords cause any problems to those services? If not, changing 145 administrator passwords every 30 days can be hectic in remembering the passwords if and whenever we need to use it.
0
 
LVL 6

Expert Comment

by:night_monkey
ID: 8105798
global, i'm sorry that i'm still not entirely certain what you're asking.

but i think you want to know why changing the local admin password is a bad idea, right?

one thing i do understand clearly though, is the part about services running under the local admin account. to answer that, yes it is possible that the application using the local admin account could be affected if the password changes. since you enter the password when you configure the program, that is the password it will use when it runs. clearly, if the password changes, you're going to run into problems.

this is probably the biggest drawback to changing the local admin password.

and as you've stated, going to 145 machines and changing the password for the local admin account would be quite time consuming.

as i said, though, i believe it's possible to change the local admin passwords by using a login script and tying it to a group policy. there are no builtin group policy settings for changing local admin passwords.

so this, too, would be cumbersome.

is that what you were asking?

0
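An added example, not part of the original thread: before rotating a local Administrator password, inventory the services that log on as that account, since those are the ones the comment above says will break. The sample rows, host names and `servers.txt` are constructed or hypothetical, and the live query assumes hosts that answer CIM requests from current PowerShell rather than the resource kit tooling of the period.

```powershell
# Added example: list services that log on as the local Administrator account,
# i.e. the ones that fail to start after that account's password is changed.

function Test-LocalAdminLogon {
    param([string]$StartName, [string]$ComputerName, [string]$Account = 'Administrator')
    if ([string]::IsNullOrWhiteSpace($StartName)) { return $false }
    $hostPart = ($ComputerName -split '\.')[0]      # short name if given an FQDN
    # Local-account forms: .\Administrator or HOST\Administrator (not DOMAIN\...)
    return @(".\$Account", "$hostPart\$Account") -contains $StartName
}

function Get-LocalAdminService {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            $services = Get-CimInstance -ClassName Win32_Service `
                -ComputerName $computer -ErrorAction Stop
        } catch {
            # Report unreachable hosts; never count them as clean
            [pscustomobject]@{ Computer = $computer; Service = $null; StartName = $null
                               Status = "QUERY FAILED: $($_.Exception.Message)" }
            continue
        }
        foreach ($svc in $services) {
            if (Test-LocalAdminLogon $svc.StartName $computer) {
                [pscustomobject]@{ Computer = $computer; Service = $svc.Name
                                   StartName = $svc.StartName; Status = $svc.State }
            }
        }
    }
}

# Constructed rows in the shape of Win32_Service output, for an offline check
$sample = @(
    [pscustomobject]@{ Name = 'BackupAgent'; StartName = '.\Administrator' }
    [pscustomobject]@{ Name = 'ReportSvc';   StartName = 'SRV01\administrator' }
    [pscustomobject]@{ Name = 'DomainTask';  StartName = 'CORP\Administrator' }
    [pscustomobject]@{ Name = 'Spooler';     StartName = 'LocalSystem' }
)
$sample | Where-Object { Test-LocalAdminLogon $_.StartName 'srv01.corp.example' } |
    Select-Object Name, StartName

# Live use against a hypothetical server list:
# Get-LocalAdminService -ComputerName (Get-Content .\servers.txt)
```

Each service this reports needs its stored logon password updated at the same time as the account, or moving to a dedicated service account, before a rotation schedule is enforced.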
 
LVL 6

Expert Comment

by:night_monkey
ID: 8105805
there are security related advantages to changing the local admin passwords regularly, of course, though.

just wanted to add that.

-nm
0
 
LVL 1

Author Comment

by:GlobalFax
ID: 8105841
Understood on the last comment about advantages.  That is basically what I am looking for: Pros/Cons (Advantages/Disadvantages) in selecting to change or not to change passwords.  Would Microsoft or SANS or any other entity have any referenced document to assist in making the decision?  The Committee (Including the CIO) is looking for written documents stating such to make that determination.
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8105870
Cusrmgr.exe is a tool in the resource kit that you could use to change the passwords remotely. However, I agree that changing this every 30 days is going to cause problems.  If the passwords follow stringent guidelines and are more than ten characters long, involve alpha and non-alphanumeric characters and are changed whenever someone leaves employment or changes positions I do not see a good argument for changing them that frequently.   You're going to cause problems for systems running Exchange, SQL and any other app that was setup to use the Admin account.  Who is going to cover the cost of the added overhead of your department having to take on this task along with the rest of what's on your plate?
0
 
LVL 6

Expert Comment

by:night_monkey
ID: 8105883
I haven't been able to find any white papers yet, but I did find this, which makes the process easier, and negates, somewhat, what I said earlier about the intensiveness of changing the local admin password on multiple machines.

Have a look:

http://support.microsoft.com/default.aspx?scid=kb;en-us;272530

I'm going to use it myself!

-nm
0
 
LVL 6

Accepted Solution

by:
night_monkey earned 248 total points
ID: 8105904
from Microsoft:

Local administrative password

 You must know the local computer's administrative password that was used when the backup was created. If you do not have this information, you cannot log on to the computer and after it is restored to establish a domain account. If you are not part of the domain, you cannot use a domain account. This applies even if you are the domain administrator. The local administrator's password is also required to restore the System State on a domain controller.
 
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sbs/plan/sbspni5h.asp
0
 
LVL 6

Expert Comment

by:night_monkey
ID: 8105916
wow, msgeek beat me by less than 2 minutes on that last one.
=^)
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8105964
:)
0
 
LVL 1

Author Comment

by:GlobalFax
ID: 8106124
Good feedback, are there any more?

Second question, how can I split the points for you guys?
0
 
LVL 6

Expert Comment

by:night_monkey
ID: 8106150
you can post a 0 point question in the community support forum that includes the request to split the points for us, and a link to this question.
0
 

Expert Comment

by:SpideyMod
ID: 8107135
A request to split has been made at: http://www.experts-exchange.com/Community_Support/Q_20545453.html
50%/50% to "Night Monkey" and "MSGeek"

I have reduced the original point value to half (62), removed 1 point from your account.  Now you can select one expert's answer.  Then create a new "points for expertname re 20545320" (replace expertname with the other expert's name).  Make sure you create the new question in the same area as this question: http://www.experts-exchange.com/Security/Win_Security/

Once this is done, copy the URL for the new question, return here to post it so the other expert gets an email notification and can find the question.

If you need help with this or if all experts do not receive their points, somebody please let me know by posting here.  

Thanks.

SpideyMod
Community Support Moderator @Experts Exchange
0
 
LVL 1

Author Comment

by:GlobalFax
ID: 8107411
Thanks for the link!
0
 
LVL 1

Author Comment

by:GlobalFax
ID: 8107479
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8110856
Thanks, glad I could help!
0


Question has a verified solution.
