Windows 2000 local administrator password

In a Windows 2000 Active Directory environment, are there any documentation that you would not want to have the local administrator user to change password every set number of days, i.e. 30 days.  In our environment there we have over 145 W2K servers spread out in different sites, changing passwords would be a pain.  Please provide experiences and or point me to links referencing such.  Also, would it be possible to push local administrator password changes to all servers at once, perhaps in a Group Policy or something like that, thanks!
LVL 1
GlobalFaxAsked:
Who is Participating?
 
night_monkeyConnect With a Mentor Commented:
from Microsoft:

Local administrative password

 You must know the local computer's administrative password that was used when the backup was created. If you do not have this information, you cannot log on to the computer and after it is restored to establish a domain account. If you are not part of the domain, you cannot use a domain account. This applies even if you are the domain administrator. The local administrator's password is also required to restore the System State on a domain controller.
 
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sbs/plan/sbspni5h.asp
0
 
night_monkeyCommented:
the first part of your question, i do not understand. can you be more clear? are you trying to prevent people from changing the local admin password on your member servers?

the second part of your question is a little more clear.

you can push password changes to local accounts, but it would require the use of a script, i believe.

before we go any further, is this what you want to do? and can you clarify the first part of your question?
0
 
GlobalFaxAuthor Commented:
Not prevent someone from changing.  We currently do not change local administrator passwords, and security team wants to know reasons not to implement change policies for local Administrator.  

My concern is that we have various services running on servers that use the local administrator user ID, would changing passwords cause any problems to those services.  If not, changing 145 administrator passwords every 30 days can be hectic in remembering the passwords if and whenever we need to use it.
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
night_monkeyCommented:
global, i'm sorry that i'm still not entirely certain what you're asking.

but i think you want to know why changing the local admin password is a bad idea, right?

one thing i do understand clearly though, is the part about services running under the local admin account. to answer that, yes it is possible that the application using the local admin account could be affected if the password changes. since you enter the password when you configure the program, that is the password it will use when it runs. clearly, if the password changes, you're going to run into problems.

this is probably the biggest drawback to changing the local admin password.

and as you've stated, going to 145 machines and changing the password for the local admin account would be quite time consuming.

as i said, though, i believe it's possible to change the local admin passwords by using a login script and tying it to a group policy. there are no builtin group policy settings for changing local admin passwords.

so this, too, would be cumbersome.

is that what you were asking?

0
 
night_monkeyCommented:
there are security related advantages to changing the local admin passwords regularly, of course, though.

just wanted to add that.

-nm
0
 
GlobalFaxAuthor Commented:
Understood on the last comment about advantanges.  That is basically what I am looking for Pros/Cons (Advantages/Disadvantages) in selecting to change or not to change passwords.  Would Microsoft or SANS or any other entity have any referenced document to assist in makig the decision.  The Committee (Including the CIO) is looking for written documents stating such to make that determination.
0
 
MSGeekCommented:
Cusrmgr.exe is a tool in the resource kit that you could use to change the passwords remotely.. However, I agree that cganging this every 30 days is going to cause problems.  If the passwords follow stringent guidelines and are more than ten characters long, involve alpha and non-alphnumeric characters and are changed whenevr someone leaves employment or changes positions I do not see a good argument for changing them that frequently.   Your going to cause problesm for systems running Exchange, SQL and any other app that was setup to use the Admin account.  Who is going to cover the cost of the added overhead of your department having to take on this task along with the rest of what's on your plate?
0
 
night_monkeyCommented:
I haven't been able to find any white papers yet, but I did find this, which makes the process easier, and negates, somewhat, what I said earlier about the intensiveness of changing the local admin password on multiple machines.

Have a look:

http://support.microsoft.com/default.aspx?scid=kb;en-us;272530

I'm going to use it myself!

-nm
0
 
night_monkeyCommented:
wow, msgeek beat me by less than 2 minutes on that last one.
=^)
0
 
MSGeekCommented:
:)
0
 
GlobalFaxAuthor Commented:
Good feedback, are there anymore.

Second question, how can I split the points for you guys?
0
 
night_monkeyCommented:
you can post a 0 point question in the community support forum that includes the request to split the points for us, and a link to this question.
0
 
SpideyModCommented:
A request to split has been made at: http://www.experts-exchange.com/Community_Support/Q_20545453.html
50%/50% to "Night Monkey" and "MSGeek"

I have reduced the original point value to half (62), removed 1 point from your account.  Now you can select one expert's answer.  Then create a new "points for expertname re 20545320" (replace expertname with the other expert's name).  Make sure you create the new question in the same area as this question: http://www.experts-exchange.com/Security/Win_Security/

Once this is done, copy the URL for the new question, return here to post it so the other expert gets an email notification and can find the question.

If you need help with this or if all experts do not receive their points, somebody please let me know by posting here.  

Thanks.

SpideyMod
Community Support Moderator @Experts Exchange
0
 
GlobalFaxAuthor Commented:
Thanks for the link!
0
 
GlobalFaxAuthor Commented:
0
 
MSGeekCommented:
Thanks, glad I could help!
0
All Courses

From novice to tech pro — start learning today.