Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Domain Administrator Password Change Issues

Posted on 2004-04-13
5
245 Views
Last Modified: 2013-12-04
I recently read an answer to a question regarding issues when changing the Domain Administrators password.  The answer contained the following:

"If you are using Certificates and the Administrator uses these then make sure you change the password from the CTRL-ALT-DEL dialog or you may lose the link to the certificate and thus access   to anything controlled by that certificate (like encrypted files)."

This left me with this question:
Are certificates managed as a domain entity and if not what happens to certificates on other Domain Controllers once you change the Domain Administrators password from another Domain Controller as described above?

Thanks,
Darin
0
Comment
Question by:jdteichmer
  • 2
5 Comments
 
LVL 16

Accepted Solution

by:
JamesDS earned 125 total points
ID: 10814962
jdteichmer

This largely depends on how you have set up your certificate infrastructure, for full details try reading up on PKI (Public Key Infrstructure) and EFS (Encrypting File System).

However, to start you off...

Certificates are, by default managed as a domain entity, are stored in the active directory and "associated" with a given user account.

If you change the password of a user by logging in as that user and using the CTRL-ALT-DEL dialog then the "association" will follow the user account when the certificate is 're-jigged' for the new password. All changes to passwords and certificates are replicated throughout the domain - as you would expect them to be.

If in doubt - or if you want to test it out, create a new users account - with a certificate (and an encrypted file) and change the password.

I am not an expert in PKI and EFS so have any other experts got anything to add here?

Cheers

JamesDS
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10817425
Best Practices for the Encrypting File System
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

You Cannot Decrypt Files After You Reset Your Password with a Password-Reset Disk
http://support.microsoft.com/default.aspx?scid=kb;en-us;308273

If you're a domain administrator - read HOW TO: Configure a Domain EFS Recovery Policy in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;313365

HOW TO: Back Up the Recovery Agent Encrypting File System Private Key in Windows 2000
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q241/2/01.asp&NoWebContent=1

Encrypting/Decrypting Data Across Systems
http://support.microsoft.com/default.aspx?scid=kb;en-us;277786

HOW TO: Encrypt Files and Folders on a Remote Windows 2000 Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;320044

NTFS - EFS - Learn Windows 2000 Core Exams in 15 Minutes a Week - Administration of Resources - Part 1:
http://www.2000trainers.com/printarticle.aspx?articleID=20

Step-by-Step Guide to Administering Certificate Services - Nice introduction from Microsoft on Certificate Authorities. In this document you find simple practises where you install a stand-alone CA, do a backup and restore of it, issue certificates, revoke certificates and publish CRLs (Certificate Revocation Lists). 10 pages.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/howto/pubkeyox.asp 

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10817490
BTW: You also should consider, that some services on the server(s) is started with the domain administrators password, and maybe some scheduled tasks.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question