Changing service account password

Posted on 2005-04-20
Last Modified: 2008-01-09
In the past we had Exchange 5.5 and had an admin service account for it.
We have now finished migrating all Exchange 5.5 users to Exchange 2003 SP1 and are in native mode.

All our Exchange 2003 servers are installed using the admin account.

Can I change the password of the admin account? Will it affect any services or anything else in Exchange 2003?
Question by: cdaya
    LVL 3

    Assisted Solution

    You can change it and should not have any adverse effects. Just make sure that you change the passwords for any services that use that account. When you have done that, restart the services and make sure that they start properly.

    LVL 27

    Assisted Solution

    dvrdn is correct.
    Exchange 2000 and 2003 use "local system account" instead of an actual service account like in Exchange 5.5.
    LVL 20

    Accepted Solution



    Adding my 2 cents...

    The following information is taken from the Exchange 2003 Technical Reference Guide. (Excellent resource provided by Microsoft)

    Exchange Server 2003 services run under the LocalSystem account. This has the following security implications:
    • No extra services account or password changes required: The LocalSystem account (NT AUTHORITY\LocalSystem) always exists and has a random hexadecimal number as the password. This password changes automatically every seven days, so you do not need to create a services account in Active Directory before you install Exchange Server 2003 or change a services password at frequent intervals.
    • Full control to all local resources: Because Exchange Server 2003 services have full control over all local resources, these services usually have unrestricted access to the registry database, IIS metabase, and the file system. This is not the case, however, if the special Windows account SYSTEM or the Everyone account is explicitly denied access, which is not recommended. Thus, if Exchange 2003 is installed on a domain controller, Exchange Server 2003 services have full access to Active Directory, because the domain controller hosts a directory replica, and LocalSystem has complete access to local resources.
    Most security-conscious organizations do not install Exchange Server 2003 on a domain controller, because this installation does not enable separate administration of Exchange Server 2003 and Active Directory.

    • LocalSystem enables access to local resources only: When a service runs under the LocalSystem account, it can access only local resources, unless another account is used for network access. Therefore, services that run under LocalSystem use the NetworkService account for network access. The name of the account is NT AUTHORITY\NetworkService. This account does not have a password.
    The NetworkService account corresponds to the computer account of the local computer in the domain. An Exchange service that runs in the security context of the LocalSystem account uses the local computer account credentials when accessing domain resources, such as Active Directory, over the network. Thus, Exchange Server 2003 has substantially fewer privileges on a member server than on a domain controller, because computer accounts by default have very few privileges and do not belong to any groups. The default configuration for computer accounts permits only minimal access to Active Directory.
    To address this issue and grant the computer account the required permissions, Exchange Server 2003 creates the following two special security groups in Active Directory:
        • Exchange Domain Servers: Exchange Domain Servers is a global security group that contains the computer accounts of all servers running Exchange Server in a domain.
        • Exchange Enterprise Servers: Exchange Enterprise Servers is a local security group that contains all global Exchange Domain Servers groups in the forest. This security group grants access to the required resources in the local domain for all Exchange computer accounts.
    Do not rename or move the Exchange Domain Servers or Exchange Enterprise Servers security groups, and do not remove computer accounts of existing servers running Exchange from these groups.

    Download the guide and read it once

    cheers !


    Author Comment

    One more question before I give the points.
    Is there a way to find out if any server is using this account as a service account? Can I run any kind of script?
    LVL 20

    Expert Comment

    I don't know if there is any script for this.

    As explained by dvrdn, you can go to the Services tool from Control Panel -> Administrative Tools -> Services. Here you can sort the column "Log On As" to list the service accounts for each service installed. Here you can find the account responsible for controlling each service.


    The user name and password of the service account are specified at the time the service is installed. SCM stores the user name in a REG_SZ registry value named ObjectName within the Registry key of the individual service (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service name>). The password is in a secure portion of Local Security Authority (LSA). You can change the service account in the Services tool, using the Log On tab.


    Author Comment

    I am aware of going into services on each server and checking. I was looking for more of a script to just check if any server in our domain has the admin account attached to a service. As we have 65 servers it would be hard to go one by one.
    I guess there isn't. Thanks for your input.
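
The check asked for in this thread (which servers still run a service under the old admin account), as an added example that is not part of the original posts: it reads each service's logon account, the `ObjectName` value described above, which WMI exposes as `Win32_Service.StartName`, from every server in a list. The account `EXAMPLE\exadmin` and the file `servers.txt` are placeholders, and the script assumes PowerShell 3.0 or later with WinRM reachable on the servers.

```powershell
# Added example. EXAMPLE\exadmin and servers.txt are placeholder names.

function Test-ServiceAccountMatch {
    param([string]$StartName, [string]$Account)
    # Some Win32_Service instances have no logon account at all.
    if ([string]::IsNullOrEmpty($StartName)) { return $false }
    # Reduce DOMAIN\user, .\user and user@domain to the bare user name so
    # every spelling of the account is caught. A local account with the same
    # name will also match; StartName is reported so it can be told apart.
    $user = (($StartName -split '\\')[-1] -split '@')[0]
    $want = (($Account   -split '\\')[-1] -split '@')[0]
    return ($user -ieq $want)
}

function Find-ServiceAccountUsage {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Account
    )
    foreach ($server in $ComputerName) {
        try {
            $services = Get-CimInstance -ClassName Win32_Service `
                -ComputerName $server -ErrorAction Stop
        } catch {
            # An unreachable server is reported, not skipped: no answer is
            # not the same as "account not in use".
            [pscustomobject]@{
                Server = $server; Service = $null; StartName = $null
                State  = $null;   Status  = "QueryFailed: $($_.Exception.Message)"
            }
            continue
        }
        $services |
            Where-Object { Test-ServiceAccountMatch $_.StartName $Account } |
            ForEach-Object {
                [pscustomobject]@{
                    Server = $server; Service = $_.Name; StartName = $_.StartName
                    State  = $_.State; Status = 'Match'
                }
            }
    }
}

# Usage: one server name per line in servers.txt (placeholder file).
# Find-ServiceAccountUsage -ComputerName (Get-Content .\servers.txt) `
#     -Account 'EXAMPLE\exadmin' | Format-Table -AutoSize
```

Services are only one place the password is stored: scheduled tasks, IIS application pool identities and COM+ applications configured with the same account are not covered by this query.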
