

Changing service account password

Posted on 2005-04-20
Medium Priority
Last Modified: 2008-01-09
In the past we had Exchange 5.5 and had an admin service account for it.
We have now finished migrating all Exchange 5.5 users to Exchange 2003 SP1 and are in native mode.

All our Exchange 2003 servers are installed using the admin account.

Can I change the password of the admin account? Will it affect any services or anything else in Exchange 2003?
Question by:cdaya

Assisted Solution

dvrdn earned 640 total points
ID: 13830303
You can change it and should not have any adverse effects. Just make sure that you change the passwords for any services that use that account. When you have done that, restart the services and make sure that they start properly.

LVL 27

Assisted Solution

Exchange_Admin earned 640 total points
ID: 13830474
dvrdn is correct.
Exchange 2000 and 2003 use the "local system account" instead of an actual service account like in Exchange 5.5.
LVL 20

Accepted Solution

ikm7176 earned 720 total points
ID: 13831977


Adding my 2 cents...

The following information is taken from the Exchange 2003 Technical Reference Guide. (Excellent resource provided by Microsoft)

Exchange Server 2003 services run under the LocalSystem account. This has the following security implications:
• No extra services account or password changes required: The LocalSystem account (NT AUTHORITY\LocalSystem) always exists and has a random hexadecimal number as the password. This password changes automatically every seven days, so you do not need to create a services account in Active Directory before you install Exchange Server 2003 or change a services password at frequent intervals.
• Full control to all local resources: Because Exchange Server 2003 services have full control over all local resources, these services usually have unrestricted access to the registry database, IIS metabase, and the file system. This is not the case, however, if the special Windows account SYSTEM or the Everyone account is explicitly denied access, which is not recommended. Thus, if Exchange 2003 is installed on a domain controller, Exchange Server 2003 services have full access to Active Directory, because the domain controller hosts a directory replica, and LocalSystem has complete access to local resources.
  Most security-conscious organizations do not install Exchange Server 2003 on a domain controller, because this installation does not enable separate administration of Exchange Server 2003 and Active Directory.

• LocalSystem enables access to local resources only: When a service runs under the LocalSystem account, it can access only local resources, unless another account is used for network access. Therefore, services that run under LocalSystem use the NetworkService account for network access. The name of the account is NT AUTHORITY\NetworkService. This account does not have a password.
  The NetworkService account corresponds to the computer account of the local computer in the domain. An Exchange service that runs in the security context of the LocalSystem account uses the local computer account credentials when accessing domain resources, such as Active Directory, over the network. Thus, Exchange Server 2003 has substantially fewer privileges on a member server than on a domain controller, because computer accounts by default have very few privileges and do not belong to any groups. The default configuration for computer accounts permits only minimal access to Active Directory.
  To address this issue and grant the computer account the required permissions, Exchange Server 2003 creates the following two special security groups in Active Directory:
    • Exchange Domain Servers: Exchange Domain Servers is a global security group that contains the computer accounts of all servers running Exchange Server in a domain.
    • Exchange Enterprise Servers: Exchange Enterprise Servers is a local security group that contains all global Exchange Domain Servers groups in the forest. This security group grants access to the required resources in the local domain for all Exchange computer accounts.
  Do not rename or move the Exchange Domain Servers or Exchange Enterprise Servers security groups, and do not remove computer accounts of existing servers running Exchange from these groups.

Download the guide and read it once

cheers !



Author Comment

ID: 13839583
One more question before I give the points.
Is there a way to find out if any server is using this account as a service account? Can I run any kind of script?
LVL 20

Expert Comment

ID: 13848722
I don't know if there is any script for this.

As explained by dvrdn, you can go to the Services tool from Control Panel -> Administrative Tools -> Services. Here you can sort the column "Log On As" to list the service accounts for each service installed. Here you can find the account responsible for controlling each service.


The user name and password of the service account are specified at the time the service is installed. SCM stores the user name in a REG_SZ registry value named ObjectName within the Registry key of the individual service (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service name>). The password is in a secure portion of Local Security Authority (LSA). You can change the service account in the Services tool, using the Log On tab.


Author Comment

ID: 13851615
I am aware of going into services on each server and checking. I was looking for more of a script to just check if any server in our domain has the admin account attached to the service. As we have 65 servers it would be hard to go one by one.
I guess there isn't. Thanks for your input.
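
The check asked about in the last comments, which servers have a service logging on as a given account, can be scripted. The following is an added example, not part of the original thread: it reads each service's StartName through the Win32_Service WMI class (the same value SCM keeps in ObjectName). The account name, server list file and CSV path are placeholders, and it assumes the caller has administrative rights and DCOM/WMI access to every server.

```powershell
# Added example (not from the thread): list services that log on as one account.
# Assumptions: the account name, servers.txt and the CSV path are placeholders.
param(
    [string]$Account    = 'EXAMPLE\svc-exchange',
    [string]$ServerList = '.\servers.txt',              # one host name per line
    [string]$OutCsv     = '.\service-account-usage.csv'
)

# Reduce 'DOMAIN\user', '.\user' or 'user@domain' to the bare user name so the
# account matches however it was typed into the Log On tab. A same-named local
# account also matches; the StartName column shows the full form for review.
function Get-BareUserName([string]$Name) {
    if ([string]::IsNullOrWhiteSpace($Name)) { return '' }   # StartName can be empty
    ($Name -replace '^.*\\', '' -replace '@.*$', '').ToLowerInvariant()
}

$wanted = Get-BareUserName $Account
$dcom   = New-CimSessionOption -Protocol Dcom   # older servers may not have WinRM

$results = @(foreach ($server in Get-Content -Path $ServerList) {
    $server = $server.Trim()
    if (-not $server) { continue }
    $session = $null
    try {
        $session = New-CimSession -ComputerName $server -SessionOption $dcom -ErrorAction Stop
        Get-CimInstance -CimSession $session -ClassName Win32_Service -ErrorAction Stop |
            Where-Object { (Get-BareUserName $_.StartName) -eq $wanted } |
            Select-Object @{n='Server';e={$server}}, Name, DisplayName, StartName, StartMode, State
    }
    catch {
        # Record unreachable hosts so they are not mistaken for servers with no match.
        [pscustomobject]@{ Server = $server; Name = '<query failed>'
                           DisplayName = $_.Exception.Message
                           StartName = $null; StartMode = $null; State = $null }
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
})

$results | Sort-Object Server, Name | Format-Table -AutoSize
$results | Export-Csv -Path $OutCsv -NoTypeInformation
```

This covers Windows services only; rows marked `<query failed>` are servers that still need to be checked by hand before the password is changed.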

Question has a verified solution.