Changing service account password

In the past we had Exchange 5.5 and had an admin service account for it.
We have now finished migrating all Exchange 5.5 users to Exchange 2003 SP1 and are in native mode.

All our Exchange 2003 servers are installed using the admin account.

Can I change the password of the admin account? Will it affect any services or anything else in Exchange 2003?
ikm7176 (Sr. IT Manager) commented:


Adding my 2 cents...

The following information is taken from the Exchange 2003 Technical Reference Guide. (Excellent resource provided by Microsoft)

Exchange Server 2003 services run under the LocalSystem account. This has the following security implications:
• No extra services account or password changes required: The LocalSystem account (NT AUTHORITY\LocalSystem) always exists and has a random hexadecimal number as the password. This password changes automatically every seven days, so you do not need to create a services account in Active Directory before you install Exchange Server 2003 or change a services password at frequent intervals.
• Full control to all local resources: Because Exchange Server 2003 services have full control over all local resources, these services usually have unrestricted access to the registry database, IIS metabase, and the file system. This is not the case, however, if the special Windows account SYSTEM or the Everyone account is explicitly denied access, which is not recommended. Thus, if Exchange 2003 is installed on a domain controller, Exchange Server 2003 services have full access to Active Directory, because the domain controller hosts a directory replica, and LocalSystem has complete access to local resources.
  Most security-conscious organizations do not install Exchange Server 2003 on a domain controller, because this installation does not enable separate administration of Exchange Server 2003 and Active Directory.
• LocalSystem enables access to local resources only: When a service runs under the LocalSystem account, it can access only local resources, unless another account is used for network access. Therefore, services that run under LocalSystem use the NetworkService account for network access. The name of the account is NT AUTHORITY\NetworkService. This account does not have a password.
  The NetworkService account corresponds to the computer account of the local computer in the domain. An Exchange service that runs in the security context of the LocalSystem account uses the local computer account credentials when accessing domain resources, such as Active Directory, over the network. Thus, Exchange Server 2003 has substantially fewer privileges on a member server than on a domain controller, because computer accounts by default have very few privileges and do not belong to any groups. The default configuration for computer accounts permits only minimal access to Active Directory.
  To address this issue and grant the computer account the required permissions, Exchange Server 2003 creates the following two special security groups in Active Directory:
    • Exchange Domain Servers: Exchange Domain Servers is a global security group that contains the computer accounts of all servers running Exchange Server in a domain.
    • Exchange Enterprise Servers: Exchange Enterprise Servers is a local security group that contains all global Exchange Domain Servers groups in the forest. This security group grants access to the required resources in the local domain for all Exchange computer accounts.
  Do not rename or move the Exchange Domain Servers or Exchange Enterprise Servers security groups, and do not remove computer accounts of existing servers running Exchange from these groups.

Download the guide and read it once

cheers !

You can change it and should not have any adverse effects. Just make sure that you change the passwords for any services that use that account. When you have done that, restart the services and make sure that they start properly.

dvrdn is correct.
Exchange 2000 and 2003 use the "local system account" instead of an actual service account like in Exchange 5.5.

cdaya (Author) commented:
One more question before I give the points.
Is there a way to find out if any server is using this account as a service account? Can I run any kind of script?
ikm7176 (Sr. IT Manager) commented:
I don't know if there is any script for this.

As explained by dvrdn, you can go to the Services tool from Control Panel -> Administrative Tools -> Services. Here you can sort the column "Log On As" to list the service accounts for each service installed. Here you can find the account responsible for controlling each service.


The user name and password of the service account are specified at the time the service is installed. SCM stores the user name in a REG_SZ registry value named ObjectName within the Registry key of the individual service (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service name>). The password is in a secure portion of Local Security Authority (LSA). You can change the service account in the Services tool, using the Log On tab.

cdaya (Author) commented:
I am aware of going into Services on each server and checking. I was looking for more of a script to just check if any server in our domain has the admin account attached to a service. As we have 65 servers, it would be hard to go one by one.
I guess there isn't. Thanks for your input.
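Added example, not part of the original thread: one way to script the per-server check is to read each service's logon account over WMI, where `Win32_Service.StartName` exposes the same value that the Services tool shows as "Log On As" and that the SCM stores as `ObjectName`. The account name `EXAMPLE\exadmin`, the server names, and both function names are placeholders assumed for illustration.

```powershell
# Added example: inventory services that log on as a given account.
# Account and server names below are placeholders, not values from the thread.

function Test-LogonMatch {
    # Compare a service's StartName with the account, accepting the
    # DOMAIN\user, user@domain and .\user spellings. Matching is on the short
    # name only, so a local account with the same name is also flagged for review.
    param([string]$StartName, [string]$Account)
    if ([string]::IsNullOrEmpty($StartName)) { return $false }
    $short = { param($n) ($n -split '\\')[-1].Split('@')[0].ToLowerInvariant() }
    return (& $short $StartName) -eq (& $short $Account)
}

function Find-ServiceAccountUse {
    param(
        [string[]]$ComputerName,
        [string]$Account,
        # Dcom reaches older hosts that have no WinRM listener
        [ValidateSet('Wsman', 'Dcom')][string]$Protocol = 'Wsman'
    )
    foreach ($server in $ComputerName) {
        $session = $null
        try {
            $option   = New-CimSessionOption -Protocol $Protocol
            $session  = New-CimSession -ComputerName $server -SessionOption $option -ErrorAction Stop
            $services = Get-CimInstance -CimSession $session -ClassName Win32_Service -ErrorAction Stop
            foreach ($svc in $services) {
                if (Test-LogonMatch $svc.StartName $Account) {
                    [pscustomobject]@{ Server = $server; Service = $svc.Name; LogOnAs = $svc.StartName; Status = $svc.State }
                }
            }
        } catch {
            # An unreachable server is reported, not silently treated as clean
            [pscustomobject]@{ Server = $server; Service = $null; LogOnAs = $null; Status = "query failed: $($_.Exception.Message)" }
        } finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Constructed StartName values showing what the match accepts and rejects
'EXAMPLE\exadmin', 'exadmin@example.local', 'LocalSystem', 'NT AUTHORITY\NetworkService' |
    ForEach-Object { '{0,-30} {1}' -f $_, (Test-LogonMatch $_ 'EXAMPLE\exadmin') }

# The server list could instead be read from a text file, one name per line
Find-ServiceAccountUse -ComputerName 'SERVER01', 'SERVER02' -Account 'EXAMPLE\exadmin' |
    Format-Table -AutoSize
```

Rows with a "query failed" status need a manual check in the Services tool before the password is changed.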