
Domain Administrator Password Change

All, we are looking at doing this soon. Can anyone recommend any decent tools that will pull back info on where the admin account is used:

i.e. Scheduled Tasks, Services, apps etc.

We would like this to be as seamless as possible, any ideas?


2 Solutions
I don't think such tools are available in the market. You need to identify those manually in all workstations and servers.

There are no tools available as far as I know to verify this. You can write a script for this and apply it on all servers/workstations you want to scan for the use of the domain admin account. The script can report it back to a central logfile or something. In my opinion this is the most effective way to accomplish this task.

For my understanding: why are domain admin accounts used for service accounts? Normally you won't use a domain admin account for this. Domain admin accounts may only be given to those persons who are responsible for maintenance across the domain, not for service accounts.


Indeed there is no simple way of doing this, which is why the recommended policy has always been NOT to use the administrator (or indeed any other "user" account) for these purposes. You should create accounts specifically for the purpose, accounts which are not used by users for logon, and set these to have complex passwords that never expire.

I stumbled across some scripts which may help - see http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_23919403.html

However, please heed the previous advice and take the opportunity to create new accounts, specifically for the job.
To output scheduled tasks (not created with AT):

schtasks.exe /query /fo list /v > c:\scheduledTasks.txt

or just find if the admin is running it:

schtasks.exe /query /fo list /v | find "User"

I made a VBS script to check for services some years ago. You are prompted for which server to check and the username. You need to run the script with a user that has privileges on the remote servers. If you have a lot of servers this job will take some time for you to complete. You can modify the script if you have many servers and make it read the server names to check against from a text file.

' Prompt for the account to look for and the server to check
strUser = InputBox("User: ")
strComputer = InputBox("Check on server: ")

WScript.Echo "Looking if " & strUser & " is running any services on " & strComputer

' Connect to WMI on the remote server (the running user needs admin rights there)
Set objWMIService = GetObject _
    ("winmgmts:\\" & strComputer & "\root\cimv2")
' StartName holds the account a service logs on as, e.g. DOMAIN\user
Set colServices = objWMIService.ExecQuery _
    ("Select * From Win32_Service Where StartName = '" & strUser & "'")
For Each objService In colServices
    WScript.Echo objService.Name
Next
MsgBox "Done"

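As an added example (not part of this thread and not any poster's script), the same check done in PowerShell and extended the way the answers above suggest: it reads server names from a text file, looks at scheduled tasks as well as services, and writes every hit to one central CSV. The account name, the two file paths and WinRM/CIM access with admin rights on each target are assumptions.

```powershell
# Added example, not from the original thread. Inventory services and scheduled
# tasks that run as a given account across a list of servers, into one CSV.
# Assumptions: servers.txt holds one hostname per line; WinRM is enabled and the
# running user is a local admin on each target; the account is given as DOMAIN\user.
param(
    [string]$Account    = 'CONTOSO\Administrator',    # assumed account name
    [string]$ServerList = 'C:\temp\servers.txt',      # assumed input path
    [string]$Report     = 'C:\temp\admin-usage.csv'   # assumed output path
)

# Task principals are sometimes stored without the domain part, so match on the
# bare user name for tasks and on the full DOMAIN\user for services.
$userPart = $Account.Split('\')[-1]
$servers  = Get-Content $ServerList | Where-Object { $_.Trim() }

$results = foreach ($server in $servers) {
    try {
        # Services: Win32_Service.StartName is the logon account of the service
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -eq $Account } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'Service'
                                   Name = $_.Name; RunAs = $_.StartName; State = $_.State }
            }

        # Scheduled tasks: Principal.UserId is the account the task runs as
        Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$using:userPart" }
        } | ForEach-Object {
            [pscustomobject]@{ Server = $server; Type = 'ScheduledTask'
                               Name = $_.TaskName; RunAs = $_.Principal.UserId; State = $_.State }
        }
    }
    catch {
        # Record unreachable servers so the gap is visible in the report
        [pscustomobject]@{ Server = $server; Type = 'Error'
                           Name = $_.Exception.Message; RunAs = ''; State = '' }
    }
}

$results | Export-Csv -Path $Report -NoTypeInformation
$results | Format-Table -AutoSize
```

Rows of type Error mean the server was not scanned at all, so the absence of hits there says nothing; follow those up before changing the password.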

You can use a GPO to enable audit policies on all servers and workstations. Then use an event log collector software to gather all the logs and trigger alerts on certain conditions, in this case the use of the administrator account.
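As an added example, not from the thread: once the GPO has turned on success auditing for logon events, this PowerShell query pulls the Security log entries (event 4624) where the named account logged on as a service (logon type 5) or as a batch job, which is how scheduled tasks log on (logon type 4). The account name and the seven-day window are assumed values; run it on each server, or give the same filter to the event collector.

```powershell
# Added example, not from the original thread. Find 4624 logon events where the
# named account logged on as a service (type 5) or batch job / scheduled task (type 4).
# Assumes "Audit logon events" (success) is enabled by GPO and the Security log is readable.
param(
    [string]$User = 'Administrator',   # assumed sAMAccountName of the account
    [int]$Days    = 7                  # assumed look-back window
)

# timediff() in event log XPath is in milliseconds
$windowMs = $Days * 86400000
$xpath = @"
*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $windowMs]]
  and EventData[Data[@Name='TargetUserName']='$User'
                and (Data[@Name='LogonType']='4' or Data[@Name='LogonType']='5')]]
"@

Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Computer  = $_.MachineName
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            Process   = $d.ProcessName
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Logon type 5 entries come from the Service Control Manager starting a service under that account, and type 4 from the Task Scheduler, so each row points at a host where a service or task still carries the old credentials.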
