Solved

domain passwords

Posted on 2011-02-23
11
403 Views
Last Modified: 2013-11-05
I've a documented set of domain passwords from an old manual I need to test to see if they are still active usernames/passwords. the user accounts they are associated against have been set so that their password does not expire. I dont know if the accounts are in use or what they purpose they are serving. What is the safest way to test if they passwords are valid, or what could go wrong testing the passwords (i.e. just itneractively logging in), and if there are operational risks, what are the best ways to prevetn such risks
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
11 Comments
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 20 total points
ID: 34961181
Passwords for domain users should not be written down.

If you need to reset a user password, you should do that within Active Directory. Your organization should have a policy in place for resetting passwords.
0
 
LVL 7

Assisted Solution

by:Chris Patterson
Chris Patterson earned 50 total points
ID: 34961187
Just do interactive logons on a workstation, as long as you do not lock the accounts out you whould be just fine.
0
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 50 total points
ID: 34961193
There shouldn't be any risk at all just testing the passwords.  Depending on the account lockout policy, you may only want to try once or twice for each one...

Ideally, the account name or some administrative documentation would tell you what they're for, but that isn't always the case.  You can disable the accounts and see what stops working.  If something important breaks, just re-enable the account.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 34961202
These are just regular domain accounts?  There wouldn't be any risk just logging on (none that I can think of).  Are these accounts used for servcies and are they in any elevated groups (domain admin etc)

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961212
Mike I suspect some are service accounts and some may also be in domain admins
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 130 total points
ID: 34961273
Yeah if they are in domain admins and have "never expire" checked that that points to someone setting that up for a service.  You can still log in with it to validate the password.

In 2008 R2 we do get managed service accounts which makes dealing with service accounts a little easier (the feature is ok but still needs work)

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961299
Another thing that baffles me is the first I just checked is only 8 characters long, is in domain admins group..... yet the domain password policy is 10 characters. So how is a valid domain account working with a password of 8 characters? I was told you can exempt domain accounts from password expiry but I wasnt aware you could make a password exempt from pwd length?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34961361
What I'm thinking is maybe the domain password policy used to be 8 characters at some point.  You are right in a 2003 domain only one password policy per domain (unless you use a third party PW program)

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961396
It was perhaps once 8 characters. Are you saying if the account was set up previously when the old password policy was in place, that when you roll out a new policy, not all accounts have to adhere to it?

Could you list details of some of these 3rd party products.

I read something somewhere that you can deny READ access to a group policy somehow if you want users to be exempt from it but not sure how true that was.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34961421
The two third party tools that I've seen are  http://www.anixis.com/, http://www.specopssoft.com/

So if the account was setup with the old policy then it would not force a change to 10 until the next time the password had to be changed and in this case the PW was set to never expire so it didn't have to be changed yet.

Deny read would not work for PW policy but that does work for other GPOs...known as security filtering

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961448
I assume its the first scenario then, cool thanks we learn something new every day
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question