Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

domain passwords

Posted on 2011-02-23
11
Medium Priority
?
405 Views
Last Modified: 2013-11-05
I've a documented set of domain passwords from an old manual I need to test to see if they are still active usernames/passwords. the user accounts they are associated against have been set so that their password does not expire. I dont know if the accounts are in use or what they purpose they are serving. What is the safest way to test if they passwords are valid, or what could go wrong testing the passwords (i.e. just itneractively logging in), and if there are operational risks, what are the best ways to prevetn such risks
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
11 Comments
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 80 total points
ID: 34961181
Passwords for domain users should not be written down.

If you need to reset a user password, you should do that within Active Directory. Your organization should have a policy in place for resetting passwords.
0
 
LVL 7

Assisted Solution

by:Chris Patterson
Chris Patterson earned 200 total points
ID: 34961187
Just do interactive logons on a workstation, as long as you do not lock the accounts out you whould be just fine.
0
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 200 total points
ID: 34961193
There shouldn't be any risk at all just testing the passwords.  Depending on the account lockout policy, you may only want to try once or twice for each one...

Ideally, the account name or some administrative documentation would tell you what they're for, but that isn't always the case.  You can disable the accounts and see what stops working.  If something important breaks, just re-enable the account.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 34961202
These are just regular domain accounts?  There wouldn't be any risk just logging on (none that I can think of).  Are these accounts used for servcies and are they in any elevated groups (domain admin etc)

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961212
Mike I suspect some are service accounts and some may also be in domain admins
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 520 total points
ID: 34961273
Yeah if they are in domain admins and have "never expire" checked that that points to someone setting that up for a service.  You can still log in with it to validate the password.

In 2008 R2 we do get managed service accounts which makes dealing with service accounts a little easier (the feature is ok but still needs work)

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961299
Another thing that baffles me is the first I just checked is only 8 characters long, is in domain admins group..... yet the domain password policy is 10 characters. So how is a valid domain account working with a password of 8 characters? I was told you can exempt domain accounts from password expiry but I wasnt aware you could make a password exempt from pwd length?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34961361
What I'm thinking is maybe the domain password policy used to be 8 characters at some point.  You are right in a 2003 domain only one password policy per domain (unless you use a third party PW program)

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961396
It was perhaps once 8 characters. Are you saying if the account was set up previously when the old password policy was in place, that when you roll out a new policy, not all accounts have to adhere to it?

Could you list details of some of these 3rd party products.

I read something somewhere that you can deny READ access to a group policy somehow if you want users to be exempt from it but not sure how true that was.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34961421
The two third party tools that I've seen are  http://www.anixis.com/, http://www.specopssoft.com/

So if the account was setup with the old policy then it would not force a change to 10 until the next time the password had to be changed and in this case the PW was set to never expire so it didn't have to be changed yet.

Deny read would not work for PW policy but that does work for other GPOs...known as security filtering

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961448
I assume its the first scenario then, cool thanks we learn something new every day
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question