Solved

domain passwords

Posted on 2011-02-23
11
Medium Priority
404 Views
Last Modified: 2013-11-05
I have a documented set of domain passwords from an old manual that I need to test to see if they are still active usernames/passwords. The user accounts they are associated with have been set so that their password does not expire. I don't know if the accounts are in use or what purpose they are serving. What is the safest way to test if the passwords are valid, or what could go wrong testing the passwords (i.e. just interactively logging in), and if there are operational risks, what are the best ways to prevent such risks?
0
Question by:pma111
11 Comments
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 80 total points
ID: 34961181
Passwords for domain users should not be written down.

If you need to reset a user password, you should do that within Active Directory. Your organization should have a policy in place for resetting passwords.
0
 
LVL 7

Assisted Solution

by:Chris Patterson
Chris Patterson earned 200 total points
ID: 34961187
Just do interactive logons on a workstation. As long as you do not lock the accounts out, you should be just fine.
0
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 200 total points
ID: 34961193
There shouldn't be any risk at all just testing the passwords.  Depending on the account lockout policy, you may only want to try once or twice for each one...

Ideally, the account name or some administrative documentation would tell you what they're for, but that isn't always the case.  You can disable the accounts and see what stops working.  If something important breaks, just re-enable the account.
0

 
LVL 57

Expert Comment

by:Mike Kline
ID: 34961202
These are just regular domain accounts?  There wouldn't be any risk just logging on (none that I can think of).  Are these accounts used for services and are they in any elevated groups (domain admin etc)?

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961212
Mike I suspect some are service accounts and some may also be in domain admins
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 520 total points
ID: 34961273
Yeah, if they are in domain admins and have "never expire" checked then that points to someone setting that up for a service.  You can still log in with it to validate the password.

In 2008 R2 we do get managed service accounts, which makes dealing with service accounts a little easier (the feature is ok but still needs work).

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961299
Another thing that baffles me is the first one I just checked is only 8 characters long and is in the domain admins group... yet the domain password policy is 10 characters. So how is a valid domain account working with a password of 8 characters? I was told you can exempt domain accounts from password expiry but I wasn't aware you could make a password exempt from pwd length?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34961361
What I'm thinking is maybe the domain password policy used to be 8 characters at some point.  You are right, in a 2003 domain there is only one password policy per domain (unless you use a third party PW program).

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961396
It was perhaps once 8 characters. Are you saying if the account was set up previously when the old password policy was in place, that when you roll out a new policy, not all accounts have to adhere to it?

Could you list details of some of these 3rd party products?

I read something somewhere that you can deny READ access to a group policy somehow if you want users to be exempt from it but not sure how true that was.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34961421
The two third party tools that I've seen are http://www.anixis.com/ and http://www.specopssoft.com/

So if the account was set up with the old policy then it would not force a change to 10 until the next time the password had to be changed, and in this case the PW was set to never expire so it didn't have to be changed yet.

Deny read would not work for PW policy but that does work for other GPOs... known as security filtering.

Thanks

Mike
0
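The point made in the answer above (a longer minimum length only bites at the next password change, so "never expires" accounts keep their old password) can be audited directly. This is an added example, not code from the thread: the function name, the policy change date, the 90-day idle threshold and the sample records are all constructed assumptions.

```powershell
# Flags enabled accounts that never expire and whose password predates the policy change.
function Find-PrePolicyAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [Parameter(Mandatory)] [datetime] $PolicyChangeDate,
        [int] $IdleDays = 90   # assumed threshold for "probably not in use"
    )
    begin { $now = Get-Date }
    process {
        if (-not $Account.Enabled -or -not $Account.PasswordNeverExpires) { return }
        # PasswordLastSet is empty when "must change at next logon" is set.
        if ($null -eq $Account.PasswordLastSet) { return }
        if ($Account.PasswordLastSet -ge $PolicyChangeDate) { return }
        $idle = if ($Account.LastLogonDate) {
            [int]($now - $Account.LastLogonDate).TotalDays
        } else { $null }
        [pscustomobject]@{
            SamAccountName  = $Account.SamAccountName
            PasswordLastSet = $Account.PasswordLastSet
            DaysSinceLogon  = $idle   # $null = never logged on
            LooksUnused     = ($null -eq $idle) -or ($idle -gt $IdleDays)
            HasSPN          = [bool]$Account.ServicePrincipalName   # hints at service use
            # MemberOf lists direct membership only, not nested groups.
            DomainAdmin     = [bool]($Account.MemberOf -match '^CN=Domain Admins,')
        }
    }
}

# Constructed sample records shaped like Get-ADUser output.
$da = 'CN=Domain Admins,CN=Users,DC=example,DC=test'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; Enabled = $true
        PasswordNeverExpires = $true; PasswordLastSet = [datetime]'2006-03-14'
        LastLogonDate = (Get-Date).AddDays(-2)
        ServicePrincipalName = @('MSSQLSvc/db01.example.test'); MemberOf = @($da) }
    [pscustomobject]@{ SamAccountName = 'oldadmin'; Enabled = $true
        PasswordNeverExpires = $true; PasswordLastSet = [datetime]'2005-11-02'
        LastLogonDate = $null; ServicePrincipalName = @(); MemberOf = @($da) }
    [pscustomobject]@{ SamAccountName = 'jsmith'; Enabled = $true
        PasswordNeverExpires = $false; PasswordLastSet = [datetime]'2010-12-01'
        LastLogonDate = (Get-Date).AddDays(-1)
        ServicePrincipalName = @(); MemberOf = @() }
)
$sample | Find-PrePolicyAccount -PolicyChangeDate '2009-01-01' | Format-Table -AutoSize

# Live domain (ActiveDirectory module, 2008 R2 or later):
# Get-ADUser -Filter * -Properties PasswordLastSet,PasswordNeverExpires,LastLogonDate,
#   ServicePrincipalName,MemberOf | Find-PrePolicyAccount -PolicyChangeDate '2009-01-01'
```

LastLogonDate is derived from lastLogonTimestamp, which replicates with a lag of up to about two weeks, so treat it as a coarse indicator of use rather than an exact last logon.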
 
LVL 3

Author Comment

by:pma111
ID: 34961448
I assume it's the first scenario then, cool thanks, we learn something new every day.
0
