  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 410

domain passwords

I've a documented set of domain passwords from an old manual that I need to test to see if they are still active usernames/passwords. The user accounts they are associated with have been set so that their password does not expire. I don't know if the accounts are in use or what purpose they are serving. What is the safest way to test if the passwords are valid, or what could go wrong testing the passwords (i.e. just interactively logging in), and if there are operational risks, what are the best ways to prevent such risks?
0
Asked by pma111
4 Solutions
 
Joseph Moody, Blogger and wearer of all hats. Commented:
Passwords for domain users should not be written down.

If you need to reset a user password, you should do that within Active Directory. Your organization should have a policy in place for resetting passwords.
0
 
Chris Patterson, Senior Systems Engineer. Commented:
Just do interactive logons on a workstation; as long as you do not lock the accounts out, you should be just fine.
0
 
Paul MacDonald, Director, Information Systems. Commented:
There shouldn't be any risk at all just testing the passwords.  Depending on the account lockout policy, you may only want to try once or twice for each one...

Ideally, the account name or some administrative documentation would tell you what they're for, but that isn't always the case.  You can disable the accounts and see what stops working.  If something important breaks, just re-enable the account.
0
 
Mike Kline Commented:
These are just regular domain accounts?  There wouldn't be any risk just logging on (none that I can think of).  Are these accounts used for services and are they in any elevated groups (domain admin etc)?

Thanks

Mike
0
 
pma111 (Author) Commented:
Mike, I suspect some are service accounts and some may also be in domain admins.
0
 
Mike Kline Commented:
Yeah, if they are in domain admins and have "never expire" checked, then that points to someone setting that up for a service.  You can still log in with it to validate the password.

In 2008 R2 we do get managed service accounts which makes dealing with service accounts a little easier (the feature is ok but still needs work)

Thanks

Mike
0
 
pma111 (Author) Commented:
Another thing that baffles me is that the first one I just checked is only 8 characters long and is in the domain admins group... yet the domain password policy is 10 characters. So how is a valid domain account working with a password of 8 characters? I was told you can exempt domain accounts from password expiry but I wasn't aware you could make a password exempt from pwd length?
0
 
Mike Kline Commented:
What I'm thinking is maybe the domain password policy used to be 8 characters at some point.  You are right, in a 2003 domain there is only one password policy per domain (unless you use a third party PW program).

Thanks

Mike
0
 
pma111 (Author) Commented:
It was perhaps once 8 characters. Are you saying if the account was set up previously when the old password policy was in place, that when you roll out a new policy, not all accounts have to adhere to it?

Could you list details of some of these 3rd party products?

I read something somewhere that you can deny READ access to a group policy somehow if you want users to be exempt from it but not sure how true that was.
0
 
Mike Kline Commented:
The two third party tools that I've seen are http://www.anixis.com/ and http://www.specopssoft.com/

So if the account was set up with the old policy then it would not force a change to 10 until the next time the password had to be changed, and in this case the PW was set to never expire so it didn't have to be changed yet.

Deny read would not work for PW policy but that does work for other GPOs...known as security filtering

Thanks

Mike
0
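The point made in the answer above (a password set under the old policy, on an account flagged never to expire, is not re-checked against the new minimum length) can be turned into a read-only check on exported account attributes before anyone tries a logon. This is an added example, not code from the thread; the sample accounts, the DN, the policy-change date and the 90-day staleness window are all assumptions.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD FILETIME epoch

def from_filetime(ticks):
    """pwdLastSet/lastLogonTimestamp: 100 ns ticks since 1601 UTC; 0 means never."""
    ticks = int(ticks)
    return EPOCH + timedelta(microseconds=ticks // 10) if ticks else None

def to_filetime(dt):  # inverse conversion, used only to build the constructed sample
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def triage(accounts, policy_changed, now, stale_days=90):
    """Never-expire accounts whose password was last set before the policy change."""
    flagged = []
    for a in accounts:
        pwd_set = from_filetime(a["pwdLastSet"])
        never_expires = bool(int(a["userAccountControl"]) & UF_DONT_EXPIRE_PASSWD)
        if not never_expires or pwd_set is None or pwd_set >= policy_changed:
            continue
        logon = from_filetime(a["lastLogonTimestamp"])
        flagged.append({
            "name": a["sAMAccountName"],
            "password_set": pwd_set.date().isoformat(),
            # Direct membership only; nested groups are not resolved here.
            "domain_admin": any(g.lower().startswith("cn=domain admins,")
                                for g in a["memberOf"]),
            # lastLogonTimestamp replicates with a lag of days, so treat it as coarse.
            "recently_used": bool(logon) and now - logon <= timedelta(days=stale_days),
        })
    return flagged

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def rec(name, uac, pwd_set, logon, groups=()):  # one constructed export record
    return {"sAMAccountName": name, "userAccountControl": uac, "memberOf": list(groups),
            "pwdLastSet": to_filetime(pwd_set),
            "lastLogonTimestamp": to_filetime(logon) if logon else 0}

DA = "CN=Domain Admins,CN=Users,DC=example,DC=local"  # constructed DN
SAMPLE = [  # constructed accounts, not taken from the thread
    rec("svc_backup", 0x10200, utc(2005, 3, 1), utc(2012, 5, 20), [DA]),
    rec("jsmith", 0x200, utc(2012, 4, 15), utc(2012, 5, 28)),
    rec("svc_old", 0x10200, utc(2004, 1, 10), None),
]
POLICY_CHANGED = utc(2009, 6, 1)  # assumed date the minimum length was raised
NOW = utc(2012, 6, 1)             # fixed "today" so the result is reproducible
print(triage(SAMPLE, POLICY_CHANGED, NOW))
```

The accounts it returns are the ones whose stored password may still be shorter than the current minimum, with the `recently_used` field giving a first hint of whether anything still logs on with them.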
 
pma111 (Author) Commented:
I assume it's the first scenario then. Cool, thanks, we learn something new every day.
0
Question has a verified solution.
