Solved

domain passwords

Posted on 2011-02-23
11
402 Views
Last Modified: 2013-11-05
I've a documented set of domain passwords from an old manual I need to test to see if they are still active usernames/passwords. the user accounts they are associated against have been set so that their password does not expire. I dont know if the accounts are in use or what they purpose they are serving. What is the safest way to test if they passwords are valid, or what could go wrong testing the passwords (i.e. just itneractively logging in), and if there are operational risks, what are the best ways to prevetn such risks
0
Comment
Question by:pma111
11 Comments
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 20 total points
ID: 34961181
Passwords for domain users should not be written down.

If you need to reset a user password, you should do that within Active Directory. Your organization should have a policy in place for resetting passwords.
0
 
LVL 7

Assisted Solution

by:Chris Patterson
Chris Patterson earned 50 total points
ID: 34961187
Just do interactive logons on a workstation, as long as you do not lock the accounts out you whould be just fine.
0
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 50 total points
ID: 34961193
There shouldn't be any risk at all just testing the passwords.  Depending on the account lockout policy, you may only want to try once or twice for each one...

Ideally, the account name or some administrative documentation would tell you what they're for, but that isn't always the case.  You can disable the accounts and see what stops working.  If something important breaks, just re-enable the account.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 34961202
These are just regular domain accounts?  There wouldn't be any risk just logging on (none that I can think of).  Are these accounts used for servcies and are they in any elevated groups (domain admin etc)

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961212
Mike I suspect some are service accounts and some may also be in domain admins
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 130 total points
ID: 34961273
Yeah if they are in domain admins and have "never expire" checked that that points to someone setting that up for a service.  You can still log in with it to validate the password.

In 2008 R2 we do get managed service accounts which makes dealing with service accounts a little easier (the feature is ok but still needs work)

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961299
Another thing that baffles me is the first I just checked is only 8 characters long, is in domain admins group..... yet the domain password policy is 10 characters. So how is a valid domain account working with a password of 8 characters? I was told you can exempt domain accounts from password expiry but I wasnt aware you could make a password exempt from pwd length?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34961361
What I'm thinking is maybe the domain password policy used to be 8 characters at some point.  You are right in a 2003 domain only one password policy per domain (unless you use a third party PW program)

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961396
It was perhaps once 8 characters. Are you saying if the account was set up previously when the old password policy was in place, that when you roll out a new policy, not all accounts have to adhere to it?

Could you list details of some of these 3rd party products.

I read something somewhere that you can deny READ access to a group policy somehow if you want users to be exempt from it but not sure how true that was.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34961421
The two third party tools that I've seen are  http://www.anixis.com/, http://www.specopssoft.com/

So if the account was setup with the old policy then it would not force a change to 10 until the next time the password had to be changed and in this case the PW was set to never expire so it didn't have to be changed yet.

Deny read would not work for PW policy but that does work for other GPOs...known as security filtering

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34961448
I assume its the first scenario then, cool thanks we learn something new every day
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question