Solved

Changing the active directory domain admin's password

Posted on 2012-03-22
Medium Priority
Last Modified: 2012-09-28
Hello everyone, I need to change our company's domain admin, enterprise admin and Exchange admin passwords soon, as a staff change is coming very soon.

I've heard and read stories (most scary!) online about how you shouldn't do this, and that there are several services, programs, and more tied to these user accounts that are contingent on that user account and can cause problems (makes sense).

I've been steadily fixing poor past admin practices and separating out accounts for certain services/programs instead of what we have now, just the one user ID and one password that everything's tied to.

I'm running Windows Server 2008 R2 Standard (all my domain controllers) and have several Windows 2003 servers in the mix with various apps like SQL, SharePoint, Exchange 2007 to name a few.

If I just right-click on that domain admin/enterprise user account and change the password, I guess I could just continuously watch event logs and correct one by one anything upset or failing. Pretty much concerned about the impact, and any surprises or your experiences with doing this would be VERY welcomed. Thanks again everyone!
Question by:jbishop2446b
4 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37753546
I'd do it after hours, that is the biggest mistake people make.  If there is a service using it that you don't know of then you can catch it while users are not around.

There is no real easy way to find every service that could be using the account.  This is a reason Microsoft created managed service accounts in 2008 R2 and group managed service accounts coming in Windows 8...this can be a real issue.

Thanks

Mike
0
 
LVL 6

Expert Comment

by:emadallan
ID: 37753548
To avoid any problems related to applications that relate to the domain pass, you can instead create an MSA (Managed Service Account) service account and bind it to your applications such as SQL, SharePoint...
Here is a great article that guides you to create this MSA account.
http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx

By creating this MSA account you are no longer tied to the domain admin, so you can change their passwords without any problems.
0
 
LVL 3

Accepted Solution

by:
GlobalStrata earned 2000 total points
ID: 37755237
I have worked in several environments where this is done every 3-6 months in one night.  Yes, this is normally done after hours and the easiest way we always did this is using a script.  But before doing this:

1. Inventory your servers
2. Check the Services.msc for any services using accounts to start up
3. Check any Scheduled Tasks that may be running on servers using accounts
4. Check Backup agents since in the program they often configure accounts and password with access to the particular servers

Once you have that, you can establish a plan of attack.  If the environment is big, eventually you want to script this.
0
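
Steps 2 and 3 of the checklist above as a PowerShell script (an added example, not part of the original answer or written by its author). The file `servers.txt` and the account `CONTOSO\Administrator` are constructed placeholders; the script assumes WMI access to each server and English-language `schtasks` output.

```powershell
# Added example: find services and scheduled tasks that log on as the account
# whose password is about to change.
# Assumptions: servers.txt holds one server name per line (hypothetical file),
# CONTOSO\Administrator is a placeholder account name.
param(
    [string]$ServerList = '.\servers.txt',
    [string]$Account    = 'CONTOSO\Administrator',
    [string]$OutFile    = '.\account-usage.csv'
)

# Match DOMAIN\user, user@domain and bare user. This also flags a local
# account with the same name, which is worth reviewing anyway.
$user    = ($Account -split '\\')[-1]
$pattern = '(^|\\)' + [regex]::Escape($user) + '($|@)'

$results = foreach ($server in Get-Content $ServerList) {
    try {
        # Services: StartName is the logon account configured for the service.
        Get-WmiObject -Class Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -match $pattern } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server = $server; Type = 'Service'
                    Name = $_.Name; RunAs = $_.StartName }
            }

        # Scheduled tasks: verbose CSV output repeats its header row once per
        # task folder, so rows that are just the header again are dropped.
        schtasks.exe /Query /S $server /FO CSV /V 2>$null | ConvertFrom-Csv |
            Where-Object { $_.TaskName -ne 'TaskName' -and
                           $_.'Run As User' -match $pattern } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server = $server; Type = 'ScheduledTask'
                    Name = $_.TaskName; RunAs = $_.'Run As User' }
            }
    }
    catch {
        # A server that cannot be queried is listed so it gets checked by hand.
        New-Object PSObject -Property @{
            Server = $server; Type = 'ERROR'
            Name = $_.Exception.Message; RunAs = '' }
    }
}

$results | Select-Object Server, Type, Name, RunAs |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Credentials stored inside backup agents and other applications (step 4) are not visible to this query and still need to be checked in each product's own configuration.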
 

Author Closing Comment

by:jbishop2446b
ID: 38445369
Thank you, I finally did this and like you said it's important to inventory each server, especially any server running SQL and Citrix servers.
0
