Changing the Active Directory domain admin's password

Hello everyone, I need to change our company's domain admin, enterprise admin and Exchange admin's password soon, as a staff change is coming very soon.

I've heard and read stories (most scary!) online about how you shouldn't do this, and there are several services, programs, and more tied to these user accounts that are contingent on that user account and can cause problems (makes sense).

I've been steadily fixing poor past admin practices and separating out accounts for certain services/programs instead of what we have now, just the one user ID and one password that everything's tied to.

I'm running Windows Server 2008 R2 Standard (all my domain controllers) and have several Windows 2003 servers in the mix with various apps like SQL, SharePoint, Exchange 2007 to name a few.

If I just right-click on that domain admin/enterprise user account and did a change password, I guess I could just continuously watch event logs and correct one by one anything upset or failing. Pretty much concerned about the impact; any surprises or your experiences with doing this would be VERY welcome. Thanks again everyone!
jbishop2446b Asked:

Mike Kline Commented:
I'd do it after hours, that is the biggest mistake people make.  If there is a service using it that you don't know of then you can catch it while users are not around.

There is no real easy way to find every service that could be using the account.  This is a reason Microsoft created managed service accounts in 2008 R2 and group managed service accounts coming in Windows 8...this can be a real issue.

Thanks

Mike
emadallan Commented:
To avoid any problems related to applications that relate to the domain password, you can instead create an MSA (Managed Service Account) service account and bind it to your applications such as SQL, SharePoint...
Here is a great article that guides you to create this MSA account.
http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx

By creating this MSA account you are no longer tied to domain admin, so you can change their passwords without any problems.
GlobalStrata Commented:
I have worked in several environments where this is done every 3-6 months in one night.  Yes, this is normally done after hours and the easiest way we always did this is using a script.  But before doing this:

1. Inventory your servers
2. Check the Services.msc for any services using accounts to start up
3. Check any Scheduled Tasks that may be running on servers using accounts
4. Check Backup agents since in the program they often configure accounts and password with access to the particular servers

Once you have that, you can establish a plan of attack.  If the environment is big, eventually you want to script this.
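
The service and scheduled-task checks from steps 2 and 3 above can be run across the whole server inventory in one pass. This is an added example, not code from the thread; the account name and server names are placeholders, and it assumes English-language servers (the schtasks CSV column names are localized) with remote WMI reachable.

```powershell
# Added example: list services and scheduled tasks that run as a given account.
# $Account and $Servers are placeholders; supply the real inventory from step 1.
param(
    [string]   $Account = 'EXAMPLE\Administrator',   # expected in DOMAIN\user form
    [string[]] $Servers = @('SERVER01', 'SERVER02')
)

# Match DOMAIN\user, user@domain and bare user spellings of the same name.
# A local account with the same name (.\user) also matches; review those by hand.
$user    = ($Account -split '\\')[-1]
$pattern = '(^|\\)' + [regex]::Escape($user) + '(@|$)'

$findings = foreach ($server in $Servers) {
    try {
        # Step 2: services whose logon account (StartName) is the target account.
        Get-WmiObject -Class Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -match $pattern } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server = $server; Type = 'Service'; Name = $_.Name; RunAs = $_.StartName
                }
            }

        # Step 3: scheduled tasks. /v adds the "Run As User" column to the CSV.
        schtasks.exe /query /s $server /fo csv /v 2>$null |
            ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -match $pattern } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server = $server; Type = 'Task'; Name = $_.TaskName; RunAs = $_.'Run As User'
                }
            }
    }
    catch {
        # An unreachable server is itself a finding: it has not been checked.
        New-Object PSObject -Property @{
            Server = $server; Type = 'ERROR'; Name = $_.Exception.Message; RunAs = ''
        }
    }
}

# Tasks with several triggers appear more than once in schtasks output; dedupe.
$findings | Sort-Object Server, Type, Name -Unique |
    Format-Table Server, Type, Name, RunAs -AutoSize
```

Backup agents and applications that store the credential in their own configuration (step 4) do not appear in either listing and still need to be checked in each product's console.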
jbishop2446b (Author) Commented:
Thank you, I finally did this and like you said it's important to inventory each server, especially any server running SQL and Citrix servers.