Solved

Changing the active directory domain admin's password

Posted on 2012-03-22
4
541 Views
Last Modified: 2012-09-28
Hello everyone, I need to change our companies domain admin, enterprise admin and exchange admin's password soon as a staff change is coming very soon.

I've heard and read stories (most scary!) online how you shouldn't do this and there several services, programs, and more tied to these users accounts that are contingent on that user account and can cause problems..(makes sense).

I've been steadily fixing poor past admin practices and separating out accounts for certain services/programs instead of what we have now, just the one user ID and one password that everything's tied to.

I'm running Windows Server 2008 R2 standard (all my domain controllers) and have several 2003 Window servers in the mix with various apps like SQL, SharePoint, Exchange 2007 to name a few.

If I just right click on that domain admin/enterprise user account, did change password I guess I could just continuously watch event logs and correct one by one anything upset or failing.  Pretty much concerned about the impact and any surprises or your experiences with doing this would be VERY welcomed.   Thanks again everyone!
0
Comment
Question by:jbishop2446b
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37753546
I'd do it after hours, that is the biggest mistake people make.  If there is a service using it that you don't know of then you can catch it while users are not around.

There is no real easy way to find every service that could be using the account.  This is a reason Microsoft created managed service accounts in 2008 R2 and group managed service accounts coming in Windows 8...this can be a real issue.

Thanks

Mike
0
 
LVL 6

Expert Comment

by:emadallan
ID: 37753548
to avoid any problems related to Applications that relate to domain pass, you can instead create MSA( Managed Service Account)service account and bind it to your applications such as SQL, SharePoint...
here is a greate article that guide you to create this MSA account.
http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx

by creating this MSA account you no longer tied to domain admin, so you can change their passwords without any problems.
0
 
LVL 3

Accepted Solution

by:
GlobalStrata earned 500 total points
ID: 37755237
I have worked in several environments where this is done every 3-6 months in one night.  Yes, this is normally done after hours and the easiest way we always did this is using a script.  But before doing this:

1. Inventory your servers
2. Check the Services.msc for any services using accounts to start up
3. Check any Scheduled Tasks that may be running on servers using accounts
4. Check Backup agents since in the program they often configure accounts and password with access to the particular servers

Once you have that, you can establish a plan of attack.  If the environment is big, eventually you want to script this.
0
 

Author Closing Comment

by:jbishop2446b
ID: 38445369
Thank you, I finally did this and like you said it's important to inventory each server, espcialy any server running SQL and Citrix servers.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question