Solved

Changing the active directory domain admin's password

Posted on 2012-03-22
Last Modified: 2012-09-28
Hello everyone, I need to change our company's domain admin, enterprise admin and exchange admin's password soon as a staff change is coming very soon.

I've heard and read stories (most scary!) online how you shouldn't do this and there are several services, programs, and more tied to these user accounts that are contingent on that user account and can cause problems... (makes sense).

I've been steadily fixing poor past admin practices and separating out accounts for certain services/programs instead of what we have now, just the one user ID and one password that everything's tied to.

I'm running Windows Server 2008 R2 Standard (all my domain controllers) and have several Windows 2003 servers in the mix with various apps like SQL, SharePoint, Exchange 2007 to name a few.

If I just right-click on that domain admin/enterprise user account and change the password, I guess I could just continuously watch event logs and correct one by one anything upset or failing. Pretty much concerned about the impact, and any surprises or your experiences with doing this would be VERY welcome. Thanks again everyone!
Question by:jbishop2446b
4 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37753546
I'd do it after hours, that is the biggest mistake people make.  If there is a service using it that you don't know of then you can catch it while users are not around.

There is no real easy way to find every service that could be using the account.  This is a reason Microsoft created managed service accounts in 2008 R2 and group managed service accounts coming in Windows 8...this can be a real issue.

Thanks

Mike
 
LVL 6

Expert Comment

by:emadallan
ID: 37753548
To avoid any problems related to applications that relate to the domain password, you can instead create an MSA (Managed Service Account) service account and bind it to your applications such as SQL, SharePoint...
Here is a great article that guides you to create this MSA account.
http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx

By creating this MSA account you are no longer tied to domain admin, so you can change their passwords without any problems.
 
LVL 3

Accepted Solution

by:
GlobalStrata earned 500 total points
ID: 37755237
I have worked in several environments where this is done every 3-6 months in one night.  Yes, this is normally done after hours and the easiest way we always did this is using a script.  But before doing this:

1. Inventory your servers
2. Check the Services.msc for any services using accounts to start up
3. Check any Scheduled Tasks that may be running on servers using accounts
4. Check Backup agents since in the program they often configure accounts and password with access to the particular servers

Once you have that, you can establish a plan of attack.  If the environment is big, eventually you want to script this.
0
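Steps 2 and 3 of the accepted answer, scripted as an added example that is not part of the original thread. The account name, the server names and the English-locale `schtasks` column names are assumptions; run it with rights to query the remote servers.

```powershell
# Added example: find services and scheduled tasks that run as a given account.
# Assumptions (not from the thread): account name, server names, English schtasks headers.
$Account = 'CONTOSO\Administrator'        # constructed placeholder
$Servers = 'DC01', 'SQL01', 'EXCH01'      # constructed placeholders

function Test-AccountMatch {
    param([string]$Value, [string]$Account)
    if ([string]::IsNullOrEmpty($Value)) { return $false }
    $user = $Account.Split('\')[-1]
    # -eq and -like are case-insensitive; cover DOMAIN\user and user@domain forms
    return ($Value -eq $Account) -or ($Value -like "$user@*")
}

function New-Finding {
    param($Server, $Type, $Name, $RunAs)
    New-Object PSObject -Property @{ Server = $Server; Type = $Type; Name = $Name; RunAs = $RunAs }
}

$findings = foreach ($server in $Servers) {
    # Step 2: services whose logon account (StartName) is the account being changed
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { Test-AccountMatch $_.StartName $Account } |
            ForEach-Object { New-Finding $server 'Service' $_.Name $_.StartName }
    } catch {
        Write-Warning "Services on ${server} not checked: $($_.Exception.Message)"
    }

    # Step 3: scheduled tasks; verbose CSV output carries a "Run As User" column
    $csv = schtasks.exe /Query /S $server /FO CSV /V 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $csv) {
        Write-Warning "Scheduled tasks on ${server} not checked"
        continue
    }
    # schtasks can repeat the header row per task folder; those rows are skipped below
    $csv | Where-Object { $_ -match '\S' } | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and (Test-AccountMatch $_.'Run As User' $Account) } |
        ForEach-Object { New-Finding $server 'ScheduledTask' $_.TaskName $_.'Run As User' }
}

$findings | Sort-Object Server, Type, Name -Unique |
    Format-Table Server, Type, Name, RunAs -AutoSize
```

Servers that produce a warning were not inventoried and need a manual check before the password change. Credentials stored inside backup agents (step 4) live in the product's own configuration and are not found by this script.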
 

Author Closing Comment

by:jbishop2446b
ID: 38445369
Thank you, I finally did this and like you said it's important to inventory each server, especially any server running SQL and Citrix servers.
