Changing the active directory domain admin's password

Hello everyone, I need to change our company's domain admin, enterprise admin and exchange admin's password soon, as a staff change is coming very soon.

I've heard and read stories (most scary!) online about how you shouldn't do this and that there are several services, programs, and more tied to these user accounts that are contingent on that user account and can cause problems (makes sense).

I've been steadily fixing poor past admin practices and separating out accounts for certain services/programs instead of what we have now, just the one user ID and one password that everything's tied to.

I'm running Windows Server 2008 R2 Standard (all my domain controllers) and have several Windows Server 2003 servers in the mix with various apps like SQL, SharePoint and Exchange 2007, to name a few.

If I just right click on that domain admin/enterprise user account and choose Change Password, I guess I could just continuously watch event logs and correct one by one anything upset or failing. Pretty much concerned about the impact and any surprises, so your experiences with doing this would be VERY welcomed. Thanks again everyone!
jbishop2446b asked:
GlobalStrata commented:
I have worked in several environments where this is done every 3-6 months in one night. Yes, this is normally done after hours, and the easiest way we always did this is using a script. But before doing this:

1. Inventory your servers
2. Check the Services.msc for any services using accounts to start up
3. Check any Scheduled Tasks that may be running on servers using accounts
4. Check Backup agents since in the program they often configure accounts and password with access to the particular servers

Once you have that, you can establish a plan of attack. If the environment is big, eventually you want to script this.
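
The inventory in steps 2 and 3 above (services and scheduled tasks that log on as the account), as an added PowerShell example that is not from this thread. It assumes WMI/RPC access and local admin rights on each server, and the account and server names are constructed placeholders; `schtasks.exe` is used because `Get-ScheduledTask` does not exist on 2003/2008 R2 hosts.

```powershell
# Added example: find services and scheduled tasks that run as a given domain
# account before its password is changed. $Account and $Servers are placeholders.
param(
    [string]$Account    = 'CORP\svc-placeholder',                       # account to be rotated
    [string[]]$Servers  = @('SRV-SQL01', 'SRV-SP01', 'SRV-EX01'),       # constructed names
    [string]$ReportPath = "$env:USERPROFILE\account-usage.csv"
)

function Get-SamName([string]$Name) {
    # Reduce DOMAIN\user, user@domain and .\user to the bare user name so the
    # comparison tolerates whichever form the service or task was configured with.
    if ($Name -match '\\') { return $Name.Split('\')[-1] }
    if ($Name -match '@')  { return $Name.Split('@')[0] }
    return $Name
}
$target = Get-SamName $Account

$results = foreach ($server in $Servers) {
    # Services: Win32_Service.StartName holds the logon account (also matches a
    # local account of the same name, which is worth reviewing anyway).
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -and ((Get-SamName $_.StartName) -ieq $target) } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'Service'
                                   Name = $_.Name; RunAs = $_.StartName; State = $_.State }
            }
    } catch {
        Write-Warning "WMI query failed on $server : $($_.Exception.Message)"
    }

    # Scheduled tasks: verbose CSV output includes a 'Run As User' column.
    $csv = schtasks.exe /Query /S $server /V /FO CSV 2>$null
    if ($LASTEXITCODE -eq 0 -and $csv) {
        $csv | ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -and ((Get-SamName $_.'Run As User') -ieq $target) } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'ScheduledTask'
                                   Name = $_.TaskName; RunAs = $_.'Run As User'; State = $_.Status }
            }
    } else {
        Write-Warning "schtasks query failed on $server"
    }
}

$results | Sort-Object Server, Type, Name | Format-Table -AutoSize
$results | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Found $(@($results).Count) dependencies on $Account; report written to $ReportPath"
```

Backup agents, IIS application pools and COM+ applications store credentials elsewhere, so this report covers only the two inventory steps it names; check those products' own consoles separately.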
 
Mike Kline commented:
I'd do it after hours; that is the biggest mistake people make. If there is a service using it that you don't know of, then you can catch it while users are not around.

There is no real easy way to find every service that could be using the account. This is a reason Microsoft created managed service accounts in 2008 R2 and group managed service accounts coming in Windows 8... this can be a real issue.

Thanks

Mike
 
emadallan commented:
To avoid any problems related to applications that rely on the domain password, you can instead create an MSA (Managed Service Account) service account and bind it to your applications such as SQL, SharePoint...
Here is a great article that guides you through creating this MSA account:
http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx

By creating this MSA account you are no longer tied to the domain admin, so you can change their passwords without any problems.
 
jbishop2446b (author) commented:
Thank you, I finally did this and, like you said, it's important to inventory each server, especially any server running SQL and Citrix servers.