Solved

Domain admin password change - impact prediction

Posted on 2013-06-19
7
1,269 Views
Last Modified: 2013-07-01
Hi,

One of our enterprise customers wishes to change his Domain administrator password.
Legitimate as it may sound, LOT'S of stuff depended on this, and I wish to gather all the dependencies beforehand.

Is there a tool or a way to scan the LAN (which is quite big, around ~200 servers and ~150 workstations with ~70 network segments) and get a clear output where this user is being used, especially windows services wise, and all other dependencies?

Thanks in advance
0
Comment
Question by:IT_Group1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39259599
0
 
LVL 120

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 500 total points
ID: 39259709
We had a recent question here on EE, and the only way would be to Enable Auditing on the Domain and check to see what fails, after the event after changing the password. (as difficult as that is, in that it could break service!).

and also check your documentation, as to what has been set to use the Domain administrator password!

We recommend that specific Service Account userids and passwords are used for each service. e.g. service_exchange for Exchange, service_vcenter for vCenter Server etc

you can also use Account Lockout Status if the account gets locked.

http://www.microsoft.com/en-gb/download/details.aspx?id=15201
0
 

Author Comment

by:IT_Group1
ID: 39289718
Guys,
Sorry for the late reply, and thanks for your feedback.

Isn't there a tool (even 3rd party / Microsoft) which scans the LAN with the current domain admin cred's and gives an output of the current services which relyas on a specific user?

BTW, I checked the PowerShell option: Get-ServiceAccountUsage (http://blogs.technet.com/b/isrpfeplat/archive/2012/01/02/powershell-get-serviceaccountusage.aspx), but I'm not sure which parameters should i change (Implicit / Explicit).

Thanks in advance
0
Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

 
LVL 120
ID: 39289751
Isn't there a tool (even 3rd party / Microsoft) which scans the LAN with the current domain admin cred's and gives an output of the current services which relyas on a specific user?

- Not that I'm aware of, it would be a security risk if there was!

you actually want to run both Implicit  & Explicit, but you have got to run that against every device that you think us using  Admin credentials!

We prefer the audit approach, and check all servers, manually, and change over to a Service_Account_ServiceName Account and password stored in the valut.
0
 

Author Comment

by:IT_Group1
ID: 39289771
hanccocka tnx.
So what you're suggesting is to:

1. Enable audit on the domain
2. Change domain admin pass
3. Check what fails, which means which servers are unable to login with specific services

Did I get it right?
0
 
LVL 120
ID: 39289776
That's correct, you will be able to see by the Audit Attempts. We do the donkey work first, and audit, and check each server.
0
 

Author Comment

by:IT_Group1
ID: 39289786
I'll do it, but it seems odd that there isn't a tool which i can run and do the whole process in a more elegant fashion...
0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is comprised of the pearls we have garnered deploying virtualization solutions since Virtual Server 2005 and subsequent 2008 RTM+ Hyper-V in standalone and clustered environments.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question