Domain admin password change - impact prediction

Hi,

One of our enterprise customers wishes to change his Domain administrator password.
Legitimate as it may sound, LOT'S of stuff depended on this, and I wish to gather all the dependencies beforehand.

Is there a tool or a way to scan the LAN (which is quite big, around ~200 servers and ~150 workstations with ~70 network segments) and get a clear output where this user is being used, especially windows services wise, and all other dependencies?

Thanks in advance
IT_Group1Asked:
Who is Participating?
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
We had a recent question here on EE, and the only way would be to Enable Auditing on the Domain and check to see what fails, after the event after changing the password. (as difficult as that is, in that it could break service!).

and also check your documentation, as to what has been set to use the Domain administrator password!

We recommend that specific Service Account userids and passwords are used for each service. e.g. service_exchange for Exchange, service_vcenter for vCenter Server etc

you can also use Account Lockout Status if the account gets locked.

http://www.microsoft.com/en-gb/download/details.aspx?id=15201
0
 
Haresh NikumbhSr. Tech leadCommented:
0
 
IT_Group1Author Commented:
Guys,
Sorry for the late reply, and thanks for your feedback.

Isn't there a tool (even 3rd party / Microsoft) which scans the LAN with the current domain admin cred's and gives an output of the current services which relyas on a specific user?

BTW, I checked the PowerShell option: Get-ServiceAccountUsage (http://blogs.technet.com/b/isrpfeplat/archive/2012/01/02/powershell-get-serviceaccountusage.aspx), but I'm not sure which parameters should i change (Implicit / Explicit).

Thanks in advance
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Isn't there a tool (even 3rd party / Microsoft) which scans the LAN with the current domain admin cred's and gives an output of the current services which relyas on a specific user?

- Not that I'm aware of, it would be a security risk if there was!

you actually want to run both Implicit  & Explicit, but you have got to run that against every device that you think us using  Admin credentials!

We prefer the audit approach, and check all servers, manually, and change over to a Service_Account_ServiceName Account and password stored in the valut.
0
 
IT_Group1Author Commented:
hanccocka tnx.
So what you're suggesting is to:

1. Enable audit on the domain
2. Change domain admin pass
3. Check what fails, which means which servers are unable to login with specific services

Did I get it right?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
That's correct, you will be able to see by the Audit Attempts. We do the donkey work first, and audit, and check each server.
0
 
IT_Group1Author Commented:
I'll do it, but it seems odd that there isn't a tool which i can run and do the whole process in a more elegant fashion...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.