Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Domain admin password change - impact prediction

Posted on 2013-06-19
7
Medium Priority
?
1,334 Views
Last Modified: 2013-07-01
Hi,

One of our enterprise customers wishes to change his Domain administrator password.
Legitimate as it may sound, LOT'S of stuff depended on this, and I wish to gather all the dependencies beforehand.

Is there a tool or a way to scan the LAN (which is quite big, around ~200 servers and ~150 workstations with ~70 network segments) and get a clear output where this user is being used, especially windows services wise, and all other dependencies?

Thanks in advance
0
Comment
Question by:IT_Group1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39259599
0
 
LVL 123

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 2000 total points
ID: 39259709
We had a recent question here on EE, and the only way would be to Enable Auditing on the Domain and check to see what fails, after the event after changing the password. (as difficult as that is, in that it could break service!).

and also check your documentation, as to what has been set to use the Domain administrator password!

We recommend that specific Service Account userids and passwords are used for each service. e.g. service_exchange for Exchange, service_vcenter for vCenter Server etc

you can also use Account Lockout Status if the account gets locked.

http://www.microsoft.com/en-gb/download/details.aspx?id=15201
0
 

Author Comment

by:IT_Group1
ID: 39289718
Guys,
Sorry for the late reply, and thanks for your feedback.

Isn't there a tool (even 3rd party / Microsoft) which scans the LAN with the current domain admin cred's and gives an output of the current services which relyas on a specific user?

BTW, I checked the PowerShell option: Get-ServiceAccountUsage (http://blogs.technet.com/b/isrpfeplat/archive/2012/01/02/powershell-get-serviceaccountusage.aspx), but I'm not sure which parameters should i change (Implicit / Explicit).

Thanks in advance
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
LVL 123
ID: 39289751
Isn't there a tool (even 3rd party / Microsoft) which scans the LAN with the current domain admin cred's and gives an output of the current services which relyas on a specific user?

- Not that I'm aware of, it would be a security risk if there was!

you actually want to run both Implicit  & Explicit, but you have got to run that against every device that you think us using  Admin credentials!

We prefer the audit approach, and check all servers, manually, and change over to a Service_Account_ServiceName Account and password stored in the valut.
0
 

Author Comment

by:IT_Group1
ID: 39289771
hanccocka tnx.
So what you're suggesting is to:

1. Enable audit on the domain
2. Change domain admin pass
3. Check what fails, which means which servers are unable to login with specific services

Did I get it right?
0
 
LVL 123
ID: 39289776
That's correct, you will be able to see by the Audit Attempts. We do the donkey work first, and audit, and check each server.
0
 

Author Comment

by:IT_Group1
ID: 39289786
I'll do it, but it seems odd that there isn't a tool which i can run and do the whole process in a more elegant fashion...
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question