Solved

Domain admin password change - impact prediction

Posted on 2013-06-19
7
1,235 Views
Last Modified: 2013-07-01
Hi,

One of our enterprise customers wishes to change his Domain administrator password.
Legitimate as it may sound, LOT'S of stuff depended on this, and I wish to gather all the dependencies beforehand.

Is there a tool or a way to scan the LAN (which is quite big, around ~200 servers and ~150 workstations with ~70 network segments) and get a clear output where this user is being used, especially windows services wise, and all other dependencies?

Thanks in advance
0
Comment
Question by:IT_Group1
  • 3
  • 3
7 Comments
 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39259599
0
 
LVL 119

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 500 total points
ID: 39259709
We had a recent question here on EE, and the only way would be to Enable Auditing on the Domain and check to see what fails, after the event after changing the password. (as difficult as that is, in that it could break service!).

and also check your documentation, as to what has been set to use the Domain administrator password!

We recommend that specific Service Account userids and passwords are used for each service. e.g. service_exchange for Exchange, service_vcenter for vCenter Server etc

you can also use Account Lockout Status if the account gets locked.

http://www.microsoft.com/en-gb/download/details.aspx?id=15201
0
 

Author Comment

by:IT_Group1
ID: 39289718
Guys,
Sorry for the late reply, and thanks for your feedback.

Isn't there a tool (even 3rd party / Microsoft) which scans the LAN with the current domain admin cred's and gives an output of the current services which relyas on a specific user?

BTW, I checked the PowerShell option: Get-ServiceAccountUsage (http://blogs.technet.com/b/isrpfeplat/archive/2012/01/02/powershell-get-serviceaccountusage.aspx), but I'm not sure which parameters should i change (Implicit / Explicit).

Thanks in advance
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 119
ID: 39289751
Isn't there a tool (even 3rd party / Microsoft) which scans the LAN with the current domain admin cred's and gives an output of the current services which relyas on a specific user?

- Not that I'm aware of, it would be a security risk if there was!

you actually want to run both Implicit  & Explicit, but you have got to run that against every device that you think us using  Admin credentials!

We prefer the audit approach, and check all servers, manually, and change over to a Service_Account_ServiceName Account and password stored in the valut.
0
 

Author Comment

by:IT_Group1
ID: 39289771
hanccocka tnx.
So what you're suggesting is to:

1. Enable audit on the domain
2. Change domain admin pass
3. Check what fails, which means which servers are unable to login with specific services

Did I get it right?
0
 
LVL 119
ID: 39289776
That's correct, you will be able to see by the Audit Attempts. We do the donkey work first, and audit, and check each server.
0
 

Author Comment

by:IT_Group1
ID: 39289786
I'll do it, but it seems odd that there isn't a tool which i can run and do the whole process in a more elegant fashion...
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question