Solved

Domain admin password change - impact prediction

Posted on 2013-06-19
Last Modified: 2013-07-01
Hi,

One of our enterprise customers wishes to change his Domain administrator password.
Legitimate as it may sound, LOTS of stuff depends on this, and I wish to gather all the dependencies beforehand.

Is there a tool or a way to scan the LAN (which is quite big, around ~200 servers and ~150 workstations with ~70 network segments) and get a clear output of where this user is being used, especially Windows services-wise, and all other dependencies?

Thanks in advance
0
Question by:IT_Group1
7 Comments
 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39259599
0
 
LVL 120

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 500 total points
ID: 39259709
We had a recent question here on EE, and the only way would be to Enable Auditing on the Domain and check to see what fails after the event, after changing the password (as difficult as that is, in that it could break service!).

And also check your documentation, as to what has been set to use the Domain administrator password!

We recommend that specific Service Account userids and passwords are used for each service, e.g. service_exchange for Exchange, service_vcenter for vCenter Server, etc.

You can also use Account Lockout Status if the account gets locked.

http://www.microsoft.com/en-gb/download/details.aspx?id=15201
0
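The audit check described in the answer above, as an added example that is not part of the original post: it reads the Security log on a domain controller for failed authentications of the changed account and groups them by source machine. The account name, the time window and the choice of event IDs are assumptions, and failure auditing must already be enabled.

```powershell
# Assumptions (not from the thread): run elevated on a domain controller and repeat
# on every DC, because a failure is logged on the DC that handled the request;
# failure auditing for logon / credential validation is enabled; 'Administrator'
# is a placeholder for the account whose password was changed.
$Account   = 'Administrator'
$ChangedAt = (Get-Date).AddHours(-4)   # placeholder: when the password was changed

# 4625 = failed logon, 4771 = Kerberos pre-authentication failed,
# 4776 = NTLM credential validation (Status other than 0x0 means failure)
$filter = @{ LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $ChangedAt }

$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the event's <Data Name="..."> elements into a lookup table
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -ne $Account) { return }            # other accounts
        if ($_.Id -eq 4776 -and $data['Status'] -eq '0x0') { return }   # successful validation

        # The field that names the source differs per event ID
        $source = @($data['WorkstationName'], $data['Workstation'], $data['IpAddress']) |
            Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1

        [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Source = $source }
    }

# One row per source machine: each is a candidate for something still using the old password
$failures | Group-Object Source |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Sort-Object Count -Descending
```

A source that keeps retrying can also lock the account out, which is where the Account Lockout Status tool mentioned above fits in.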
 

Author Comment

by:IT_Group1
ID: 39289718
Guys,
Sorry for the late reply, and thanks for your feedback.

Isn't there a tool (even 3rd party / Microsoft) which scans the LAN with the current domain admin creds and gives an output of the current services which rely on a specific user?

BTW, I checked the PowerShell option: Get-ServiceAccountUsage (http://blogs.technet.com/b/isrpfeplat/archive/2012/01/02/powershell-get-serviceaccountusage.aspx), but I'm not sure which parameters I should change (Implicit / Explicit).

Thanks in advance
0

 
LVL 120
ID: 39289751
Isn't there a tool (even 3rd party / Microsoft) which scans the LAN with the current domain admin creds and gives an output of the current services which rely on a specific user?

- Not that I'm aware of, it would be a security risk if there was!

You actually want to run both Implicit & Explicit, but you have got to run that against every device that you think is using Admin credentials!

We prefer the audit approach, and check all servers, manually, and change over to a Service_Account_ServiceName Account and password stored in the vault.
0
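One way to do the per-server check described above before the password is changed, as an added example that is not part of the original posts and is not the Get-ServiceAccountUsage script: it lists the Windows services and scheduled tasks on each host that are configured to run as the account. The server list file, the account name, the output file and the English `schtasks` column names are assumptions.

```powershell
# Assumptions (not from the thread): servers.txt is a constructed list of host names,
# one per line; 'Administrator' is a placeholder for the account being changed; the
# operator has admin rights and remote management (WinRM, RPC) access to each host.
$User    = 'Administrator'
$Servers = Get-Content .\servers.txt

# Matches DOMAIN\Administrator, .\Administrator and Administrator@domain forms
$pattern = '(^|\\)' + [regex]::Escape($User) + '(@|$)'

$report = foreach ($server in $Servers) {
    try {
        # Services whose configured logon account (StartName) is the target account
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'Service'; Name = $_.Name
                                   RunAs = $_.StartName; State = $_.State }
            }

        # Scheduled tasks set to run as the account. Column names are those of an
        # English-language system; a task with several triggers is listed once.
        schtasks.exe /Query /S $server /FO CSV /V 2>$null | ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -match $pattern } |
            Group-Object TaskName |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'Task'; Name = $_.Name
                                   RunAs = $_.Group[0].'Run As User'; State = $_.Group[0].Status }
            }
    }
    catch {
        # Record unreachable hosts so they are checked by hand, not silently skipped
        [pscustomobject]@{ Server = $server; Type = 'ERROR'; Name = $_.Exception.Message
                           RunAs = $null; State = $null }
    }
}

$report | Sort-Object Server, Type, Name | Format-Table -AutoSize
$report | Export-Csv .\admin-account-usage.csv -NoTypeInformation
```

This covers only configured service and task identities; mapped drives, application connection strings and scripts with stored credentials still need the documentation review and audit described in the thread.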
 

Author Comment

by:IT_Group1
ID: 39289771
hanccocka tnx.
So what you're suggesting is to:

1. Enable audit on the domain
2. Change domain admin pass
3. Check what fails, which means which servers are unable to login with specific services

Did I get it right?
0
 
LVL 120
ID: 39289776
That's correct, you will be able to see by the Audit Attempts. We do the donkey work first, and audit, and check each server.
0
 

Author Comment

by:IT_Group1
ID: 39289786
I'll do it, but it seems odd that there isn't a tool which I can run and do the whole process in a more elegant fashion...
0

Question has a verified solution.