Administrator password changed, now have 2 passwords.

I've come in to this a little after the fact and got somewhat befuddled with how it's come about, and have been unable to find similar issues with searches here or via Google.

We have a Windows domain, mostly Server 2008 with Hyper-V virtualisation.
The internal domain name is "fullcompany-name.local", which is quite some typing, so we also use a shorter NETBIOS name, "company", for users to log in in company\username format.

The sysadmin quit so passwords were changed (not sure how, it was before my time) and having been asked to do a security review I uncovered the following behaviour...
company\administrator uses the new secure password.
fullcompany-name\administrator still uses the old password (some services like Exchange have limited or no access / function with this login).
The only machine not following this trend is the DC, which requires the new password in both username formats.
We've rebooted servers (not the DC) with no change.

How can I resync the admin account?
Also, how do I prevent this happening again and make sure users aren't leaving a trail of back doors behind them every time they reset their password?
continum Asked:

Hypercat (Deb) Commented:
The first thing I would check is to make sure that you're logging on to the domain with both of those logins. Perhaps some of your servers are set to use a local admin account when logging on and that could explain how the old password might work with some servers, i.e., the local admin password wasn't changed.

Another way to fix this and avoid all possibilities of leaving an account with admin rights that you don't want to have would be to create a completely new enterprise/domain admin account (make sure it has all the memberships and rights that the built-in administrator account has), and then disable and/or delete all other administrator-level accounts, including local ones (or change the local admin passwords too).  You can't delete the built-in administrator accounts, so you need to just disable them, but you can delete others that have been created previous to your taking over.  Before disabling or deleting any accounts, though, you want to take an inventory of all of the services running on all your servers and change any that are set to log on using one of the accounts that you're going to disable so that they're using the new one you just created, or reset the passwords on the service account logons as appropriate.
0
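
The service inventory recommended in the comment above (find every service that logs on with an account before disabling that account or resetting its password) can be gathered with WMI. This is an added example, not part of the original thread; `DC01` and `EXCH01` are placeholder server names and the CSV path is an assumption.

```powershell
# Added example. Replace the list with your own servers; DC01 and EXCH01
# are placeholders, SQL-server and web-server are the hosts named in the thread.
$Servers = @('DC01', 'EXCH01', 'SQL-server', 'web-server')

# Built-in service identities are unaffected by disabling or resetting
# user accounts, so they are filtered out of the report.
$BuiltInPattern = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'

$Inventory = foreach ($Server in $Servers) {
    try {
        # Get-WmiObject is used because it works on PowerShell 2.0 (Server 2008).
        Get-WmiObject -Class Win32_Service -ComputerName $Server -ErrorAction Stop |
            Where-Object { $_.StartName -and ($_.StartName -notmatch $BuiltInPattern) } |
            Select-Object @{ Name = 'Server'; Expression = { $Server } },
                          Name, DisplayName, StartName, StartMode, State
    }
    catch {
        # An unreachable server is a gap in the inventory, not a clean result.
        Write-Warning "Could not query ${Server}: $($_.Exception.Message)"
    }
}

# Per-account summary: how many services depend on each logon account.
$Inventory | Group-Object -Property StartName |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Full detail, to review before any account is disabled or has its password reset.
$Inventory | Sort-Object StartName, Server |
    Export-Csv -Path '.\service-logon-inventory.csv' -NoTypeInformation
```

Services whose `StartName` is a local or domain administrator account are the ones that need a new logon account or an updated stored password first.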
McKnife Commented:
There is no reason at all for this behavior.
With password hashes of the old account in place and in use, of course we could get in when offline, but not when connected to the domain. Very strange! I tried to reproduce it, but of course I did not run into the same problem, but all worked as expected in my test domain.

Please do a test: log on as some user and then try to connect a network drive using fullcompany-name\administrator and the old password. What happens?
0
continum Author Commented:
Sorry about the delay.
We're only in as an advisory at the moment, although since posting the initial query the second IT guy has left, so I can't even find out how he changed the admin password, as this is the only thing I can think caused the problem.

domain.local\administrator
netbios\administrator
are both domain logins, not local machine accounts.

Even after reboots of some of the member servers (notably not the DC), the behaviour has not changed with regard to the twin account/password.

I don't have a user access to try at this time, but if I log on to the Exchange server as domain.local\administrator (old password) then none of the Exchange tools are available. Use the updated netbios\administrator (new password) method and all Exchange tools are fine.

I think it is too much of a coincidence that since the changes there are problems with an internal website (on "web-server") that hits an SQL back end (running on SQL-server).

The machines are all VMs with disk configs like you wouldn't believe, but they have been like that a long time so I think not the problem.

I'd like to reboot the DC and / or reset the password again but getting authorisation is so much red tape. Despite their functional issues and security risks :(
0
continum Author Commented:
The new client admin has had no joy with resolving this either so as part of a hardware upgrade project he is binning the entire domain and migrating all services to a clean AD setup which sorts out a few other "why is that like that?" config issues in a single sweep.
0

continum Author Commented:
There is no reason that the problem should have presented in the first instance, so a direct solution seems unavailable.
The client has a new internal admin who feels it is better to start a clean slate than continue to investigate untraceable oddities.
0
Active Directory