Solved

administrator password changed, now have 2 password.

Posted on 2014-09-24
5
36 Views
Last Modified: 2015-07-21
I've come into this a little after the fact and got somewhat befuddled with how it's come about, and I've been unable to find similar issues with searches here or via Google.

We have a Windows domain, mostly Server 2008 with Hyper-V virtualisation.
The internal domain name is "fullcompany-name.local", which is quite some typing, so we also use the shorter NETBIOS name "company" so users can log in in the company\username format.

The sysadmin quit, so passwords were changed (not sure how, it was before my time) and, having been asked to do a security review, I uncovered the following behaviour:
company\administrator uses the new secure password
fullcompany-name\administrator still uses the old password (some services like Exchange have limited or no access/function with this login)
The only machine not following this trend is the DC, which requires the new password in both username formats.
We've rebooted servers (not the DC) with no change.

How can I resync the admin account?
Also, how do I prevent this happening again and make sure users aren't leaving a trail of back doors behind them every time they reset their password?
Question by: continum

5 Comments
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 40342177
The first thing I would check is to make sure that you're logging on to the domain with both of those logins. Perhaps some of your servers are set to use a local admin account when logging on, and that could explain how the old password might work with some servers, i.e., the local admin password wasn't changed.

Another way to fix this and avoid all possibilities of leaving an account with admin rights that you don't want to have would be to create a completely new enterprise/domain admin account (make sure it has all the memberships and rights that the built-in administrator account has), and then disable and/or delete all other administrator-level accounts, including local ones (or change the local admin passwords too). You can't delete the built-in administrator accounts, so you need to just disable them, but you can delete others that were created prior to your taking over. Before disabling or deleting any accounts, though, you want to take an inventory of all of the services running on all your servers and change any that are set to log on using one of the accounts that you're going to disable so that they're using the new one you just created, or reset the passwords on the service account logons as appropriate.
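As an added example (not the thread's or any participant's code), here is a PowerShell inventory of services across member servers that are set to log on as the accounts slated for disabling, the check Hypercat describes above. The server names are placeholders and the two account spellings are the ones from the question; it assumes remote CIM access as a domain admin.

```powershell
# Added example, not code from the thread: list services on a set of servers
# whose logon account is one you intend to disable or re-password, so they can
# be repointed before the account goes away. Server names are placeholders.

$servers  = @('web-server', 'sql-server', 'exchange-server')             # placeholders
$accounts = @('company\administrator', 'fullcompany-name\administrator')  # both spellings from the question

function Split-UserPart {
    param([string] $Name)
    # "DOMAIN\user" or ".\user" -> user; "user@domain.local" -> user; else unchanged.
    $u = $Name
    if ($Name -match '\\') { $u = ($Name -split '\\')[-1] }
    if ($u -match '@')     { $u = ($u -split '@')[0] }
    return $u.ToLowerInvariant()
}

function Get-ServiceLogons {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $Account
    )
    # Compare on the user part only, so the NetBIOS, FQDN and UPN spellings of
    # the same account all match. A local ".\administrator" matches too, which
    # is intended: local admin accounts are part of the same clean-up.
    $wanted = $Account | ForEach-Object { Split-UserPart $_ }

    foreach ($c in $ComputerName) {
        try {
            $svcs = Get-CimInstance -ClassName Win32_Service -ComputerName $c -ErrorAction Stop
        } catch {
            Write-Warning "Could not query ${c}: $($_.Exception.Message)"
            continue
        }
        foreach ($s in $svcs) {
            if (-not $s.StartName) { continue }   # no logon account recorded
            if ($wanted -contains (Split-UserPart $s.StartName)) {
                [pscustomobject]@{
                    Computer  = $c
                    Service   = $s.Name
                    Display   = $s.DisplayName
                    LogonAs   = $s.StartName
                    StartMode = $s.StartMode
                    State     = $s.State
                }
            }
        }
    }
}

Get-ServiceLogons -ComputerName $servers -Account $accounts |
    Sort-Object Computer, Service | Format-Table -AutoSize
```

Scheduled tasks, IIS application pools and COM+ applications can also run under a named account and are not covered by Win32_Service, so check those separately before disabling anything.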
 
LVL 53

Expert Comment

by:McKnife
ID: 40342379
There is no reason at all for this behavior.
With password hashes of the old account in place and in use, of course we could get in when offline, but not when connected to the domain. Very strange! I tried to reproduce it but of course did not run into the same problem; all worked as expected in my test domain.

Please do a test: log on as some user and then try to connect a network drive using fullcompany-name\administrator and the old password. What happens?
 

Author Comment

by:continum
ID: 40349472
Sorry about the delay.
We're only in as an advisory at the moment, although since posting the initial query the second IT guy has left, so I can't even find out how he changed the admin password, as this is the only thing I can think of that caused the problem.

domain.local\administrator
netbios\administrator
are both domain logins, not local machine accounts.

Even after reboots of some of the member servers (notably not the DC) the behaviour has not changed in regard to the twin account/password.

I don't have a user account to try at this time, but if I log on to the Exchange server as domain.local\administrator (old password) then none of the Exchange tools are available. Use the updated netbios\administrator (new password) method and all Exchange tools are fine.

I think it is too much of a coincidence that since the changes there are problems with an internal website (on "web-server") that hits an SQL back end (running on SQL-server).

The machines are all VMs with disk configs like you wouldn't believe, but they have been like that for a long time, so I don't think that's the problem.

I'd like to reboot the DC and/or reset the password again, but getting authorisation is so much red tape, despite their functional issues and security risks :(
 

Accepted Solution

by: continum (earned 0 total points)
ID: 40884564
The new client admin has had no joy with resolving this either, so as part of a hardware upgrade project he is binning the entire domain and migrating all services to a clean AD setup, which sorts out a few other "why is that like that?" config issues in a single sweep.
 

Author Closing Comment

by:continum
ID: 40891127
There is no reason that the problem should have presented in the first instance, so a direct solution seems unavailable.
The client has a new internal admin who feels it is better to start with a clean slate than continue to investigate untraceable oddities.
