Solved

Changing Windows Server 2008 R2 Domain Admin Password

Posted on 2015-01-12
3
380 Views
Last Modified: 2015-01-14
Recently had our main IT person left so we want to change the domain admin password.  We have one server in our environment, Server 2008R2.  We did some research on the impact and it looks like we need to double check any services/tasks that may be using the Admin account before changing the password.  So, we checked in Services and saw the backup software is using the Admin account.   Everything else listed is using Local System or Network Service.  Under Task Scheduler, we drill down to Task Scheduler Library, Microsoft, Windows, and see "Backup" running under the Admin account and nothing else.  Is there anything else we need to check for before changing the password?  And do we just log in as the admin and change it or is there another way it has to be done?  Thank you.
0
Comment
Question by:Jason92s
3 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 400 total points
ID: 40545718
First off you should not be using the domain admin username/password as a service account. Second you are correct, in regards to updating the password on any/all services/scheduled task that have passwords cached. You also might want to make sure that there are no scripts that run that use this username and password.

Changing a Domain Admin password in a well established environment should have no impact. Use service accounts for services and scheduled tasks. Also no one should be logging in with the domain admin account.

You should have something like this for users that need to have domain admin access.

Regular Account
wills

Domain Admin Account
admin-wills

Accounts should be separate IMO so that people don't mistakenly run a command from there regular login and mess things up. If they want to run administrative tasks or login to a server they should be using their admin-name account.

Now not everyone sets it up this way but i find that this is the more secure way of managing accounts.

Will.
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 50 total points
ID: 40545726
That should cover it.

To avoid such things in the future, might as well start now and create service accounts
One for the backup software to use, double check what rights it needs and have the user with those rights.
You might as well use the same backup account for the backup task.
0
 
LVL 3

Assisted Solution

by:roycbene
roycbene earned 50 total points
ID: 40545825
To add to Arnold's solution, service accounts DO NOT have to be Active Directory accounts. In fact, unless you are using them on multiple machines on the domain (i.e. if you are just using them to kick off scheduled tasks or something similar on the one server), then I would create the account on the relevant machine as a local user and give it the rights it needs.

-R
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To effectively work with Diskpart on a Server Core, it is necessary to write some small batch script's, because you can't execute diskpart in a remote powershell session. To get startet, place the Diskpart batch script's into a share on your loca…
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question