?
Solved

Changing Windows Server 2008 R2 Domain Admin Password

Posted on 2015-01-12
3
Medium Priority
?
502 Views
Last Modified: 2015-01-14
Recently had our main IT person left so we want to change the domain admin password.  We have one server in our environment, Server 2008R2.  We did some research on the impact and it looks like we need to double check any services/tasks that may be using the Admin account before changing the password.  So, we checked in Services and saw the backup software is using the Admin account.   Everything else listed is using Local System or Network Service.  Under Task Scheduler, we drill down to Task Scheduler Library, Microsoft, Windows, and see "Backup" running under the Admin account and nothing else.  Is there anything else we need to check for before changing the password?  And do we just log in as the admin and change it or is there another way it has to be done?  Thank you.
0
Comment
Question by:Jason92s
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 1600 total points
ID: 40545718
First off you should not be using the domain admin username/password as a service account. Second you are correct, in regards to updating the password on any/all services/scheduled task that have passwords cached. You also might want to make sure that there are no scripts that run that use this username and password.

Changing a Domain Admin password in a well established environment should have no impact. Use service accounts for services and scheduled tasks. Also no one should be logging in with the domain admin account.

You should have something like this for users that need to have domain admin access.

Regular Account
wills

Domain Admin Account
admin-wills

Accounts should be separate IMO so that people don't mistakenly run a command from there regular login and mess things up. If they want to run administrative tasks or login to a server they should be using their admin-name account.

Now not everyone sets it up this way but i find that this is the more secure way of managing accounts.

Will.
0
 
LVL 79

Assisted Solution

by:arnold
arnold earned 200 total points
ID: 40545726
That should cover it.

To avoid such things in the future, might as well start now and create service accounts
One for the backup software to use, double check what rights it needs and have the user with those rights.
You might as well use the same backup account for the backup task.
0
 
LVL 3

Assisted Solution

by:roycbene
roycbene earned 200 total points
ID: 40545825
To add to Arnold's solution, service accounts DO NOT have to be Active Directory accounts. In fact, unless you are using them on multiple machines on the domain (i.e. if you are just using them to kick off scheduled tasks or something similar on the one server), then I would create the account on the relevant machine as a local user and give it the rights it needs.

-R
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question