philb19
asked on
vcenter 5.1 - services changed to log as service account from domain admin - Still cant change domain admin password
Hi when i do change domain admin password - Vcenter becomes inaccsesibe - invaild login summary
The services were set to a new service account AD account - and sql management studio gave the service account permission to the DB
The services were started ( log on as new service account - which is local admin as well on the vcenter server) - it has all the act as part of OS and start service rights as well) - all access to vcenter was fine - AD integrated. - I could log on to vcenter fine with AD accounts that had access.
Issue is that as soon as I change the Domain admin password - i get no vcenter access. - invalid login summary? so to get working i have to set the domain admin password back to its previous password - then all is well again - what hook does the domain admin account have in vcenter -beear in mind it was installed under this domain account originally with the dom admin account the 1 running the services (log on as) + the vcenter sql db account Help please
The services were set to a new service account AD account - and sql management studio gave the service account permission to the DB
The services were started ( log on as new service account - which is local admin as well on the vcenter server) - it has all the act as part of OS and start service rights as well) - all access to vcenter was fine - AD integrated. - I could log on to vcenter fine with AD accounts that had access.
Issue is that as soon as I change the Domain admin password - i get no vcenter access. - invalid login summary? so to get working i have to set the domain admin password back to its previous password - then all is well again - what hook does the domain admin account have in vcenter -beear in mind it was installed under this domain account originally with the dom admin account the 1 running the services (log on as) + the vcenter sql db account Help please
ASKER
Hi Yes I did - Is there something I can do to resolve? thanks
Create a new Service Account in AD especially for vCenter Server. We do this for all services.
-
e.g. call the account service_vcenter_server, create a complex password, cut and paste it, and record in your secret book, put in the safe.
-
e.g. call the account service_vcenter_server, create a complex password, cut and paste it, and record in your secret book, put in the safe.
ASKER
Sorry I may not have explained - I did just what you have stated - a new account and the services are running as the new account. all is well with this - but still i cant change the domain admin account as soon as i do I break access to vcenter error ivalid login summary
ASKER
change domain admin account password in ad i mean - thats when vcenter access no longer works
So, vCenter Server service is running on the new account ?
it's not running as this domain admin ?
it's not running as this domain admin ?
ASKER
Yes spot on correct
Yes, it is possible to deny password change to AD account, and that is done to your vcenter admin account.
ASKER
Hi thanks how do I check. This. And resolve.
Resove what? Your AD admin made permanent password for service account. ditto.
ASKER
?? Dont know what your talking about. (misunderstanding)- The domain admin account I can change no problem. I can log on to computers/servers as the domain admin with the new password. - Problem is once the password of the dom admin is changed I cant log on to vcenter with ANY account. - error invalid login summary. This is despite having the vcenter services running as a newly created service account AND giving this account access over the vcenter database. All is fine with Vcenter login with this new service account UNTIL I change the domain admin account then i cant log on with any account to vcenter (ONLY) Any ideas?
ASKER
vcenter was installed as the dom admin originally and was the account the vcenter services was originally running as - we are attempting to replace this runas account with the new service account - which we appear to succeed with yet we cant subsequently change the dom admin password without losing vcenter access - there is some hook or remnant of dom admin still in vcenter somewhere?
Yes, you are complaining about windows issues, it has nothing to do with vcenter.
http://www.vistax64.com/tutorials/167735-password-prevent-allow-change.html
http://www.vistax64.com/tutorials/167735-password-prevent-allow-change.html
ASKER
WHAT?? Sorry are you having me on? I reset the password its fine it works!!! I logon to windows ANY SERVER or PC with the domain admin with the new password no problwm
The only problem is it stops any logon working to log on to vcenter client.- Ar ok maybe you think i mean the windows logon to the vcenter server - no
The vcenter client stops working
The only problem is it stops any logon working to log on to vcenter client.- Ar ok maybe you think i mean the windows logon to the vcenter server - no
The vcenter client stops working
ASKER
Found something that talks of registry entry for the vpxduser account in registry: we run 5.1 not 5.0 as is this article any comments?
http://www.vnoob.com/2012/09/changing-vcenters-db-user-and-password/
One problem is my user is listed but on in db key but in attached key - see file - does this
Secondly we need to change the username vCenter uses. Most would probably think that there is some sort of Configuration Utility that we could simply run that would make the change. Wrong! We have to jump in to the registry to change it. So using “regedit”, navigate to “HKEY_LOCAL_MACHINE\SOFTWA
Now we change entry 2 to reflect what our new user should be.
Awesome! Great! We’re done right? Wrong!
Next we need to change the password. Again, since we just changed the username in the registry, one might think the password is also changed there. Nope, sorry. For this we need to use an ELEVATED CMD prompt navigate to the folder that contains our vCenter install. If my capitalization was not an ample hint, it must be an elevated command prompt.
The default install location for vcenter is C:\Program Files\VMware\Infrastructur
This command will ask you for the DB password. After you supply it, it will then put your password into the registry under the username you changed earlier, although it will be hashed and probably salted.
Now, at this point, if your last user and your new user were both Active Directory/Windows users, you should hopefully be able to start the vCenter service and everything will work again! However, if you are changing sql authentication users in any way (i.e. you last user was a sql auth user, or your new one is, or both) you need to modify your DSN for vCenter.
You can change the DSN by launching ODBC, located in Start-Administrative Tools- Data Source (ODBC). On the System DSN tab you shoud be able to find your vCenter DSN listed that you can modify.
When modifying you should be able to just change the info on the second page.
Capture.JPG
http://www.vnoob.com/2012/09/changing-vcenters-db-user-and-password/
One problem is my user is listed but on in db key but in attached key - see file - does this
Secondly we need to change the username vCenter uses. Most would probably think that there is some sort of Configuration Utility that we could simply run that would make the change. Wrong! We have to jump in to the registry to change it. So using “regedit”, navigate to “HKEY_LOCAL_MACHINE\SOFTWA
Now we change entry 2 to reflect what our new user should be.
Awesome! Great! We’re done right? Wrong!
Next we need to change the password. Again, since we just changed the username in the registry, one might think the password is also changed there. Nope, sorry. For this we need to use an ELEVATED CMD prompt navigate to the folder that contains our vCenter install. If my capitalization was not an ample hint, it must be an elevated command prompt.
The default install location for vcenter is C:\Program Files\VMware\Infrastructur
This command will ask you for the DB password. After you supply it, it will then put your password into the registry under the username you changed earlier, although it will be hashed and probably salted.
Now, at this point, if your last user and your new user were both Active Directory/Windows users, you should hopefully be able to start the vCenter service and everything will work again! However, if you are changing sql authentication users in any way (i.e. you last user was a sql auth user, or your new one is, or both) you need to modify your DSN for vCenter.
You can change the DSN by launching ODBC, located in Start-Administrative Tools- Data Source (ODBC). On the System DSN tab you shoud be able to find your vCenter DSN listed that you can modify.
When modifying you should be able to just change the info on the second page.
Capture.JPG
why not just re-install vCenter Server, using the correct username and password for the service account.
This will not affect running VMs.
This will not affect running VMs.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
this would be the reason.