vCenter 5.1 - services changed to log on as service account from domain admin - still can't change domain admin password

Hi, when I do change the domain admin password, vCenter becomes inaccessible - invalid login summary.

The services were set to a new service account (an AD account), and SQL Management Studio gave the service account permission to the DB.

The services were started (log on as the new service account, which is local admin as well on the vCenter server; it has all the "act as part of OS" and "start service" rights as well). All access to vCenter was fine - AD integrated. I could log on to vCenter fine with AD accounts that had access.

The issue is that as soon as I change the domain admin password, I get no vCenter access - invalid login summary? So to get it working I have to set the domain admin password back to its previous password, then all is well again. What hook does the domain admin account have in vCenter? Bear in mind it was installed under this domain account originally, with the dom admin account the one running the services (log on as) + the vCenter SQL DB account. Help please.
philb19Asked:

Andrew Hancock (VMware vExpert / EE MVE^2) VMware and Virtualization Consultant Commented:
When you installed vCenter Server, did you use your Domain Admin user account and password?

This would be the reason.
philb19 Author Commented:
Hi, yes I did. Is there something I can do to resolve it? Thanks
Andrew Hancock (VMware vExpert / EE MVE^2) VMware and Virtualization Consultant Commented:
Create a new Service Account in AD especially for vCenter Server. We do this for all services.

E.g. call the account service_vcenter_server, create a complex password, cut and paste it, record it in your secret book, and put it in the safe.

philb19 Author Commented:
Sorry, I may not have explained. I did just what you have stated - a new account, and the services are running as the new account. All is well with this, but I still can't change the domain admin account; as soon as I do, I break access to vCenter - error: invalid login summary.
philb19 Author Commented:
Change the domain admin account password in AD, I mean - that's when vCenter access no longer works.
Andrew Hancock (VMware vExpert / EE MVE^2) VMware and Virtualization Consultant Commented:
So, the vCenter Server service is running on the new account?

It's not running as this domain admin?
philb19 Author Commented:
Yes, spot on, correct.
gheist Commented:
Yes, it is possible to deny password change to an AD account, and that is done to your vCenter admin account.
philb19 Author Commented:
Hi, thanks. How do I check this and resolve it?
gheist Commented:
Resolve what? Your AD admin made a permanent password for the service account. Ditto.
philb19 Author Commented:
?? Don't know what you're talking about (misunderstanding). The domain admin account I can change, no problem. I can log on to computers/servers as the domain admin with the new password. The problem is that once the password of the dom admin is changed, I can't log on to vCenter with ANY account - error: invalid login summary. This is despite having the vCenter services running as a newly created service account AND giving this account access over the vCenter database. All is fine with vCenter login with this new service account UNTIL I change the domain admin account; then I can't log on with any account to vCenter (ONLY). Any ideas?
philb19 Author Commented:
vCenter was installed as the dom admin originally, and that was the account the vCenter services were originally running as. We are attempting to replace this run-as account with the new service account, which we appear to succeed with, yet we can't subsequently change the dom admin password without losing vCenter access. Is there some hook or remnant of the dom admin still in vCenter somewhere?
gheist Commented:
Yes, you are complaining about windows issues, it has nothing to do with vcenter.
http://www.vistax64.com/tutorials/167735-password-prevent-allow-change.html
philb19 Author Commented:
WHAT?? Sorry, are you having me on? I reset the password, it's fine, it works!!! I log on to Windows on ANY SERVER or PC with the domain admin with the new password, no problem.

The only problem is it stops any logon to the vCenter client from working. Ah, OK, maybe you think I mean the Windows logon to the vCenter server - no.

The vCenter client stops working.
philb19 Author Commented:
Found something that talks of a registry entry for the vpxduser account in the registry. We run 5.1, not 5.0 as in this article. Any comments?

http://www.vnoob.com/2012/09/changing-vcenters-db-user-and-password/

One problem is my user is listed, but not in the DB key but in the attached key - see file - does this



Secondly we need to change the username vCenter uses. Most would probably think that there is some sort of Configuration Utility that we could simply run that would make the change. Wrong! We have to jump in to the registry to change it. So using “regedit”, navigate to “HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VirtualCenter\DB” if you are using vCenter 5.
 


Now we change entry 2 to reflect what our new user should be.
 
Awesome! Great! We’re done right? Wrong!
 
Next we need to change the password. Again, since we just changed the username in the registry, one might think the password is also changed there. Nope, sorry. For this we need to use an ELEVATED CMD prompt navigate to the folder that contains our vCenter install. If my capitalization was not an ample hint, it must be an elevated command prompt.
 
The default install location for vCenter is C:\Program Files\VMware\Infrastructure\VirtualCenter Server\, and the command we need to run is “vpxd -p”. If your install location is different, obviously use yours.



This command will ask you for the DB password. After you supply it, it will then put your password into the registry under the username you changed earlier, although it will be hashed and probably salted.
 
Now, at this point, if your last user and your new user were both Active Directory/Windows users, you should hopefully be able to start the vCenter service and everything will work again! However, if you are changing sql authentication users in any way (i.e. you last user was a sql auth user, or your new one is, or both) you need to modify your DSN for vCenter.
 
You can change the DSN by launching ODBC, located in Start - Administrative Tools - Data Source (ODBC). On the System DSN tab you should be able to find your vCenter DSN listed that you can modify.
 
When modifying you should be able to just change the info on the second page.
Capture.JPG
Andrew Hancock (VMware vExpert / EE MVE^2) VMware and Virtualization Consultant Commented:
Why not just re-install vCenter Server, using the correct username and password for the service account?

This will not affect running VMs.
philb19 Author Commented:
OK then, I solved it myself. The resolution is around the fact that you need to log in to the web client as the SSO login admin@System-Domain. It is imperative that you DON'T lose this username and password. Once you are logged in as admin to the web client, you will then see the options to change the SSO configuration. In there will be the account used to install the product and used for AD SSO. Once we changed this to be the new service account, all was fine: no lockouts, and we could change the domain admin account that was used to install vCenter. I have to say it's very odd no one could assist me with this. It seems to be a common thread where people have lost the SSO login password. I did also, but I found it by chance :) - if you can't find it, then you have to use a SQL query change to modify the sha256 encrypted password in the SQL DB.
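
An added example, not part of the thread or of VMware's tooling: a PowerShell audit for the Windows-side places discussed above where the old install account can remain referenced (service "log on as" accounts, and string values under the vCenter registry key quoted from the article). The account name is a placeholder and the function names are hypothetical; it needs PowerShell 3.0 or later and an elevated prompt on the vCenter host. It does not inspect the SSO configuration in the web client, which is where the thread's resolution was found.

```powershell
# Added example: locate leftover references to a privileged account before rotating its password.
param(
    # Placeholder: logon name (without domain) of the account vCenter was installed with
    [string]$SamName = 'Administrator',
    # Parent of the DB key quoted in the article on this page
    [string]$RegRoot = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VirtualCenter'
)

function Find-ServiceLogon {
    param([string]$SamName)
    # Matches both DOMAIN\name and name@domain forms of the service logon account
    $pattern = '*' + [WildcardPattern]::Escape($SamName) + '*'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -like $pattern } |
        Select-Object Name, DisplayName, StartName, State
}

function Find-RegistryReference {
    param([string]$Root, [string]$SamName)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    $pattern = '*' + [WildcardPattern]::Escape($SamName) + '*'
    # Walk the root key and every subkey, since the user may sit outside the DB key
    $keys = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            # Only string values are compared; hashed or binary data is left alone
            if ($data -is [string] -and $data -like $pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
            }
        }
    }
}

Write-Output "Services logging on as '$SamName':"
Find-ServiceLogon -SamName $SamName | Format-Table -AutoSize

Write-Output "Registry values under '$RegRoot' that mention '$SamName':"
Find-RegistryReference -Root $RegRoot -SamName $SamName | Format-List
```

An empty result from both checks means the dependency is held somewhere this script does not look, such as the SSO identity source settings described in the final post.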
