jackbenson
asked on
Changing Administrator Account Password on Domain
Hi,
We recently had a security hack in our network, and I want to tighten up the password policy by using Group Policy to enforce a minimum password criterion.
I am a little worried that if I change the Administrator password I will start to get a lot of issues with programs not running on my server.
Is there a good way to audit what would be affected if the Domain Administrator account gets a new password?
Will it affect things like Exchange Server or Lync Server? In Services these use either a Local System or Network Service account.
My Backup Exec 15 server is using the Domain/Administrator account as the account that runs its services. I assume that I will just need to change the password in Services? Or should I create an account just for Backup Exec Server in AD? If I created an account, would it need to be part of the Administrators group?
Thanks for your help
SOLUTION
Create a user in AD and assign it local admin rights on the servers whose backup you want to take.
ASKER
Would the account need to be a member of the Domain Users security group?
ASKER CERTIFIED SOLUTION
ASKER
McKnife,
Thanks for this.
I have tried the Managed Service Accounts for a few things and it works.
I guess there is no easy way to audit where the Administrator account is being used? I will have to go through each of my servers 1 by 1 and create the Managed Service Accounts as necessary?
Many thanks!
jack
It is quite easy to use a tool that scans servers remotely and finds out which services and which tasks use such domain admin accounts: http://www.cjwdev.com/Software/ServiceCredMan/Info.html (free)
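The same audit can be scripted with built-in cmdlets. This is an added example, not part of the original thread and not the linked tool's code; the server names and account name are placeholders, and it assumes the servers accept CIM/WinRM sessions and run Windows Server 2012 or later (for the ScheduledTasks module).

```powershell
# Added example: list services and scheduled tasks that run as a given account.
# Assumptions: $Servers and $Account are placeholders; run it as a user with
# administrative rights on the target servers.
$Account = 'Administrator'
$Servers = 'Server1', 'Server2', 'Server3'

# Matches DOMAIN\Administrator, .\Administrator, Administrator@domain and a bare
# Administrator, so local Administrator accounts are reported as well.
$pattern = "(^|\\)$([regex]::Escape($Account))(@|$)"

$findings = foreach ($server in $Servers) {
    try {
        $session = New-CimSession -ComputerName $server -ErrorAction Stop
    } catch {
        # Record unreachable servers so they are not mistaken for clean ones.
        [pscustomobject]@{ Server = $server; Type = 'ERROR'; Name = $_.Exception.Message; RunAs = $null }
        continue
    }
    try {
        # Services: Win32_Service.StartName holds the logon account.
        Get-CimInstance -CimSession $session -ClassName Win32_Service |
            Where-Object { $_.StartName -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'Service'; Name = $_.Name; RunAs = $_.StartName }
            }

        # Scheduled tasks: the principal's UserId is the run-as account.
        Get-ScheduledTask -CimSession $session |
            Where-Object { $_.Principal.UserId -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Server = $server
                    Type   = 'Task'
                    Name   = "$($_.TaskPath)$($_.TaskName)"
                    RunAs  = $_.Principal.UserId
                }
            }
    } finally {
        Remove-CimSession -CimSession $session
    }
}

$findings | Sort-Object Server, Type, Name | Format-Table -AutoSize
```

Every row of type Service or Task is something that will stop working after the password change unless its stored credential is updated or it is moved to a dedicated account.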
ASKER
Thanks, very useful!
I am having an issue with Scheduled Tasks.
When I try to set them to the MSA it says it cannot find the account.
Is this normal?
Thanks
jack
http://blog.simonw.se/using_standalone_managed_service_accounts_for_scheduled_tasks/ has an explanation and solution.
ASKER
Thanks - I did see this.
On the DC I create the MSA as follows:
New-ADServiceAccount -Name MSA -Enabled $true -DNSHostName MSA.DomainName.local
Set-ADServiceAccount -Identity MSA -PrincipalsAllowedToRetrieveManagedPassword Server1$,Server2$,Server3$
So I have not been using the Add-ADComputerServiceAccount command line - could this be the problem?
I have been able to use the cmd code: schtasks /Change /TN ScheduledTaskName /RU "domain\MyRunAsAcount$" /RP ""
BUT when I edit the service and try to save it - it will not let me save it as it says the account is not recognised
Thanks again
The article says: "In Windows Server 2012, these accounts can also be used as RunAs account on scheduled tasks but it can’t be configured in GUI." Only that is the problem: the GUI was not designed with that account type in mind, while PowerShell can work with it and so can schtasks.exe.
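The PowerShell route mentioned above, as an added example that is not part of the original thread or the linked article. The account name, task name and script path are placeholders, and it assumes an elevated session on the member server with the ActiveDirectory module installed.

```powershell
# Added example: register a scheduled task that runs as a managed service account.
# Assumptions: 'MSA', 'DOMAIN\MSA$', the task name and the script path are placeholders.
$Msa      = 'MSA'
$RunAs    = 'DOMAIN\MSA$'          # the trailing $ is part of the account name
$TaskName = 'NightlyMaintenance'

# Confirm this computer can actually use the account before touching the task.
if (-not (Test-ADServiceAccount -Identity $Msa)) {
    throw "This computer cannot use $Msa. Check which computers are allowed to retrieve its password, or run Install-ADServiceAccount here."
}

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
              -Argument '-NoProfile -File C:\Scripts\Maintenance.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# LogonType Password with no password supplied: Task Scheduler retrieves the
# managed password itself. The account also needs the "Log on as a batch job" right.
$principal = New-ScheduledTaskPrincipal -UserId $RunAs -LogonType Password

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal

# Check the result from PowerShell, since the Task Scheduler GUI cannot edit this principal.
(Get-ScheduledTask -TaskName $TaskName).Principal | Select-Object UserId, LogonType
```

Later changes to the task should also go through PowerShell or schtasks.exe, because saving it from the GUI prompts for an account the dialog cannot resolve.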
ASKER
Thank you. Working through and using MSA accounts wherever possible.
ASKER
So for Backup Exec, will I create a local user or will I use the MachineName\Administrator account?