jackbenson

asked on

Changing Administrator Account Password on Domain

Hi,

We recently had a security hack in our network - and I want to tighten up the password policy by using Group Policy to have a minimum password criterion.

I am a little worried that if I change the Administrator password I will start to get a lot of issues with programs not running on my server.

Is there a good way to audit what would be affected if the Domain Administrator account gets a new password?

Will it affect things like Exchange Server or Lync Server? In Services these use either a Local System or Network Service account.

My Backup Exec 15 server is using the Domain/Administrator account as the account that runs its services. I assume that I will just need to change the password in Services? Or should I create an account just for Backup Exec Server in AD? If I created an account, would it need to be part of the Administrators group?

Thanks for your help
SOLUTION
Muzafar Momin

ASKER

Thanks for your reply.

So for Backup Exec, will I create a local user or will I use the MachineName\Administrator account?

Create a user in AD & assign the local admin rights on the servers whose backup you want to take.

Would the account need to be a member of the Domain Users security group?
ASKER CERTIFIED SOLUTION
McKnife,

Thanks for this.

I have tried the Managed Service Accounts for a few things and it works.

I guess there is no easy way to audit where the Administrator account is being used? I will have to go through each of my servers 1 by 1 and create the Managed Service Accounts as necessary?

Many Thanks!

jack
It is quite easy to use a tool that scans servers remotely and finds out which services and which tasks use such domain admin accounts: http://www.cjwdev.com/Software/ServiceCredMan/Info.html (free)

Thanks, very useful!

I am having an issue with Scheduled Tasks.

When I try to set them to the MSA it says it cannot find the account.

Is this normal?

Thanks

jack
Thanks - I did see this.

On the DC I create the MSA as follows:

New-ADServiceAccount -Name MSA -Enable $true -DNSHostName MSA.DomainName.local

Set-ADServiceAccount -Identity MSA -PrincipalsAllowedToRetrieveManagedPassword Server1$,Server2$,Server3$

So I have not been using the Add-ADComputerServiceAccount command line - could this be the problem?

I have been able to use the cmd code: schtasks /Change /TN ScheduledTaskName /RU "domainMyRunAsAcount$" /RP ""

BUT when I edit the service and try to save it, it will not let me save it, as it says the account is not recognised.

Thanks again
The article says: "In Windows Server 2012, these accounts can also be used as RunAs account on scheduled tasks but it can’t be configured in GUI." That is the only problem: the GUI was not designed with that account type in mind, while PowerShell can work with it and so can schtasks.exe.

Thank you. Working through and using MSA accounts wherever possible.
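
The audit asked about in this thread (which services and scheduled tasks run as the domain Administrator account) can also be scripted. The following is an added example, not code from any poster or from the tool linked above; the function names are hypothetical and Server1 to Server3 are the thread's placeholder host names. It assumes WinRM is enabled on the targets, the caller has administrative rights there, and the targets run Windows Server 2012 or later (needed for Get-ScheduledTask).

```powershell
# Added example: list services and scheduled tasks that run as a given account.
function Test-RunsAsAccount {
    param([string]$Identity, [string]$SamAccountName)
    if ([string]::IsNullOrWhiteSpace($Identity)) { return $false }
    # Reduce DOMAIN\name, .\name and name@domain to the bare account name.
    # A local account with the same name also matches; RunAs in the output
    # carries the raw value so the two can be told apart.
    $name = ($Identity -split '\\')[-1]
    $name = ($name -split '@')[0]
    return $name -ieq $SamAccountName
}

function Find-AccountUsage {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string]$SamAccountName = 'Administrator'
    )
    foreach ($computer in $ComputerName) {
        try {
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop
        } catch {
            Write-Warning "$computer unreachable: $($_.Exception.Message)"
            continue
        }
        try {
            # Services: the logon account is in Win32_Service.StartName.
            Get-CimInstance -CimSession $session -ClassName Win32_Service |
                Where-Object { Test-RunsAsAccount $_.StartName $SamAccountName } |
                ForEach-Object {
                    [pscustomobject]@{ Computer = $computer; Type = 'Service'
                                       Name = $_.Name; RunAs = $_.StartName }
                }
            # Scheduled tasks: the run-as account is in Principal.UserId.
            Get-ScheduledTask -CimSession $session |
                Where-Object { Test-RunsAsAccount $_.Principal.UserId $SamAccountName } |
                ForEach-Object {
                    [pscustomobject]@{ Computer = $computer; Type = 'ScheduledTask'
                                       Name = $_.TaskPath + $_.TaskName; RunAs = $_.Principal.UserId }
                }
        } finally {
            Remove-CimSession $session
        }
    }
}

# Placeholder host names from the thread; replace with the servers to audit.
Find-AccountUsage -ComputerName 'Server1','Server2','Server3' | Format-Table -AutoSize
```

Each row it returns is a service or task whose credentials need updating, or moving to a dedicated or managed service account, before the Administrator password is changed.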