Link to home
Start Free TrialLog in
Avatar of cgeorgeisaac
cgeorgeisaacFlag for United States of America

asked on

How to reset the primary Domain Admin Password in Windows 2019?

1. Due to security concerns, I have been advised to reset the primary Domain Admin password (not  domain users account) in the Windows 2019 eg. administrator@Domain.com.  I used to use this for all configurations even SQL configurations,  DFS-N configurations, exchange, virtual directories etc. for our main Prod domain.
My question is how easy or how difficult is it to reset this primary Domain Admin password.  I am really not sure what will be the implications as I have never done this.    Is there a way to find out?  Also, what are the steps to follow to accomplish this task.  

2. Is using Service account better going forward?

Many thanks experts. 
ASKER CERTIFIED SOLUTION
Avatar of Hypercat (Deb)
Hypercat (Deb)
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Changing the password will be straightforward enough. Updating the affected user accounts will be the difficult part if its usage is not clearly documented. Ideally everything should not be using the primary domain user account.

My recommendation would be:
  1. Document the different products in your environment and the minimum acceptable privilege they need as per their documentation (domain admin, local admin, service account).
  2. Create a secondary domain admin account
  3. Reset the primary domain admin password as soon as possible while you know that you can manage the downtime
  4. If you have a tight downtime simply update the password on all of your products and proceed to step 5 as soon as is possible
  5. Create and deploy service accounts/local admin/domain admin accounts to all of your products
In the future do not use the primary domain admin on any product within your network. This should only be for administering the domain itself.
Other than minimum acceptable privileges, when a domain admin account is needed then:
- The entire system is perceived to be less vulnerable if the account called Administrator is changed so it isn't so easy to find.
- It may have its password changed
- It may have its name changed
- But, if it's kept then it's UID remains.
- Other domain admin account(s) must be created to meet the need.
- The idea is that this/these account(s) will be harder to find and hack.
Is that about it?
Avatar of cgeorgeisaac

ASKER

Many thanks Hypercat (Deb), Tuxx and hypercube.  
Fantastic and to the point.    I will be looking deeply into each of the suggestion  and discuss with my team members.
Much appreciated.  
in the context of the AD the password you need to change beside the administrators, might be the DC recovery?
you can use ntdsutil to set a new domain controller recovery related password.

Audit the accounts to make sure you do not have a daisy chained account member of netsted groups.
Audit GPOs to make sure non have restricted groups that add an account to an administrative group...

Scope and scale of concern.
Appreciate your advise arnold.  Many thanks.