Administrator password change
Hello all. I would like to change the administrator account password on our DC and other servers, all Windows Server 2003. I was told that changing the administrator password may cause services that use the administrator account to stop working, along with any programs that use the service. While logic tells me that this should not occur, I'm compelled to ask the experts about the possibility that this may actually be true. The DCs are serving typical application services such as AD, Exchange, DNS, SQL and TS. There are third-party applications like BlackBerry, BackupExec, GhostCast, etc. As you may have already guessed, I'm not a Windows Server admin but a Unix admin by profession. I've inherited the environment. Any thoughts or suggestions on the matter are greatly appreciated... :) Thanks, Jav
November 18th, 2009 7:50pm
First, DCs do not have local accounts, except the admin password for AD recovery mode. All member servers and workstations joined to the domain do have local Administrator users.
The danger is that any scheduled tasks or services where the username and password are specified will fail if the password is wrong. In both cases, best practice is not to use the Administrator user, but to use an account with the minimum permissions required. For example, the SQL Server service may use a user account, but hopefully not an administrator account.
A search of all scheduled tasks and services would be difficult. Best might be to change the password, then see what fails. If services on the DC use the "Domain Admin" account, that's even worse. If possible, it is recommended that things like SQL Server not run on DCs, but it is possible. When it happens, I recommend using a normal domain user account to run the service, with a secure password.
Richard Mueller, MVP ADSI
November 18th, 2009 8:56pm
To do the discovery of where Administrator may be configured, use the following utilities.

For Scheduled Tasks, use:
schtasks /S computername /QUERY /V
The /V will display verbose information that includes the user account the task runs under.

Use Services.vbs from Microsoft (if you can find it; I forget where I got it from, I think NT4 Support Tools or Resource Kit?). You can modify the script easily enough to include the service account the service is running under:
cscript Service.vbs /L /S Computername

You can write simple batch files to take a list of computer names and pass them to these utilities to do all the servers quickly... then just search the text file for the Administrator account name.

This claims to be Service.vbs but it is not the full-featured script they released in 1999.
http://support.microsoft.com/kb/271362

This site has it posted.
http://www.517sou.net/Labels/%E6%93%8D%E4%BD%9C/Index.aspx

Modify the script to display the objInstance.StartName value to show the account the service runs under.
November 18th, 2009 9:33pm
Thanks for your input, Richard. As far as I know, the DCs don't have local accounts other than the admin account I used to log in to the DCs. And that is the admin account password that I wanted to change. The admin before me seems to have known, from what I was told, what he was doing. If that's the case, I would assume (not really) that he would have created non-admin accounts with enough privilege to install, configure and start the required services. Given that he is no longer here, I'll have to assume the worst possible case for now. One particular DC runs the SQL Server, BlackBerry and other third-party applications. I guess I'll have to do an admin "oops" and see what happens. Any other tips or ideas are certainly appreciated. Thanks, Jav
November 18th, 2009 9:42pm
To do the discovery of where Administrator may be configured, use the following utilities ...
Thank you, Gunner. Your suggestion looks very promising. I'll give it a try, and thanks for your reply. Thanks, Jav
November 18th, 2009 9:47pm
I ran the vbs scripts and found that it listed a good number of services. For one script, I've redirected the output to a file. The file contains a good number of services, some description, and current state, but it doesn't tell me what account is used to run the service. I've run services.msc and it provided me a similar listing. While it does not show the short name, it does tell me what account(?) is used to run it. The following is a sample list.
<code>
Name                      Description      Status    Startup    Log On As
Backup Exec Server        Implements...    Started   Automatic  localhost\backupexecservice
...
MSSQL$BKUPEXEC                             Started   Automatic  Local System
...
DNS client                Resolves...      Started   Automatic  Network Service
...
SharePoint Timer Service  Sends notifi...  Started   Automatic  NT AUTHORITY\NETWORK SERVICE
...
</code>
The rest of the services are either Disabled or Manual. My question is, is this a good place to determine whether a service is started by the admin account? Can someone please provide some info on the users under the "Log On As" column? Is there an administrator account involved here? I appreciate any input or suggestions. Thanks, Jav
November 19th, 2009 12:43am
Actually, the output is telling you which accounts are used to run the services, the accounts listed in the column "Log On As". I believe all the accounts listed are all managed by the operating system.
Domain Controllers do not have local accounts, except an administrator account that can only be used for AD recovery mode. No one can log on with a local account, not even Administrator. Everyone must use a domain account when they log on to a DC.

Local System is a powerful account that has unrestricted access to all local system resources. The Network Service account is authenticated to network resources as the local computer.
Richard Mueller, MVP ADSI
November 19th, 2009 2:42am
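The discovery that Gunner describes (services via their StartName, scheduled tasks via schtasks /V) and the distinction Richard draws between OS-managed accounts and named accounts can be combined into one inventory. The following is an added example, not code posted in this thread: it queries Win32_Service over WMI (StartName is the "Log On As" column from services.msc), parses the CSV output of schtasks /Query /V, and flags any entry that runs as Administrator. The server names are placeholders, and it assumes WMI and RPC are reachable and the caller has admin rights on each target. It deliberately does not flag other named accounts such as localhost\backupexecservice: those break only if that account's password changes, but they are still worth reading off the exported CSV.

```powershell
# Added example (not from the thread). Inventory service and scheduled-task
# logon accounts on a list of servers and flag any that run as Administrator.
# Assumptions: WMI/RPC reachable, caller is an admin on each target, and
# schtasks /FO CSV is available (Windows Server 2003 and later).
$servers = @('DC01', 'DC02', 'APP01')   # hypothetical names; replace with your own

# Accounts the OS manages itself. Changing the Administrator password does
# not affect these, which is Richard's point about Local System / Network Service.
$builtIn = @('LocalSystem', 'NT AUTHORITY\SYSTEM',
             'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE',
             'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE')

function Get-ServiceLogons {
    param([string]$Computer)
    # Win32_Service.StartName is the account shown under "Log On As" in services.msc
    Get-WmiObject -Class Win32_Service -ComputerName $Computer |
        ForEach-Object {
            New-Object PSObject -Property @{
                Computer = $Computer
                Kind     = 'Service'
                Name     = $_.Name
                State    = $_.State
                Account  = $_.StartName
            }
        }
}

function Get-TaskLogons {
    param([string]$Computer)
    # schtasks /V adds a "Run As User" column; /FO CSV makes it parseable
    $rows = schtasks /Query /S $Computer /V /FO CSV 2>$null | ConvertFrom-Csv
    foreach ($t in $rows) {
        if ($t.TaskName -eq 'TaskName') { continue }   # newer schtasks repeats the header per task
        New-Object PSObject -Property @{
            Computer = $Computer
            Kind     = 'Task'
            Name     = $t.TaskName
            State    = $t.Status
            Account  = $t.'Run As User'
        }
    }
}

function Test-AdministratorAccount {
    param([string]$Account)
    # Built-in and empty accounts are never the Administrator user
    if (-not $Account -or $builtIn -contains $Account) { return $false }
    # Matches COMPUTER\Administrator, DOMAIN\Administrator, .\Administrator and bare Administrator
    return ($Account -match '(^|\\)Administrator$')
}

$inventory = foreach ($s in $servers) {
    Get-ServiceLogons -Computer $s
    Get-TaskLogons    -Computer $s
}

# Everything, for review of other named accounts (e.g. a backup service account)
$inventory | Export-Csv -NoTypeInformation -Path .\logon-inventory.csv

# Only the entries that will break when the Administrator password changes
$inventory |
    Where-Object { Test-AdministratorAccount $_.Account } |
    Sort-Object Computer, Kind, Name |
    Format-Table Computer, Kind, Name, State, Account -AutoSize
```

Run it from an admin workstation before the password change and keep logon-inventory.csv; after the change, the same flagged list is the set of services and tasks whose stored credential needs updating. An account that is not named Administrator can still be a Domain Admins member, so for anything named in the CSV it is worth confirming group membership (for example with net group "Domain Admins" /domain) before deciding it is a low-privilege service account.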