Need to change a domain administrator password
We just lost a Network Admin due to a layoff, and now they want to change the Domain administrator password since he knew the password. Is it as simple as going to Active Directory and changing the password, and do I have to restart all the servers? Is there anything that I need to look out for when I change the domain admin password?

Thanks,
January 15th, 2010 9:10pm

Thanks, Jorge, for the quick response.
January 15th, 2010 11:40pm

Hi rockets97,

I would suggest changing the domain administrator password only after evaluating the services which are dependent on the domain administrator password.

For example, you might run a few applications which are connected to the directory service using domain admin credentials, and if an application is performing a critical task of querying / writing data using those credentials, then you would end up in trouble.

For a more technical analysis, remember that when you log in to any operating system, your logon account is associated with 2 major components:
a) SID
b) Token

The token defines everything for any account, so the server where the administrator is logged in will be using the token (with current domain credentials) for any communication. So make sure you change the password by making sure that none of the applications are dependent on the administrator account.
January 16th, 2010 7:01am

Sainath brings up a good point.  For anyone that may be running tasks, jobs, and/or services using the domain administrator account, that is really not a good idea.  For these types of system services, a dedicated account should be used to ensure that a change in password does not interfere with the application and as a result, impact services and/or users.

In addition, it is a very good practice to do things such as rename the administrator account & userID, or simply disable it as you will see on typical installations of Windows Vista/7.  It is also a very good idea to monitor the Administrator account for attempts to log on, password changes, etc., so that you can proactively defend against individuals attempting to gain access to this account.  You can simply do this by enabling auditing and either manually monitoring the logs or using an application such as Operations Manager to alert you when certain events a
January 16th, 2010 7:14pm

Hi,

Is anyone aware of any tools that are available to find out what apps and services are currently using the domain admin account?

September 9th, 2011 12:29pm

I'm curious about this too.  Is there a tool/app out there that would tell what all is running under the domain admin account?  The last time I changed the domain administrator password, which was YEARS ago, it broke everything... to the point I had to change it back.  Haven't tried it since :)

Inquiring minds want to know.

D


February 11th, 2012 12:16am

Very interesting question, I have the same requirements (change password) due to admin retirement but I'm worried about the consequences.

I'm looking for a tool that audits administrator activity on all my Windows hosts but it's difficult to achieve a solution.

Now I'm evaluating the Quest Access Manager solution; it has been designed for file/share access monitoring but it also seems valid for service accounts.

Reports about similar experiences are very much appreciated; the d.l.t. post alarms me ;-)

February 12th, 2012 9:36pm

Hi Emmanuel,

I apologize for continuing what is obviously a rather old thread, but I wonder if you could help me further.  I followed your instructions to the letter and everything seemed to work fine.  After creating the SQL file (had to change the path to the EVT file as it was different), I ran the LogParser and it was successful.  In the command prompt, I got:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Log Parser 2.2>LogParser.exe file:c:\whatever.sql -o:datagrid

Statistics:
-----------
Elements processed: 380502
Elements output:    0
Execution time:     4.49 seconds


C:\Program Files\Log Parser 2.2>

The SQL file I created looks like this:

SELECT
      timegenerated, ComputerName,
      EXTRACT_TOKEN(Strings,1,'|') AS Domain,
      EXTRACT_TOKEN(Strings,0,'|') AS User,
      EXTRACT_TOKEN(Strings,3,'|') AS LogonType,
      EXTRACT_TOKEN(Strings,13,'|') AS SourceNetworkAddress,
      EXTRACT_TOKEN(Strings,14,'|') AS SourcePort,
      EventID
FROM 'C:\WINDOWS\System32\config\SecEvent.Evt'
WHERE EventID=540 AND SID LIKE 'S-1-5-21-1506026005-1441884114-7473742-500'

The questions I have now are...  Did I do this right?  If not, what's wrong?  If so, where is the data I am looking for so I can read it and ascertain what the Administrator account is doing?  Thanks!

Chris

August 31st, 2013 2:47pm

OK, update.  Oops!  Forgot to use my own administrator SID.  Did that and got the Log Parser window listing THOUSANDS of records.  It is showing me "SourceNetworkAddresses" and "SourcePorts", but this doesn't actually tell me what is happening.

Help?!  Thanks!

August 31st, 2013 9:48pm
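
Added example, not part of the original posts: one way to reduce the thousands of rows returned by the query above to one line per source host, assuming the same query is run with Log Parser's CSV output (`-o:CSV`) instead of the datagrid. The sample rows, host name and addresses are constructed, and `summarize_logons` is a hypothetical helper name.

```python
import csv
import io
from collections import defaultdict

# Logon type codes used in Windows logon events (subset).
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch",
               "5": "Service", "10": "RemoteInteractive"}

# Constructed sample: rows in the column order of the query in this thread,
# as saved with -o:CSV. Host name and addresses are made up.
SAMPLE_CSV = """\
timegenerated,ComputerName,Domain,User,LogonType,SourceNetworkAddress,SourcePort,EventID
2013-08-29 02:00:04,DC01,CORP,Administrator,3,10.0.0.21,1045,540
2013-08-30 02:00:03,DC01,CORP,Administrator,3,10.0.0.21,1102,540
2013-08-31 02:00:05,DC01,CORP,Administrator,3,10.0.0.21,1230,540
2013-08-30 09:14:52,DC01,CORP,Administrator,3,10.0.0.57,3391,540
2013-08-30 16:40:10,DC01,CORP,Administrator,3,10.0.0.57,3412,540
2013-08-31 11:05:33,DC01,CORP,Administrator,3,-,-,540
"""


def summarize_logons(csv_text):
    """Collapse per-logon rows into one entry per (source address, logon type)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "hours": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = row["SourceNetworkAddress"].strip() or "-"
        g = groups[(src, row["LogonType"].strip())]
        ts = row["timegenerated"]          # "YYYY-MM-DD hh:mm:ss" sorts as text
        g["count"] += 1
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
        g["hours"].add(int(ts[11:13]))     # hour of day, to spot fixed schedules
    summary = [
        {"source": src, "logon_type": LOGON_TYPES.get(lt, "Type " + lt),
         "count": g["count"], "first": g["first"], "last": g["last"],
         "hours": sorted(g["hours"])}
        for (src, lt), g in groups.items()
    ]
    # Busiest sources first: these are the hosts to check for whatever is
    # logging on with the account.
    return sorted(summary, key=lambda r: (-r["count"], r["source"]))


if __name__ == "__main__":
    for r in summarize_logons(SAMPLE_CSV):
        print("{source:15} {logon_type:10} {count:5}  {first} .. {last}  "
              "hours={hours}".format(**r))
```

A source that only ever appears at one fixed hour suggests a scheduled job on that host, while one spread across working hours is more likely a person or a long-running application.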

This topic is archived. No further replies will be accepted.
