Thanks,
I would suggest changing the domain administrator password only after evaluating the services which are dependent on the domain administrator password.
For example, you might run a few applications which are connected to the Directory service using domain admin credentials, and if the application is performing the critical task of querying / writing data using the credentials, then you would end up in trouble.
For a more technical analysis, remember that when you log in to any operating system your logon account is associated with 2 major components:
a) SID
b) Token
The token defines everything for any account, so the server where the administrator is logged in will be using the token (with the current domain credentials) for any communication. So make sure you change the password only after making sure that none of the applications are dependent on the administrator account.
In addition, it is a very good practice to do things such as rename the administrator account & user ID, or simply disable it as you will see on typical installations of Windows Vista/7. It is also a very good idea to monitor the Administrator account for attempts to log on, password changes, etc. so that you can proactively defend against individuals attempting to gain access to this account. You can simply do this by enabling auditing and either manually monitor the logs or use an application such as Operations Manager to alert you when certain events a
Hi,
Is anyone aware of any tools that are available to find out what apps and services are currently using the domain admin account?
I'm curious about this too. Is there a tool/app out there that would tell what all is running under the domain admin account? The last time I changed the domain administrator password, which was YEARS ago, it broke everything... to the point I had to change it back. Haven't tried it since :)
Inquiring minds want to know.
D
Very interesting question, I have the same requirements (change password) due to admin retirement but I'm worried about the consequences.
I'm looking for a tool that audits administrator activity on all my Windows hosts but it's difficult to achieve a solution.
Now I'm evaluating the Quest Access Manager solution, it has been designed for file/share access monitoring but it also seems valid for service account.
Reports about similar experiences are very much appreciated; the d.l.t. post alarms me ;-)
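The two posts above both ask for a tool that shows what is running under the domain admin account before the password is changed. There is no single built-in tool for this, but the two most common places a domain account gets wired in (Windows services and scheduled tasks) can be enumerated remotely. The script below is an added example, not something posted in this thread or shipped by Microsoft or Quest; the host names, the account spellings and the output path are placeholders you would replace, and it assumes WMI access and local admin rights on each host plus an English-locale schtasks output (the 'Run As User' column name is locale dependent).

```powershell
# Added example (not from the thread): find services and scheduled tasks that
# run under a given domain account on a list of hosts, before the password changes.
# All host names, account forms and the output path below are placeholders.
param(
    [string[]]$Computers    = @('DC01', 'APP01', 'SQL01'),                      # placeholder hosts
    [string[]]$AccountForms = @('CONTOSO\Administrator',                        # placeholder account,
                                'administrator@contoso.com'),                   # both DOMAIN\user and UPN spelling
    [string]  $OutFile      = 'C:\temp\admin-account-usage.csv'
)

function Find-AccountUsage {
    param([string[]]$Computers, [string[]]$AccountForms)

    foreach ($c in $Computers) {
        # Services: Win32_Service.StartName holds the logon account of each service.
        try {
            Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction Stop |
                Where-Object { $_.StartName -and ($AccountForms -icontains $_.StartName) } |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer = $c; Kind = 'Service'; Name = $_.Name
                        RunAs    = $_.StartName; State = $_.State
                    }
                }
        } catch { Write-Warning "WMI query failed on ${c}: $_" }

        # Scheduled tasks: the verbose CSV listing from schtasks carries a 'Run As User'
        # column (English locale assumed). Repeated header rows in that output never
        # match a real account name, so the filter drops them as well.
        try {
            schtasks.exe /Query /S $c /FO CSV /V 2>$null | ConvertFrom-Csv |
                Where-Object { $AccountForms -icontains $_.'Run As User' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer = $c; Kind = 'ScheduledTask'; Name = $_.TaskName
                        RunAs    = $_.'Run As User'; State = $_.Status
                    }
                }
        } catch { Write-Warning "schtasks query failed on ${c}: $_" }
    }
}

$findings = Find-AccountUsage -Computers $Computers -AccountForms $AccountForms
$findings | Sort-Object Computer, Kind, Name | Format-Table -AutoSize
$findings | Export-Csv -Path $OutFile -NoTypeInformation
```

This only covers services and scheduled tasks; IIS application pools, COM+ applications and application-specific connection strings can also embed the account and have to be checked in their own configuration. Run it against every host (not just the domain controllers), fix each finding by moving it to a dedicated service account, and only then change the password.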
Hi Emmanuel,
I apologize for continuing what is obviously a rather old thread, but I wonder if you could help me further. I followed your instructions to the letter and everything seemed to work fine. After creating the SQL file (had to change the path to the EVT file as it was different), I ran the LogParser and it was successful. In the command prompt, I got:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\Log Parser 2.2>LogParser.exe file:c:\whatever.sql -o:datagrid
Statistics:
-----------
Elements processed: 380502
Elements output: 0
Execution time: 4.49 seconds
C:\Program Files\Log Parser 2.2>
The SQL file I created looks like this:
SELECT
timegenerated, ComputerName,
EXTRACT_TOKEN(Strings,1,'|') AS Domain,
EXTRACT_TOKEN(Strings,0,'|') AS User,
EXTRACT_TOKEN(Strings,3,'|') AS LogonType,
EXTRACT_TOKEN(Strings,13,'|') AS SourceNetworkAddress,
EXTRACT_TOKEN(Strings,14,'|') AS SourcePort,
EventID
FROM 'C:\WINDOWS\System32\config\SecEvent.Evt'
WHERE EventID=540 AND SID LIKE 'S-1-5-21-1506026005-1441884114-7473742-500'
The questions I have now are... Did I do this right? If not, what's wrong? If so, where is the data I am looking for so I can read it and ascertain what the Administrator account is doing? Thanks!
Chris
OK, update. Oops! Forgot to use my own administrator SID. Did that and got the Log Parser window listing THOUSANDS of records. It is showing me "SourceNetworkAddresses" and "SourcePorts", but this doesn't actually tell me what is happening.
Help?! Thanks!
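The datagrid output answers "where did the Administrator account log on from", but with thousands of rows the useful view is an aggregate: how many logons of each logon type came from each source address, and when. Logon type 5 (service) and 4 (batch) rows point at services and scheduled tasks using the account; type 3 (network) rows name the hosts that connect with it; type 2 and 10 are people at a console or over RDP. The script below is an added example, not part of Emmanuel's instructions or the Log Parser product; it assumes the query above was re-run with CSV output (-o:CSV with an INTO clause or redirected standard output) so the columns match the SELECT list, and the sample rows embedded in it are constructed for illustration.

```powershell
# Added example (not from the thread): collapse the event 540 rows exported from
# Log Parser into "logon type x source address" counts with first/last seen times.
# The CSV sample is constructed; replace it with Import-Csv of the real export.
$sample = @'
timegenerated,ComputerName,Domain,User,LogonType,SourceNetworkAddress,SourcePort,EventID
2010-03-01 08:00:01,DC01,CONTOSO,Administrator,3,10.0.0.15,4521,540
2010-03-01 08:00:07,DC01,CONTOSO,Administrator,3,10.0.0.15,4530,540
2010-03-01 08:05:00,DC01,CONTOSO,Administrator,5,-,-,540
2010-03-01 09:12:44,DC01,CONTOSO,Administrator,10,10.0.0.99,1201,540
2010-03-01 09:30:00,DC01,CONTOSO,Administrator,4,-,-,540
2010-03-02 08:05:00,DC01,CONTOSO,Administrator,5,-,-,540
'@

# Standard Windows logon type codes as recorded in the security log.
$logonTypeNames = @{
    '2'  = 'Interactive (console)'
    '3'  = 'Network (SMB/RPC/LDAP from another host)'
    '4'  = 'Batch (scheduled task)'
    '5'  = 'Service (service start)'
    '7'  = 'Unlock'
    '8'  = 'NetworkCleartext'
    '9'  = 'NewCredentials (runas /netonly)'
    '10' = 'RemoteInteractive (RDP)'
    '11' = 'CachedInteractive'
}

function Get-AdminLogonSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        Group-Object LogonType, SourceNetworkAddress |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object timegenerated
            [pscustomobject]@{
                LogonType = $sorted[0].LogonType
                Meaning   = $logonTypeNames[[string]$sorted[0].LogonType]
                Source    = $sorted[0].SourceNetworkAddress
                Count     = $_.Count
                FirstSeen = $sorted[0].timegenerated
                LastSeen  = $sorted[-1].timegenerated
            }
        } | Sort-Object Count -Descending
}

# Swap the next line for: $events = Import-Csv 'C:\admin-logons.csv'
$events = $sample | ConvertFrom-Csv
Get-AdminLogonSummary -Events $events | Format-Table -AutoSize
```

Each service or batch row on this summary corresponds to something on that server that holds the password and will break when it changes; each network row names a remote host that still has to be inspected with the same question in mind. Event 540 only records successful logons, so add EventID 529 (failed logon) to the WHERE clause if you also want to see who is guessing at the account.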