Need to change a domain administrator password
We just lost a Network Admin due to a layoff, and now they want to change the Domain administrator password since he knew the password. Is it as simple as going to Active Directory and changing the password, and do I have to restart all the servers? Is there anything that I need to look out for when I change the domain admin password?

Thanks,
January 15th, 2010 9:10pm

To change the domain administrator password, another user account that is a member of the Built-in Administrator's group or Domain Administrator's group will have to change the password.

You can change the password using the Active Directory Users and Computers Console, locate the Administrator account, click on properties, and reset the password.

You don't have to restart any servers o
January 15th, 2010 10:12pm

Hi rockets97,

I would suggest changing the domain administrator password after evaluating the services which are dependent on the domain administrator password.

For example, you might run a few applications which are connected to the directory service using domain admin credentials, and if an application is performing a critical task of querying/writing data using those credentials, then you would end up in trouble.

For a more technical analysis, remember that when you log in to any operating system, your logon account is associated with 2 major components:
a) SID
b) Token

The token defines everything for any account, so the server where the administrator is logged in will be using the token (with current domain credentials) for any communication. So make sure you change the password by making sure that none of the applications are dependent on the administrator account.
January 16th, 2010 7:01am

Hi,

Is anyone aware of any tools that are available to find out what apps and services are currently using the domain admin account?

 

September 9th, 2011 12:29pm

Stumbled on your question: where is the Active Directory Domain Administrator account used?

Make sure you have auditing turned on for successful logons.

Leverage LogParser from Microsoft.

Create a file named whatever.sql containing the query below:

    SELECT
          timegenerated, ComputerName,
          EXTRACT_TOKEN(Strings,1,'|') AS Domain,
          EXTRACT_TOKEN(Strings,0,'|') AS User,
          EXTRACT_TOKEN(Strings,3,'|') AS LogonType,
          EXTRACT_TOKEN(Strings,13,'|') AS SourceNetworkAddress,
          EXTRACT_TOKEN(Strings,14,'|') AS SourcePort,
          EventID
    FROM 'C:\temp\security-event-log.evt'
    WHERE EventID=540 AND SID LIKE 'S-1-5-21-1506026005-1441884114-7473742-500'

Run the following:

C:\Program Files\Log Parser 2.2>LogParser.exe file:whatever.sql -o:datagrid

That will list all the events where the "Administrator" account was used for authentication.

References:

http://www.stevebunting.org/udpd4n6/forensics/logparser.htm

http://www.windowsitpro.com/content1/topic/logparser/catpath/monitoring-and-analysis/page/2

 

Downloads:

Download Log Parser 2.2

Rgds

Emmanuel

March 8th, 2012 12:40pm

OK, update.  Oops!  Forgot to use my own administrator SID.  Did that and got the Log Parser window listing THOUSANDS of records.  It is showing me "SourceNetworkAddresses" and "SourcePorts", but this doesn't actually tell me what is happening.

Help?!  Thanks!

August 31st, 2013 9:48pm
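
An added example, not part of the original thread: one way to turn thousands of rows from the query above into a short list of where the Administrator account is being used, by grouping on computer, logon type and source address. It assumes the results were exported as CSV (Log Parser's -o:CSV output) with the column names from the query; the sample rows and the function name are constructed for illustration.

```python
import csv
import io

# Windows logon type codes as they appear in the LogonType column
LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
    "7": "Unlock", "8": "NetworkCleartext", "10": "RemoteInteractive",
    "11": "CachedInteractive",
}

# Constructed sample rows (not real log data), using the query's column names
SAMPLE_CSV = """\
timegenerated,ComputerName,Domain,User,LogonType,SourceNetworkAddress,SourcePort,EventID
2012-03-08 09:00:01,DC01,CORP,Administrator,3,10.0.0.21,1045,540
2012-03-08 09:00:31,DC01,CORP,Administrator,3,10.0.0.21,1046,540
2012-03-08 09:05:12,DC01,CORP,Administrator,3,10.0.0.35,2210,540
2012-03-08 09:01:01,DC01,CORP,Administrator,3,10.0.0.21,1047,540
2012-03-08 10:15:40,DC01,CORP,Administrator,8,10.0.0.50,3391,540
2012-03-08 11:02:09,DC01,CORP,Administrator,3,-,-,540
"""


def summarize(csv_text):
    """Collapse logon rows into one entry per (computer, logon type, source)."""
    groups = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        source = row["SourceNetworkAddress"].strip()
        if source in ("", "-"):          # event carried no source address
            source = "(no address recorded)"
        code = row["LogonType"].strip()
        key = (row["ComputerName"], LOGON_TYPES.get(code, "Type " + code), source)
        stamp = row["timegenerated"]     # yyyy-MM-dd hh:mm:ss sorts as text
        entry = groups.setdefault(key, {"count": 0, "first": stamp, "last": stamp})
        entry["count"] += 1
        entry["first"] = min(entry["first"], stamp)
        entry["last"] = max(entry["last"], stamp)
    # Busiest sources first: these are the hosts to check before the password change
    return sorted(groups.items(), key=lambda kv: (-kv[1]["count"], kv[0]))


if __name__ == "__main__":
    for (computer, logon_type, source), g in summarize(SAMPLE_CSV):
        print(f"{g['count']:>5}  {computer}  {logon_type:<17} {source:<22} "
              f"{g['first']} .. {g['last']}")
```

Each remaining line is a host (source address) that authenticated as Administrator, with how often and over what time span, which gives a list of machines to inspect for services, scheduled tasks or mapped connections that depend on the password.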

This topic is archived. No further replies will be accepted.
