Thanks,
You can change the password using the Active Directory Users and Computers Console, locate the Administrator account, click on properties, and reset the password.
You don't have to restart any servers o
I would suggest changing the domain administrator password only after evaluating the services which are dependent on the domain administrator password.
For example, you might run a few applications which are connected to the Directory service using domain admin credentials, and if the application is performing the critical task of querying / writing data using those credentials, then you would end up in trouble.
More technical analysis: remember that when you log in to any operating system, your logon account is associated with 2 major components:
a) SID
b) Token
The token defines everything for any account, so the server where the administrator is logged in will be using the token (with the current domain credentials) for any communication. So make sure you change the password only after making sure that none of the applications are dependent on the administrator account.
Hi,
Is anyone aware of any tools that are available to find out what apps and services are currently using the domain admin account?
Stumbled on your question: where is the Active Directory Domain Administrator account used?
Make sure you have auditing on for success logon.
Leverage LogParser from Microsoft.
Create a file named whatever.sql containing the query below:
SELECT
timegenerated, ComputerName,
EXTRACT_TOKEN(Strings,1,'|') AS Domain,
EXTRACT_TOKEN(Strings,0,'|') AS User,
EXTRACT_TOKEN(Strings,3,'|') AS LogonType,
EXTRACT_TOKEN(Strings,13,'|') AS SourceNetworkAddress,
EXTRACT_TOKEN(Strings,14,'|') AS SourcePort,
EventID
FROM 'C:\temp\security-event-log.evt'
WHERE EventID=540 AND SID LIKE 'S-1-5-21-1506026005-1441884114-7473742-500'
Run the following:
C:\Program Files\Log Parser 2.2>LogParser.exe file:whatever.sql -o:datagrid
That will list all the events where the "Administrator" account was used for authentication.
References:
http://www.stevebunting.org/udpd4n6/forensics/logparser.htm
http://www.windowsitpro.com/content1/topic/logparser/catpath/monitoring-and-analysis/page/2
Downloads:
Rgds
Emmanuel
OK, update. Oops! Forgot to use my own administrator SID. Did that and got the Log Parser window listing THOUSANDS of records. It is showing me "SourceNetworkAddresses" and "SourcePorts", but this doesn't actually tell me what is happening.
Help?! Thanks!
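The question earlier in the thread was which apps and services are using the domain admin account, and the follow-up complains that the LogParser output is thousands of raw records with source addresses and ports that do not say what is happening. The added example below (not from any post in this thread) shows the next step: parse records of the same shape the LogParser query tokenises, keep only those for the account's SID, and aggregate them by computer, source address and logon type so the thousands of rows collapse into a short inventory of where and how the account is used. The export format (EventID|SID|ComputerName|Strings), the SID, and the sample records are all constructed for illustration; the logon-type codes are the documented Windows values.

```python
"""Aggregate exported Windows security-log logon records for one account.

Added example, not from any post in this thread. Input records are assumed to be
exported one per line as: EventID|SID|ComputerName|<Strings>, where <Strings> is the
pipe-separated event data the thread's LogParser query tokenises with EXTRACT_TOKEN
(token 0 = user, 1 = domain, 3 = logon type, 13 = source address, 14 = source port).
"""
from collections import Counter

# Constructed SID for the account of interest (RID 500 = built-in Administrator).
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-500"

# Logon type codes recorded in the Logon Type field of Windows logon events.
LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
    "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
    "10": "RemoteInteractive", "11": "CachedInteractive",
}

# Constructed sample export. Event 540 = successful network logon and 528 = successful
# logon on Windows 2000/2003; each record carries the 15 Strings tokens of those events.
SAMPLE_RECORDS = """\
540|S-1-5-21-1111111111-2222222222-3333333333-500|DC01|Administrator|CONTOSO|(0x0,0x1A2B)|3|Kerberos|Kerberos|-|{00000000-0000-0000-0000-000000000000}|-|-|-|-|-|10.0.0.25|445
540|S-1-5-21-1111111111-2222222222-3333333333-500|DC01|Administrator|CONTOSO|(0x0,0x1A2C)|3|Kerberos|Kerberos|-|{00000000-0000-0000-0000-000000000000}|-|-|-|-|-|10.0.0.25|445
540|S-1-5-21-1111111111-2222222222-3333333333-500|APP01|Administrator|CONTOSO|(0x0,0x9F01)|5|Advapi|Negotiate|APP01|{00000000-0000-0000-0000-000000000000}|-|-|-|-|-|-|-
540|S-1-5-21-1111111111-2222222222-3333333333-1105|DC01|jdoe|CONTOSO|(0x0,0x3C4D)|3|Kerberos|Kerberos|-|{00000000-0000-0000-0000-000000000000}|-|-|-|-|-|10.0.0.77|49152
528|S-1-5-21-1111111111-2222222222-3333333333-500|WS17|Administrator|CONTOSO|(0x0,0x7E8F)|2|User32|Negotiate|WS17|{00000000-0000-0000-0000-000000000000}|-|-|-|-|-|127.0.0.1|0
"""

STRINGS_FIELD_COUNT = 15  # tokens in the 528/540 Strings payload


def parse_record(line):
    """Split one exported record into named fields; None for blank or malformed lines."""
    parts = line.strip().split("|")
    if len(parts) < 3 + STRINGS_FIELD_COUNT:
        return None
    event_id, sid, computer = parts[0], parts[1], parts[2]
    strings = parts[3:]  # same token positions the LogParser query uses
    return {
        "EventID": event_id,
        "SID": sid,
        "ComputerName": computer,
        "User": strings[0],
        "Domain": strings[1],
        "LogonType": LOGON_TYPES.get(strings[3], "Type " + strings[3]),
        "SourceNetworkAddress": strings[13],
        "SourcePort": strings[14],
    }


def summarize(records_text, sid, event_ids=("540",)):
    """Count logons for `sid` by (ComputerName, SourceNetworkAddress, LogonType).

    Defaults to event 540 like the thread's query; pass ("528", "540") to include
    local successful logons as well.
    """
    counts = Counter()
    for line in records_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["SID"] != sid or rec["EventID"] not in event_ids:
            continue
        counts[(rec["ComputerName"], rec["SourceNetworkAddress"], rec["LogonType"])] += 1
    return counts


def format_report(counts):
    """Render the aggregate as fixed-width lines, busiest combination first."""
    lines = []
    for (computer, source, logon_type), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        lines.append(f"{n:>6}  {computer:<12} {source:<16} {logon_type}")
    return lines


if __name__ == "__main__":
    report = summarize(SAMPLE_RECORDS, SAMPLE_SID, event_ids=("528", "540"))
    print(" count  computer     source           logon type")
    print("\n".join(format_report(report)))
```

Reading the aggregate is what answers the original question: a Network logon repeated from one address is a host connecting with the account over the network, while a Service or Batch logon on a host with no source address (APP01 in the constructed sample) is a service or scheduled task on that host configured to run as the account, exactly the kind of dependency the earlier reply warned would break when the password is changed.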