Administrator Password change 1

Status
Not open for further replies.

bigkeith

IS-IT--Management
Jul 27, 2001
36
GB
Hi all,
This sounded simple, till someone decided to sow the seeds of doubt. Our domain administrator account password hasn't been changed since I joined the company, 2 years ago! Obviously I need to address this. As we use the administrator account on all 12 of our servers, someone has suggested that when I change the password all these servers will lose connection to the domain until they are logged in again with the new password. Not a great idea, as most are critical servers. Am I being over-cautious, or will changing the password have no effect on a server that's already logged on, other than changing any services that use the admin account for when we reboot?

Many thanks.

Keith
 
The domain administrator's password has nothing to do with machines authenticating to the domain (as far as I know). It's the domain computer account password that must be in sync.
No services should be using the domain administrator account in order to run in the first place.
The only effect here is that the domain administrator will need to log out/log in again in order to perform any administrative tasks on servers (for which the account should not be used anyway).
A while back I created a group policy to rename the administrator account, which included the domain administrator (didn't know it would do that), and it did not affect the domain. If there is concern you can always test to be sure though. Hope this helps.
 
Thanks itsp1965 for the response. I might be confusing things; what I meant was the Administrator account on the domain, not the local administrator account. All our servers log in using this same account. I'm sure everyone must use this account and change the password fairly regularly.

Thanks

Keith
 
Keith,

You're ok...change the password on one DC being sure the admin isn't logged into any of the servers. Then login to each server and make the appropriate changes for any services that use the admin account.

It won't stop the servers from working on the domain.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
The poster formerly known as lander215
 
Keith, ideally you should not be using the domain administrator account. Since the Domain Administrators global group has administrative rights to member servers by default (unless you have changed your security), you can put your admins in this group and leave the domain administrator account alone. Forcing your admins to use their own accounts will help you in auditing changes on your domain. My 2 cents.

Regards

Terry
 
I didn't read other replies, so this may be redundant...

When you change the domain admin password, everything will continue to work as usual. The next time you logon to a server, simply use the new password. Machines will NOT stop communicating on the network.

However, if you have ANY service accounts running under domain admin creds, the next time you restart the service or reboot the server you are going to have issues. Logon creds will need to be changed on ALL services using domain admin to log on. Scheduled Tasks will cease to execute if using domain admin creds.

Create a service account for EACH service that needs a particular domain/local logon account, as well as for each Task you may have scheduled. These should have very strong passwords (at least 128bit), and do not need to be changed very often due to the strength of the password.

To wrap this up, I would suggest a quarterly password rotation for the domain/local admin accounts. Possibly a bi-annual rotation for the service accounts.

Hope This Helps,

Good Luck!
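A pre-rotation check in the spirit of this reply, added here as an example and not code from the original thread: it lists every Windows service and scheduled task on a set of member servers whose logon account is the one about to be rotated, so their stored credentials can be updated. The server names and the account name are placeholders, and the script assumes PowerShell remoting (WinRM) is enabled on the targets.

```powershell
# Added example: find services and scheduled tasks that run under a given domain
# account before its password is rotated. Server list and account are placeholders.
$Account = 'CONTOSO\Administrator'          # placeholder: account being rotated
$Servers = @('SERVER01', 'SERVER02')        # placeholder: member servers to inspect
$BareUser = ($Account -split '\\')[-1]      # "Administrator" (tasks often store the bare name)

$findings = Invoke-Command -ComputerName $Servers -ArgumentList $Account, $BareUser -ScriptBlock {
    param($Account, $BareUser)

    # Services: Win32_Service.StartName holds the logon account (e.g. "DOMAIN\user").
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($_.StartName -ieq $Account) } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Type     = 'Service'
                Name     = $_.Name
                State    = $_.State          # a running service keeps working until it is restarted
                Account  = $_.StartName
            }
        }

    # Scheduled tasks: Principal.UserId is the account the task runs as, stored
    # either as "DOMAIN\user" or as the bare user name.
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and
                       ($_.Principal.UserId -ieq $Account -or $_.Principal.UserId -ieq $BareUser) } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Type     = 'ScheduledTask'
                Name     = $_.TaskName
                State    = $_.State
                Account  = $_.Principal.UserId
            }
        }
}

# Everything listed here will fail at its next restart or scheduled run once the password changes.
$findings | Sort-Object Computer, Type, Name |
    Format-Table Computer, Type, Name, State, Account -AutoSize
```

An empty result is the state the replies above recommend: no service or task depends on the administrator account, and the rotation only affects interactive logons.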
 
BTW - I agree with itsp1965

Forcing your admins to use their own accounts will help you in auditing changes on your domain

Everyone should have their own account and be added to appropriate groups. I've had major issues with previous organizations who did not practice this with their admins. Things would get all f'd up for some reason, but nobody was held accountable because we all used Administrator. Who done it? I don't know...wasn't me. Now you're stuck with an incompetent bozo using the same account to log on as you are!

Hope This Helps,

Good Luck!
 
Thank you all for your input on this one. I've already decided to create a new account for our servers to log into and introduce regular password changes. Though nobody other than servers logs on using the administrator account, I think it would be best practice.

Regards

Keith
 
I would also consider implementing 2 accounts for your admins, one for day-to-day use, one for admin use. For example, if you had an admin called Fred Bloggs, have an fbloggs account for him to do his normal reading and sending e-mails, web browsing, documentation production etc. Additionally, he would also have an adm-fbloggs account for doing admin work on the servers etc.

This way, anything nasty that comes via web browsing or e-mail, or any accidental things, cannot cause too many problems, as he would have to deliberately log in as admin.



=======================================
So often times it happens that we live our lives in chains
And we never even know we have the key

Do not dare to delete my hard disk
======================================