
Changing Admin Password


tls9923

Technical User
Aug 7, 2002
155
US
I have a user that is moving in the company that does not need to know the Admin password any more. What kind of problems will I create with Exchange if I change the Admin password? I know with 5.5 it was a problem unless you installed with a different userID. I did not install Exchange on this system, so I do not know what user they used for the install.

Thanks
 
Ideally, the best way to deal with this type of problem (people who leave or are asked to leave with a high level of privilege) is by creating 2 separate accounts. They should both have admin rights; the first is for day-to-day admin work, but the second is used solely as a service account to run the applications (like Exchange). Having 2 separate accounts allows for the easy change of password when an employee leaves. It also allows for regular password changes, which is a good security practice.

One thing you will really have to make sure of is "which services on the Exchange box (and any other box on your network) are using this Admin account to run?" Make sure when you change the admin password you then re-authenticate these services also. If you don't, errors on startup will occur.

I had this scenario of a password change around 6 months ago on an NT4.0/Exchange 5.5 domain. Now I have the 2 accounts described above on my Windows/Exchange 2k domain in anticipation of this problem.
Good luck.
 
Exchange 2000 runs under the localsystem security context for this very reason. This supposedly means that admin account password changes don't affect the system - although there are more things than just Exchange services that can use a stored password... see the 5.5 procedure below for how to handle these in general.

For 5.5, the simple process is as follows:
1) determine the new password.
2) identify all services running under the admin account in question. Also ensure that no scheduled tasks, stored scripts, event sinks, or COM components are using it.
3) temporarily turn OFF account locking.
4) change all stored passwords on all services/tasks. I recommend cut-and-paste here ;-)
5) change the password, and WAIT FOR REPLICATION if there is any. This can get sticky - force it if you have to.
6) once the server has replicated changes, restart all affected servers/services/tasks.
7) turn acct locking back on after you're comfortable that everything's working, and keep an eye on the admin account. If the acct gets locked out immediately or periodically, you missed something.

Because of the inherent problems posed by replication, I strongly recommend that you plan to use not just a separate service account, but a separate service account PER SITE (and per app) for all services/tasks/COM components, etc. Just my 2 cents.
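
Step 2 of the procedure above (finding every place the account is used before its password changes), as an added example that is not part of any post in this thread. It assumes a current Windows system with the CIM and ScheduledTasks cmdlets, which postdate the Exchange 5.5/2000 servers discussed here; the account and host names are placeholders. It covers services and scheduled tasks only, not stored scripts, event sinks or COM components.

```powershell
# Added example: inventory where an account is used as a logon identity.
# Account and computer names are placeholders (assumptions), not from the thread.
param(
    [string]   $Account   = 'EXAMPLE\Administrator',
    [string[]] $Computers = @($env:COMPUTERNAME)
)

# Compare bare user names so 'DOMAIN\user', 'user@domain' and '.\user' all match.
# This deliberately over-reports (same name in another domain) rather than miss a use.
function Test-AccountMatch {
    param([string] $Candidate, [string] $Wanted)
    if ([string]::IsNullOrEmpty($Candidate)) { return $false }
    $short = { param($n) (($n -split '\\')[-1] -split '@')[0] }
    return (& $short $Candidate) -ieq (& $short $Wanted)
}

$findings = foreach ($computer in $Computers) {
    try {
        # A local session avoids needing WinRM when checking this machine.
        $session = if ($computer -ieq $env:COMPUTERNAME) { New-CimSession -ErrorAction Stop }
                   else { New-CimSession -ComputerName $computer -ErrorAction Stop }
    } catch {
        Write-Warning "Cannot query ${computer}: $($_.Exception.Message)"
        continue
    }
    try {
        # Services: Win32_Service.StartName holds the "Log On As" identity.
        Get-CimInstance -CimSession $session -ClassName Win32_Service |
            Where-Object { Test-AccountMatch $_.StartName $Account } |
            ForEach-Object {
                [pscustomobject]@{ Computer = $computer; Kind = 'Service'
                                   Name = $_.Name; RunsAs = $_.StartName; State = $_.State }
            }
        # Scheduled tasks: Principal.UserId is the account the task runs as.
        Get-ScheduledTask -CimSession $session |
            Where-Object { Test-AccountMatch $_.Principal.UserId $Account } |
            ForEach-Object {
                [pscustomobject]@{ Computer = $computer; Kind = 'ScheduledTask'
                                   Name = "$($_.TaskPath)$($_.TaskName)"
                                   RunsAs = $_.Principal.UserId; State = $_.State }
            }
    } finally {
        Remove-CimSession $session
    }
}

$findings | Sort-Object Computer, Kind, Name | Format-Table -AutoSize
```

Every row returned is a stored credential that has to be updated in step 4; an empty result for a host only means no service or task there uses the account.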

 
But on my side I have a similar problem....
To take a backup of my Exchange 2000 with Veritas NetBackup, it says... change Exchange services to start with a domain admin account....
But when I change the services to start with another user, they don't want to restart.
How can I change the "log on as" to start with another account than localsystem....
 