
How to change Domain Admin password?

Status
Not open for further replies.

Gardener1

IS-IT--Management
Apr 21, 2009
54
US
Have any of you out there changed the domain admin password? My boss has asked me to prepare to change the domain admin password.

What is the procedure?

What should I look out for?

Do you have any suggestions or comments?

Does anyone know of any good websites that pertain to this?

Thanks in advance,
 
Are you serious?

OK.

Open up Active Directory Users and Computers.

Browse to the Users container.

Right click on Administrator.

Choose Reset Password.

Enter your new password.

Click OK.



Now to the pitfalls. If you have used the Administrator account to start any services, those services will obviously fail to start because of the changed password. Those same services will also fail sometime after changing the password because the Kerberos token won't be able to verify the password, so strange things will start happening.


As for the rest of your post, if I were you I would perhaps start looking into a basic Windows administration course. This really isn't rocket science, and I would honestly expect any person working on my network to be able to carry out the basics, especially someone charged with having access to Domain Admin functionality (after all, if you don't know how to change a password, what else could you get up to by mistake?).


Simon

The real world is not about exam scores, it's about ability.

 
Simon, obviously you have never done this before, because you are asking me to change the admin password before finding all the services the admin account is tied to.

Your post should have been to first check all the services, then change the password :)

I know how to change the admin password; it's all the fallout I am looking to avoid. Thank you, I will check the services. Do you have any other pitfalls that might happen when I change the password?
 
I'm sorry, I thought others had enough experience to know what I was asking for; however, I will be more specific in my next post.

Thank you,
 
If your AD is configured correctly then changing the Admin password shouldn't cause you any headaches. If, however, you haven't made service accounts, then of course you're looking at potential issues because of that.

You have to understand that I can only answer a question as it's asked. Your question didn't go into more depth; in the future hopefully you will help by asking more in-depth questions rather than what initially appear to be quite straightforward ones.

Only you really have any idea how your AD is configured. Do you run with dedicated service accounts? Is your Admin account tied into other applications at all (AV updates, web proxy, Exchange, SQL, etc.)? You need to check every potential service and application to see what it's tied to.

Simon

The real world is not about exam scores, it's about ability.

 
A couple of other things to check are scheduled tasks configured to run with the admin account. Also, the Backup Exec password would have to be changed in the interface if you let it use the admin account when it was installed, if you're using Backup Exec, that is.

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
Don't forget about VMware Server. Those VMs usually run as a specific user (maybe domain admin).


Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 
I am creating another account that has the same rights as the administrator account. I will change all the services to the new account, then disable the administrator account and see what the fallout will be.

Do any of you out there see any problem with this?

Thanks,
 
Do not disable your administrator account. Just change the password when you're sure nothing is still using it.

Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 
But if I change the password, the things that I am not sure of will not work any longer, and I hoped that by creating a new account I can always re-enable the admin account. What do you think? If I change the password on the admin account it will be too late: all the things that stop working will stay that way until we fix them. The way I am doing it, we can make note of what is broken, then re-enable the admin account until we fix the problems.
 
Hi,

I'll try to give my contribution to this post.

*) About services and tasks: you should always run these with special administrator accounts, such as ClusterSrvcAdmin, with no password expiry and no possibility of changing the password: accounts that never do an interactive login at computers and servers (except for testing).

Consider the situation: you (domain admin) log in at a client PC for maintenance, do your things, log out, and leave the chair. Afterwards, the user sits down and presses Ctrl-Alt-Del...
What does he normally do? He enters his password: wrong. What does he do, thinking he has mistyped? He pays more attention, spells out the characters and presses Enter: wrong. The story continues...

He does not notice that Windows continued to propose "Administrator" as the username:
your domain admin account will be disabled,
and its services and tasks will fail.

*) Another trick is to rename Administrator from the beginning:
this way the SID remains the original, and all registry keys created at setup are still valid. A virus or a hacker knows "Administrator", not its SID, nor "Joe", the new admin name.

Bye,
vic
 
victorv

Very good point. Because of this new info I am now going to create an OU, put the new admin account in the OU, and then change the GPO lockout to 20 attempts. What do you think?

The reason I want to have the admin account available is that if things go wrong I will always be able to re-enable that account until the problems are fixed.

The goal here is to change the password every 3 months for the new account we are using for our admin log-on.
 
1) Administrator account does not get disabled from multiple logins
2) Implementing decent security policies should mean that username is not already entered in login dialog

>A virus or an hacker, knows "Administrator", no its SID,

Actually, no. The Administrator (both local and domain) SID is a well-known SID, so decent viruses and hackers can pretty easily determine the built-in Admin accounts (and Admin groups), even if they are renamed.
 
strongm

You're right. If you look at the SID for the administrator account, it ends with -500, so I guess any hacker would just have to look for the SID that ends in -500 and he would know it's the admin's account.

Thanks,
 
Indeed - although it is easier than that, since the Domain Admin SID (and I'm not giving away anything here that is not already in the public domain) is actually

S-1-5-domainsid-500

So we don't even need to look for the admin SID, we can reconstruct it simply by looking up the domain sid and inserting it into the template.
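
The checks suggested earlier in this thread (services and scheduled tasks that still run as the domain Administrator) can be scripted before the password is changed, and the S-1-5-domainsid-500 template above lets the script find the account even after a rename. This is an added example, not code from any poster; the `$Servers` parameter and all variable names are assumptions, and remote hosts are assumed to have WinRM enabled.

```powershell
# Added example (not from the thread). $Servers is a placeholder: list your own hosts.
param([string[]]$Servers = @($env:COMPUTERNAME))

# Build S-1-5-<domain SID>-500 from the current logon's domain SID and translate
# it to the account's present name, so a renamed Administrator is still found.
# Assumes the script is run from a domain account logon.
$domainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid
$adminSid  = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::AccountAdministratorSid, $domainSid)
$adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value  # DOMAIN\name
$domain, $sam = $adminName -split '\\', 2

# Match DOMAIN\name, name@domain, the raw SID, or the bare name. A bare name may
# be a member server's local account, so treat those hits as "review manually".
$pattern = '^((' + [regex]::Escape($domain) + '\\)?' + [regex]::Escape($sam) +
           '(@.+)?|' + [regex]::Escape($adminSid.Value) + ')$'

$findings = foreach ($server in $Servers) {
    # The local host is queried directly; remote hosts go through a CIM session.
    $cim = @{}
    if ($server -ne $env:COMPUTERNAME) { $cim.CimSession = New-CimSession -ComputerName $server }

    Get-CimInstance -ClassName Win32_Service @cim |
        Where-Object { $_.StartName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Server = $server; Type = 'Service'
                               Name = $_.Name; RunAs = $_.StartName }
        }

    Get-ScheduledTask @cim |
        Where-Object { $_.Principal.UserId -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Server = $server; Type = 'ScheduledTask'
                               Name = $_.TaskPath + $_.TaskName; RunAs = $_.Principal.UserId }
        }

    if ($cim.CimSession) { Remove-CimSession $cim.CimSession }
}

$findings | Sort-Object Server, Type, Name | Format-Table -AutoSize
```

Credentials stored inside applications, such as the Backup Exec interface mentioned above, are not visible to this check and still have to be reviewed in each product.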
 
strongm

What do you think: if I copy the administrator user account to create a new administrator account, will that create a SID that will not lock out the newly copied account?

The problem that I am having is that if I create a new user with all the group memberships of the administrator account, that user will be locked out after three failed logon attempts.
 