Chris Hagon (Guest)
Posted: Thu Feb 03, 2005 5:43 pm
Post subject: Admin password change

Hi guys
We have 3x servs in our company. 1x memb server (Exchange2003, Win2003), 2x
DCs, (1x Win2k, 1x Win2003).
Exchange, Veritas use service accounts for their business. I want to change
our Administrator acc password.
What are the ramifications and if worst came to the worst can I change it
back again? Will any services using this acc dynamically pick up on this
change and will I need to do a reboot on the servers?
Your help as always is much appreciated!
-------
Tech Admin
West Midlands, England
Stressed and Tired!
-------- |
 |
Miha Pihler [MVP] (Guest)
Posted: Thu Feb 03, 2005 6:40 pm
Post subject: Re: Admin password change

Hi Chris,
You will have to manually update the password for the services that run
under administrator account (account that you will change the password for).
It will not automatically pick up the password, but there should not be any
need for reboot of the server. If you miss a service and don't change the
password on it, service will fail to start.
Note: it is not considered best practice to use domain administrator
account. I am pretty sure that backup could run with less privileged
account -- but it might take some work for granting new account all
necessary privileges.
The problem with using domain accounts (especially domain administrator
account) for running services is storage of the password -- it is stored as
clear text in registry on the remote server (it is not stored in clear text
in active directory).
--
Mike
Microsoft MVP - Windows Security
 |
Chris Hagon (Guest)
Posted: Thu Feb 03, 2005 6:49 pm
Post subject: Re: Admin password change

Hi Mike
Thanks for the info. Our Domain Admin acc is only used by myself when I
require the elevated privileges that it gives. Our applications (exchange,
backup) use specific service accounts. I guess it is just a case of being
thorough and checking all other services.
Thanks for your help
 |
Paul Adare (Guest)
Posted: Thu Feb 03, 2005 6:58 pm
Post subject: Re: Admin password change

In article <E3138E1A-295D-4C8A-880F-DDDEEFAA264B@microsoft.com>, in the
microsoft.public.windows.server.security news group, Chris Hagon
<ChrisHagon@discussions.microsoft.com> says...
| Quote: | We have 3x servs in our company. 1x memb server (Exchange2003, Win2003), 2x
DCs, (1x Win2k, 1x Win2003).
Exchange, Veritas use service accounts for their business. I want to change
our Administrator acc password.
What are the ramifications and if worst came to the worst can I change it
back again? Will any services using this acc dynamically pick up on this
change
|
No, they won't, and you should never, ever be using the local
administrator account as a service account. That opens a huge security
hole. Any time you change a service account password, you'll need to
change the password on the Logon As tab of the service.
| Quote: | and will I need to do a reboot on the servers?
|
Shouldn't need to, though depending on the service, a service restart
may be required.
--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871) |
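
An added example, not part of any poster's reply: one way to do the "checking all other services" step before the password change is to list every service whose Log On As account is the one being changed, so none is missed and left unable to start. The function names and the server names in the usage comment are hypothetical, and it assumes a management host with PowerShell 3.0 or later that can reach the servers over WinRM (older servers may need `Get-WmiObject` instead).

```powershell
# Added example: inventory services that log on as a given account.

# Compare a service's StartName with a bare account name, ignoring the
# 'DOMAIN\', '.\' or '@domain' decoration Windows may store with it.
function Test-LogonAccountMatch {
    param([string] $StartName, [string] $AccountName)
    if ([string]::IsNullOrEmpty($StartName)) { return $false }
    $bare = ($StartName -split '\\')[-1]   # drop 'DOMAIN\' or '.\'
    $bare = ($bare -split '@')[0]          # drop '@domain' (UPN form)
    return $bare -ieq $AccountName         # case-insensitive compare
}

function Find-ServiceByLogonAccount {
    param(
        [Parameter(Mandatory)] [string]   $AccountName,
        [Parameter(Mandatory)] [string[]] $ComputerName
    )
    foreach ($computer in $ComputerName) {
        try {
            $services = Get-CimInstance -ClassName Win32_Service `
                -ComputerName $computer -ErrorAction Stop
        } catch {
            # An unreachable server is reported, not silently skipped:
            # it may still hold a service that needs the new password.
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
            continue
        }
        $services |
            Where-Object { Test-LogonAccountMatch $_.StartName $AccountName } |
            Select-Object @{ n = 'Computer'; e = { $computer } },
                          Name, DisplayName, StartName, StartMode, State
    }
}

# Constructed StartName values showing which forms match 'Administrator'.
$samples = 'CORP\Administrator', '.\administrator', 'Administrator@corp.example',
           'LocalSystem', 'NT AUTHORITY\NetworkService', 'CORP\svc-backup'
foreach ($s in $samples) {
    '{0,-30} {1}' -f $s, (Test-LogonAccountMatch $s 'Administrator')
}

# Live use against hypothetical server names:
# Find-ServiceByLogonAccount -AccountName 'Administrator' `
#     -ComputerName 'EXCH01', 'DC01', 'DC02' | Format-Table -AutoSize
```

Every row returned is a service whose Log On As password has to be re-entered after the change; an empty result for all servers means no service depends on the account.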
 |
Chris Hagon (Guest)
Posted: Thu Feb 03, 2005 7:15 pm
Post subject: Re: Admin password change

Thanks Paul. I would point out that I have inherited this network as of two
months ago and so it is not configured the way I would usually, i.e. following
MS best practices etc.