Mark Minasi's Tech Forum
nikolas.e
Senior Member
Posts: 155
#1
Hi all, hope you are good.


We need to change our built-in domain administrator password in our company. The first thing I will have to verify is which services are using this account. But how can I be 100% sure that other services aren't using this account? How can I make my work easier?


Also, as a precaution, I am going to create a new user who will belong to the same groups the built-in domain administrator account belongs to. This means the new user will have the full rights of the built-in account, right? Or do I need to check anything else?


Also, when I change the password, I will need to log off and log on immediately on the servers where the built-in domain administrator account is logged on so that all the services will run correctly, right?

Any thoughts would be appreciated.



__________________
Just call me the 1000Questionsguy
cj_berlin
Senior Member
Posts: 287
#2
Quote:
Originally Posted by nikolas.e

We need to change our built-in domain administrator password in our company.

...and hopefully stop using it after that.

Quote:
Originally Posted by nikolas.e

The first thing I will have to verify is which services are using this account. But how can I be 100% sure that other services aren't using this account? How can I make my work easier?


Code:

# Needs the RSAT ActiveDirectory module; Get-ADComputer requires -Filter (or -Identity).
# Replace DOMAIN with your NetBIOS domain name. In WQL a backslash must be doubled.
# Get-ScheduledTask over a CIM session needs Server 2012 / PowerShell 4 on the target.
Import-Module ActiveDirectory
Get-ADComputer -Filter * | foreach { 
    $sess = New-CimSession -ComputerName $_.Name
    # Services whose logon account is the built-in domain Administrator
    Get-CimInstance Win32_Service -Filter "StartName='DOMAIN\\Administrator'" -CimSession $sess
    # Scheduled tasks that run as Administrator
    Get-ScheduledTask -CimSession $sess | where {$_.Principal.UserID -eq 'Administrator'}
    $sess | Remove-CimSession
}

After you identified those services and tasks, go ahead and change the account from Administrator to a dedicated service account for each service or task.


Quote:
Originally Posted by nikolas.e

Also, as a precaution, I am going to create a new user who will belong to the same groups the built-in domain administrator account belongs to. This means the new user will have the full rights of the built-in account, right?

Pretty much, but not quite.

Quote:
Originally Posted by nikolas.e

Also, when I change the password, I will need to log off and log on immediately on the servers where the built-in domain administrator account is logged on so that all the services will run correctly, right?

First, STOP USING THE BUILT-IN Administrator ACCOUNT.
Second, the services will continue running for as long as their respective logon token is valid. Default lifetime is 10 hours. That said, the interactive logon session has nothing to do with the respective service logons even if the same account is used for both.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
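The inventory cj_berlin sketches above, written out as a full audit script that is an added example and not code from the thread: it resolves the built-in Administrator by its well-known RID 500 (so a renamed account is still caught), checks both the DOMAIN\user and UPN spellings of the logon name, handles unreachable hosts, and uses WMI plus schtasks.exe so it also works from PowerShell 3 against Server 2008 targets. It assumes the RSAT ActiveDirectory module and RPC access to each server; the output file name is an arbitrary choice.

```powershell
# Added example (not from this thread): inventory services and scheduled tasks that run as the
# built-in domain Administrator. The account is resolved by its well-known RID (500) so a renamed
# Administrator is still found. Assumes the RSAT ActiveDirectory module, and WMI (RPC) plus
# schtasks.exe reachable on each server; works on PowerShell 3 against Server 2008 targets.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$admin  = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"
# StartName / "Run As User" can appear as DOMAIN\user or as a UPN, so match both spellings.
$names  = @("$($domain.NetBIOSName)\$($admin.SamAccountName)",
            "$($admin.SamAccountName)@$($domain.DNSRoot)")

$report = foreach ($c in Get-ADComputer -Filter 'OperatingSystem -like "*Server*"') {
    $target = $c.DNSHostName
    if (-not (Test-Connection -ComputerName $target -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $target; Type = 'Unreachable'; Name = ''; RunAs = '' }
        continue
    }
    try {
        # Services: Win32_Service.StartName is the logon account.
        Get-WmiObject -Class Win32_Service -ComputerName $target -ErrorAction Stop |
            Where-Object { $names -contains $_.StartName } |
            ForEach-Object { [pscustomobject]@{ Computer = $target; Type = 'Service'; Name = $_.Name; RunAs = $_.StartName } }

        # Scheduled tasks: schtasks CSV output carries a "Run As User" column.
        schtasks.exe /Query /S $target /V /FO CSV 2>$null | ConvertFrom-Csv |
            Where-Object { $names -contains $_.'Run As User' } |
            ForEach-Object { [pscustomobject]@{ Computer = $target; Type = 'Task'; Name = $_.TaskName; RunAs = $_.'Run As User' } }
    } catch {
        [pscustomobject]@{ Computer = $target; Type = 'Error'; Name = $_.Exception.Message; RunAs = '' }
    }
}

$report | Export-Csv -Path .\builtin-admin-usage.csv -NoTypeInformation
$report | Format-Table -AutoSize
```

Hosts listed as Unreachable or Error still need a manual look before the password change; the CSV is the list of services and tasks to move to dedicated accounts first.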
nikolas.e
Senior Member
Posts: 155
#3
CJ, thank you very much for your help and suggestions. I was able to track down which services are using the default domain\administrator account by running this command: Get-WMIObject Win32_Service | Select Name, StartName | sort StartName

I tried to run your command but it was showing an error, so maybe it is an older version of PowerShell? We have version 3 here on 2008 servers. Now I know why this account should not be used, not only for the problems it may cause when changing the password but also for security reasons. Sorry for the late reply, but I had to study a little about it and take some notes (I had help on that). Soon these services will be switched to another account and not the domain\admin account. I have to verify first which type of accounts these services will need to run properly.

About :

Quote:
Originally Posted by nikolas.e

Also, as a precaution, I am going to create a new user who will belong to the same groups the built-in domain administrator account belongs to. This means the new user will have the full rights of the built-in account, right?

Pretty much, but not quite.


If I right-click and copy the Administrator account in Active Directory, doesn't this mean that the user I am creating will have the same full rights as domain\administrator?

I have noticed that this new user also belongs to the same groups the default domain account belongs to. Is there a difference?



Happy note: Oh wow, first time I have run a PowerShell command. Yes, I had never used it, only seen it from here 😉. Now to upgrade the PowerShell version as well. 😉

__________________
Just call me the 1000Questionsguy
anthony
New Friend (or an Old Friend who Built a New Account)
Posts: 56
#4
To add on to this. In some rare cases you will still find odd things that may or may not work after the change. Make sure you document each instance of oddness, and how you fixed it, and that way when it comes time to change it again you know exactly what to do without breaking anything.
__________________
If Chewbacca lives on Endor - You must acquit!
Pieter
Senior Member
Posts: 215
#5
Two things to add:

1. Don't forget the Scheduled Tasks (and maybe some other scripts with integrated credentials)

2. Look at Managed Service Accounts and Group Managed Service Accounts:

https://blogs.technet.microsoft.com/askds/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting/
https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/

__________________
Pieter Demeulemeester
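Pieter's second point carried through end to end: this is an added example, not from the thread or the linked articles, showing how one service is moved off the built-in Administrator onto a group Managed Service Account so there is no password left to rotate by hand. It assumes a Server 2012 or later domain with the KDS root key already created (Add-KdsRootKey), the RSAT ActiveDirectory module on both machines, and that SERVER01, MyService and svc-myservice are placeholders.

```powershell
# Added example (not from this thread): move one service off the built-in Administrator onto a
# group Managed Service Account (gMSA). Assumes a Server 2012+ domain with a KDS root key already
# created (Add-KdsRootKey), the RSAT ActiveDirectory module on both machines, and that
# SERVER01 / MyService / svc-myservice are placeholders to replace with your own names.
Import-Module ActiveDirectory

$gmsaName   = 'svc-myservice'   # sAMAccountName will be svc-myservice$
$serverName = 'SERVER01'        # host that runs the service
$svcName    = 'MyService'       # Win32 service name (not the display name)
$domain     = Get-ADDomain

# --- Part 1: on the admin workstation. Only SERVER01 may retrieve the managed password. ---
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$($domain.DNSRoot)" `
    -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer -Identity $serverName) `
    -Enabled $true

# --- Part 2: run on SERVER01 itself as a local administrator, because the password ---
# --- retrieval is done in the context of that computer account.                     ---
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "gMSA $gmsaName cannot retrieve its password on $env:COMPUTERNAME"
}

# Repoint the service. Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl,
# StartMode, DesktopInteract, StartName, StartPassword, ...): an empty password tells the SCM
# to use the managed password. The gMSA also needs the "Log on as a service" right on this host.
$service = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
$result  = $service.Change($null, $null, $null, $null, $null, $null,
                           "$($domain.NetBIOSName)\$gmsaName`$", '')
if ($result.ReturnValue -ne 0) { throw "Change() failed with return code $($result.ReturnValue)" }

Restart-Service -Name $svcName
Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'" | Select-Object Name, StartName, State
```

After the restart, StartName should read DOMAIN\svc-myservice$ and State should be Running; a failure to start usually means the "Log on as a service" right was not granted to the gMSA.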
nikolas.e
Senior Member
Posts: 155
#6
Good morning.

Thank you Anthony and Pieter for your information. I will document and verify again on the weekend that I didn't miss anything. The job was planned to run this Thursday but we postponed it until Monday. Hopefully everything will go as planned.

__________________
Just call me the 1000Questionsguy