Re: Changing the Administrative Password(s)

From: judojim (judojim@pacbell.net)
Date: 08/15/02 

From: "judojim" <judojim@pacbell.net>
Date: Wed, 14 Aug 2002 23:24:55 GMT

Thanks for the advice folks. Here is a recap of what we have so far:

To change the administraotor password while minimizing the impact upon
the system/network:

1. Copy the adminstrator account and name the copy "Admin2,"
"ITGuru2," or "Bob2" or some such user name. This will give me two
adminstrator accounts each with it own password.

Note, that since this is a copy of the original administrator account,
this new user account will be a member of all the same groups that the
original administrator is a member of, including Backup Operators,
Domain Admins, Enterprise Admins, Exchange Domain Servers, Exchange
Services, etc.

2. Rename the administrator password to something other than
"administrator," like "Admin," "ITGuru," or "Bob." The assumption is
that this would be for some sort of security considerations.

3. Take notes about what services are installed on the server(s) that
may be dependent upon the administrator account.
So far I've documented dozens of services that could be dependent upon
the administrator account/password. Such services include, several
ArcServe (the backup program) services, a SQLbase (a database engine)
service, a slew of MS Exchange services, a couple of Terminal Service
services, and God only knows what other services that may or may not be
dependent upon some sort of administrator password.

The question this step raises, is how do I determine which service(s)
rely upon some sort of administrator password? Is there some RESKit
tool that will help in determining what account relies upon a user
account and password? There doesn't seem to be any clues in the
Properties of the individual services. Otherwise, it looks like this
part of the process is guessing game.

4. Test the new account and the renamed adminstrator account during the
weekend or off hours to minimize impact and allow time for recovery
should something break.

Any other considerations out there about changing the administrator
password? Is it going to be this easy?

"karl [x y]" <jamescagney90210@excite.com> wrote in message
news:OjEyPa5PCHA.2520@tkmsftngp11...
> I agree... additionally, if you're using the Windows 2000 or newer
MMC, you
> can sort the services in your GUI by account used, so you don't miss
> anything.
>
> I second that a separate login ID should be used for services...
shared IDs
> have the disadvantage of losing accountability, e.g. you don't know
who did
> what with a certain account... also, since the administrator's actions
will
> be mixed in with multiple services' actions in the windows event
viewer, you
> wouldn't be able to audit what is normal behavior for a certain
service, and
> if a service is compromised, it would be tricky to determine what was
done
> or which service was compromised. I would also think it would be
easier to
> make all the services stop working if you ever attempted to make a
change to
> the account.
>
> "Dazza" <techspec@hotkey.net.au.nospam> wrote in message
> news:#af#R7zPCHA.2488@tkmsftngp10...
> > simply scroll thru services in computer management looking for
services
> that
> > require the admininstartor account to start the service
> > MS Exchange has several that require a 'service account' to start
them
> > document these services so changing the password become easier later
,
> also
> > for added security rename the administrator username to admin ,
itguru ,
> or
> > even bob
> >
> > Dazza
> >
> > "judojim" <judojim@hotmail.com> wrote in message
> > news:bVC49.2732$B24.78549350@newssvr21.news.prodigy.com...
> > > I need to change the admin password, but I have heard that strange
> things
> > > can happen whenever one simply changes this password without due
> > diligence.
> > >
> > > Since the admin account has been used for anything and everything
in
> this
> > > small office, including Exchange, Terminal Services, etc., I have
some
> > > reservations as to the ramifications of blindly rushing into this
task.
> > >
> > > Anyone have any strange stories to tell or caveats to share about
> changing
> > > the administrator password for a single Windows 2000 domain.
> > >
> > > Thanks for helping.
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: Keep admins off of client machines
    ... the sharepoint admin is simple, just create a standard user account for them ... The 'Domain Administrator' account is ... Domain Administrator password. ... takes a thorough understanding of such priveleges to do so. ...
    (microsoft.public.windows.server.sbs)
  • Re: firewall on budget ?
    ... 1)Work in Admin mode, and through 'run as', browse ... If working in admin mode and doing runas to browse in a guest account. ... Installing a program, getting an error, then doing the run as, can be ... running as administrator all the time. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: XP (SP2) user passwords
    ... Safe Mode requires an administrator to log on the machine. ... I always suggest checking who has Admin accounts, ... administrator account, which normally does not appear, and in SP2, I don't ...
    (microsoft.public.windows.mediacenter)
  • Re: Could this be an XP problem?
    ... >> This means you have admin access under jlunis login. ... This is one way to get in as admin in XP home. ... >> tab) then type in administrator as username and blank password. ... administrator account. ...
    (microsoft.public.windowsxp.general)
  • Re: Keep admins off of client machines
    ... The 'Domain Administrator' account is ... > administration person from the domain admin account is complex and fraught ... > change the Domain Administrator password. ... > it takes a thorough understanding of such priveleges to do so. ...
    (microsoft.public.windows.server.sbs)