Re: passwords Service accounts and services



"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
news:uvWwDaSwGHA.1808@xxxxxxxxxxxxxxxxxxxxxxx
Yes, it would be wise to restart the service once you change the password
on the service. You should be able to do this using

sc

command from command line... For more information check out

sc /?

options.

Note: I hope these service accounts do not have excessive permissions in
domain (e.g. domain administrator permissions). :-)

Yeah, working on that one too . . . the difficulty is that applying the
least privilege principle to service accounts adds a layer or two of
complexity to the entire system and may have unforseen consequences down the
line. Especially when something goes wrong. If you or anyone have a nifty
way (other than simple trial and error) to determine the least amount of
privileges a service needs to run under, I'd be really interested to know.

-P

--
Mike
Microsoft MVP - Windows Security

"TwistedPair" <twistedpair@xxxxxxxx> wrote in message
news:OWr2nwLwGHA.1512@xxxxxxxxxxxxxxxxxxxxxxx
Group,
I need to change a bunch 'o service accounts' passwords, then go to every
service that uses these accounts, and configure their passwords
appropriately. To do this I whipped up a little script that visits every
server in AD and checks the list of services on it. For each account
that I need to change I can tell the script to change that service's
password, however, here's my question . . . I will need to stop and start
that service at that point won't I? My feeling is that it will continue
to run under the old security context (old username and password) and
will eventually lock out the account that it relies upon. Hopefully I am
incorrect, or else, there is some nifty work-around. Any ideas?

Thanks!
Pair





.

Relevant Pages

  • RE: Using ADMT to migrate service accounts on workstations
    ... Oh, yes, I agree with you that the script would better in your scenario. ... >The problem is that service account migration wizard would need every ... >> The root reason ADMT must generate a complex password instead of copying ... >> passwords for service accounts is that ADMT needs to know what the ...
    (microsoft.public.windows.server.migration)
  • Re: password change
    ... >> Is there a way to script out the changing of passwords at the command line. ... > apt-get install expect ...
    (Debian-User)
  • Re: local admin pwd change needed
    ... It will work on any LOCAL machine account and I need to correct myself as the command ... >> machine policy and you can use different script per OU GPO. ... If you need to use different passwords for each ...
    (microsoft.public.win2000.group_policy)
  • Re: Cluster services with expiring passwords
    ... The corporate auditing requires that service accounts have their passwords ... I have a two-node SQL Server clustering and I'm looking for a way to ... check "Password never expire" on the account properties. ...
    (microsoft.public.windows.server.clustering)
  • Service accounts with password expiration
    ... If I modify passwords for clustering service accounts, ... keep running with no disruption? ...
    (microsoft.public.security)
Quantcast