How to change domain administrator password

    Question

  • We have a domain

    Domain Controller: Win 2008 R2 Ent

    Additional DC: Win 2003 R2 Std

    Exchange server: Win 2003 R2 Std

    Can you please give me the steps to change the domain administrator password?

    Will it make any impact on any other service like Exchange?

    Saturday, October 08, 2011 12:00 PM

Answers

  • In every domain there is a domain admin group which has unrestricted privilege over the domain, so it really depends on how many domain admin member accounts you have, which domain admin account password you want to change, and how that domain admin is being used for other purposes, like configuring a service account or anything else. If you don't use the domain admin account for anything other than login, you can simply reset it from ADUC.

    To measure the impact, you need to verify where this domain admin account has been used and whether any service is configured using this domain admin account. The links below might help you.

    Finding Services Using non-System Accounts With PowerShell

    http://theessentialexchange.com/blogs/michael/archive/2008/02/29/finding-services-using-non-system-accounts-with-powershell.aspx 

    http://blogs.technet.com/b/heyscriptingguy/archive/2011/04/07/the-2011-scripting-games-beginner-event-4-use-powershell-to-find-accounts-used-by-services.aspx

    Changing the domain admin password is simple: log in with any other domain admin member account, connect to ADUC, right-click the domain admin user and select the password reset.

    Regards


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Saturday, October 08, 2011 2:54 PM
    Moderator
  • Changing the password is simple: just log on as the admin, or using ADUC you can reset it. The bigger issue is finding out the impact on your enterprise if you change it. So if you have a script that uses the admin account and you reset the password, you will break the script, or if a service is using it, it will quit working. So diligence will be required from you before making this change to ensure that this account isn't currently in use. I believe there are scripts out there that will read through the domain looking for the admin account, and you could also read the event logs (via EventCombMT.exe, a freeware tool from Microsoft).
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

    Go slow and be thorough.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, October 10, 2011 12:20 PM
    Moderator
  • Hello,

    to change the domain admin password, use dsa.msc, right-click on the domain admin account and click on reset password.

    There is no impact on applications / services if none of them is using this account with the old password to run.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Saturday, October 08, 2011 12:06 PM
  • Hi,

    You should be a member of the domain administrators or builtin admins group if you want to change the pwd.

    You can find a similar discussion here: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/27b2aa85-5e64-44f1-a9f3-cfba4b394640/

    You need to check if any services are configured to run with the domain administrator account; they may fail due to this pwd change.


    Regards, Mohan R Sr. Administrator - Server Support
    Saturday, October 08, 2011 12:06 PM
  • Hi,

    The domain administrator password change process is pretty straightforward: Open AD DS > Navigate to domain admin account > right click > reset password.

    First thing to do is determine what services are using the domain Administrator account, as these will need to be updated as well.

    The Domain controllers do not have local accounts, so when you change the admin password on the DC it will apply to all other DC.

    Once you are done with password change reboot the DC, then ADC's if any, then Member Servers.

    No impact on Exchange server; just go through the System Event Logs for each server checking for failed services.

    As you perform each step - DOCUMENT EVERYTHING. When you are done, you'll have all the info you'll need to write up an admin password change guide/checklist.

    Regards,
    Abhijit Waikar.
    -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA 
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Saturday, October 08, 2011 3:06 PM
  • Hi,

    As others said, you need to detect all the services that are using this domain admin account first. For previous discussion, please refer to the following link:

    Domain Administrator Password Change Question

    http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/4574486e-114a-4e6e-8ee1-3471dfea6e5f

    Normally, a service's user account should not be a member of any administrators groups, that is local, domain, or enterprise. If your service needs local administrative privileges, run under the LocalSystem account. For more information, please check the following link:

    Guidelines for Selecting a Service Logon Account

    http://msdn.microsoft.com/en-us/library/ms676916(v=VS.85).aspx

    For Exchange specific issues, please submit a new thread via the following link:

    http://social.technet.microsoft.com/Forums/en-us/category/exchangeserver

    Best Regards,

    Nina

    Forum Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, October 10, 2011 9:11 AM
    Moderator
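
Several of the answers above say to find every service that logs on with the domain admin account before resetting its password. One way to take that inventory, as an added example that is not code from this thread or from the linked posts: it assumes Windows PowerShell 2.0 to 5.1 with WMI reachable on each server, and the function name, CONTOSO, contoso.local and the server names are placeholders.

```powershell
# Added example: list services that log on as a given domain account.
# Uses Get-WmiObject, available in Windows PowerShell 2.0-5.1, which fits the
# 2008 R2 / 2003 R2 hosts in the question. All names below are placeholders.

function Find-ServiceLogonAccount {
    param(
        [string[]]$ComputerName,   # servers to inspect
        [string]$Domain,           # NetBIOS domain name, e.g. CONTOSO
        [string]$DnsDomain,        # DNS domain name, e.g. contoso.local
        [string]$Account           # account name, e.g. Administrator
    )
    # Win32_Service.StartName holds either DOMAIN\user or user@dns.domain.
    $wanted = @("${Domain}\${Account}", "${Account}@${DnsDomain}")

    foreach ($computer in $ComputerName) {
        try {
            $services = Get-WmiObject -Class Win32_Service -ComputerName $computer -ErrorAction Stop
        }
        catch {
            # An unreachable server is "unknown", not "clean": report it so it
            # is checked by hand before the password is changed.
            New-Object PSObject -Property @{
                Computer = $computer; Service = $null; StartName = $null
                State = $null; Status = "NOT CHECKED: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($svc in $services) {
            # -contains compares case-insensitively, like account names.
            if ($wanted -contains $svc.StartName) {
                New-Object PSObject -Property @{
                    Computer = $computer; Service = $svc.Name; StartName = $svc.StartName
                    State = $svc.State; Status = 'USES ACCOUNT'
                }
            }
        }
    }
}

# Placeholder server list; replace with the DCs and member servers in the domain.
$servers = 'DC01', 'DC02', 'EXCH01'
Find-ServiceLogonAccount -ComputerName $servers -Domain 'CONTOSO' -DnsDomain 'contoso.local' -Account 'Administrator' |
    Sort-Object Computer, Service |
    Format-Table Computer, Service, StartName, State, Status -AutoSize
```

Rows marked NOT CHECKED are servers the query could not reach; this covers services only, so scripts that embed the password still have to be found separately.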

All replies

  • Two ways to change Windows Server 2008 domain password will show you below

    http://www.lostwindowspassword.com/change-windows-2008-domain-password.html

    Sunday, October 09, 2011 6:20 AM
  • Hi,

     

    Any update on this issue? If there is anything that I can do for you, please feel free to let me know.

     

    Thanks.

    Nina


    Thursday, October 13, 2011 9:41 AM
    Moderator

  • To change the domain administrator password you can log in to the DC and open AD Users and Computers. On the domain name, right-click --> Find the administration ID and reset the password.

    You can also log in to the DC or a domain member server/PC with the administration login and press Ctrl+Alt+Del. You can click on the change password tab and change the password.

    If you want to change the password of the DSRM mode administrator ID, refer to the link below for the same.
    http://support.microsoft.com/kb/322672


    Is it make any impact on any other service like exchange???

    ANS. Changing the domain admin password will not impact Exchange. It may impact applications or other services where the password has been stored; you need to change the same if you change the admin password.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, February 10, 2012 6:20 AM