Reset Domain Administrator password for Windows Server 2003

    Question

  • Hello

    I have a Windows Server 2003 DC1, DC2, and EX1. I need to change the Domain Administrator password, but when I do it through Active Directory it doesn't change it on the services and programs that use that account to run. Now the account is always locking itself out. How do I change this password without having to go through all the services and programs and manually change them?

     

    Saturday, May 29, 2010 5:49 AM

Answers

  • Hello,

    What you see is normal: just changing the administrator password will NOT change it on the services/applications etc. where the account/password is set. This has to be done manually.

    With the new Windows Server 2008 R2 you have the ability to use the "managed service accounts" to avoid this:

    http://technet.microsoft.com/en-us/library/dd367859(WS.10).aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Sunday, May 30, 2010 11:28 AM

All replies

  • Do you mean to say that whenever you change the administrator's password, it's not reflected in the services which use the administrator password for service logons? And also the account locks itself?

    This is a clear indication of virus activity called Conficker. I have seen a customer of mine having the same problem on a cluster server, where the services used to stop by themselves, and upon restarting the services they were not authenticating against the administrator's account. After checking the server I found there was a Conficker virus.

     

     


    http://www.virmansec.com/blogs/skhairuddin
    Saturday, May 29, 2010 6:36 AM
  • If you are running services under Domain Admins, you need to go to the properties of the service and, from the Log On tab, re-enter the new password.

    Btw, it is not a good practice to run services under domain admin account. 


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
    Saturday, May 29, 2010 3:27 PM
  • Hello Duckster,

    The real issue that is at hand is that you are running services using the domain admin account.  The best approach is to create one or more dedicated accounts for these services.  The reason is that even if you change the password for the domain admin and go through all of your services and update the password, what is the plan for the next time you have to do it again?

    Clearly this is very costly in terms of management of this account.  I would recommend that you have a dedicated service account for each service.  This way one account locking out will not affect more than one service. 

    If those service accounts do not regularly change their passwords, which most people do not do, my recommendation is to use a very long and complex password to ensure that compromising the service account is unlikely due to a weak password.


    Visit: anITKB.com, an IT Knowledge Base.
    Sunday, May 30, 2010 2:57 AM
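
An inventory of which services log on with the account is the first step both for re-entering the password on each Log On tab and for moving services to dedicated accounts. The script below is an added example, not part of the original thread; it assumes Windows PowerShell with `Get-WmiObject`, WMI access to the servers named in the question, and uses `DOMAIN\Administrator` as a placeholder account name. It covers Windows services only, not scheduled tasks or application-level stored credentials.

```powershell
# Added example: list services that log on with a named (non-built-in) account.
# Assumptions: run from Windows PowerShell by an account with WMI rights on
# each server; DOMAIN\Administrator is a placeholder, not a value from the thread.
param(
    [string[]]$ComputerName = @('DC1', 'DC2', 'EX1'),
    [string]$Account = 'DOMAIN\Administrator'
)

# Built-in identities have no stored password, so they are skipped.
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

# Reduce DOMAIN\user, .\user or user@domain to the bare user name.
function Get-LogonUser([string]$StartName) {
    if ($StartName -match '^[^\\]+\\(.+)$') { return $Matches[1] }
    if ($StartName -match '^([^@]+)@')      { return $Matches[1] }
    return $StartName
}

$target = Get-LogonUser $Account

$results = foreach ($computer in $ComputerName) {
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $computer -ErrorAction Stop |
            Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
            Select-Object @{ n = 'Computer'; e = { $computer } },
                          Name, DisplayName, StartName, StartMode, State,
                          # Matches on user name only, so a local account with the
                          # same name is also flagged; check StartName to tell them apart.
                          @{ n = 'UsesTarget'; e = { (Get-LogonUser $_.StartName) -ieq $target } }
    }
    catch {
        # An unreachable server is reported, not silently skipped.
        Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
    }
}

# Services using the target account first, then every other password-bearing logon.
$results | Sort-Object UsesTarget -Descending | Format-Table -AutoSize
```

Rows with `UsesTarget` set to `True` are the services whose stored password must be updated; the remaining rows show other accounts whose passwords are stored in service configuration.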
  • It's a domain administrator account, but it's the one we use for the servers only and for adding new workstations to the LAN. It's not really THE domain admin account. I just wasn't sure if there was a way to get around having to go through all the services and programs and change them manually. But thanks to everyone that replied, I appreciate the assistance.

    Tuesday, June 08, 2010 2:01 AM