what to do after reset domain administrator's password?

We recently reset the domain administrator's password. After that I went
through all servers and re-enter the new password for services that run on
domain administrator's credential, and all scheduled tasks that run under
domain administrator's password.
What else I need to do? Anything is missing?
thanks!

Assuming that this is security driven initiative, you migth want to also
reset the DSRM password (http://support.microsoft.com/kb/322672).
Btw. using the Domain Admin credentials to provide security context for
services introduces considerable security risk - so you might want to
consider changing this to a less-privileged account...

hth
Marcin

"tree leafs" <treeleafs@hotmail.com> wrote in message
news:eJxycdtlJHA.4912@TK2MSFTNGP04.phx.gbl...
> We recently reset the domain administrator's password. After that I went
> through all servers and re-enter the new password for services that run on
> domain administrator's credential, and all scheduled tasks that run under
> domain administrator's password.
> What else I need to do? Anything is missing?
> thanks!
>

In news:eJxycdtlJHA.4912@TK2MSFTNGP04.phx.gbl,
tree leafs <treeleafs@hotmail.com>, posted the following:
> We recently reset the domain administrator's password. After that I
> went through all servers and re-enter the new password for services
> that run on domain administrator's credential, and all scheduled
> tasks that run under domain administrator's password.
> What else I need to do? Anything is missing?
> thanks!

You may also want to check any applications running under the admin account
(that may not be set as a service), such as antivirus, 3rd party backup
utility, or anything else that may be installed on the box. One way is to
look at your Start/Programs list, as well as Add/Remove list of installed
apps, to get an inventory and how they were originally setup, that is if
they required credentials to run.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Hi
That will depend of the requirements of the apps that you're running in your
DCs.
Avoid using administrator accounts to run services, if possible, do not use
the Domain Administrator account or any other accounts with Domain/Forest
Admin privilege instead use dedicated accounts for those services with the
minimum permissions required to perform the required job. At last avoid
using the DC with additional roles that may expose the DC to security
threats.


--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"tree leafs" <treeleafs@hotmail.com> wrote in message
news:eJxycdtlJHA.4912@TK2MSFTNGP04.phx.gbl...
> We recently reset the domain administrator's password. After that I went
> through all servers and re-enter the new password for services that run on
> domain administrator's credential, and all scheduled tasks that run under
> domain administrator's password.
> What else I need to do? Anything is missing?
> thanks!
>

Hello tree,

If you found all places where the account was used, it should be fine. Check
all event viewers for new errors and warnings. And rethink your using of
service accounts. You should change them to normal domain user accounts with
some elevated rights to fullfill only the needed task.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> We recently reset the domain administrator's password. After that I
> went
> through all servers and re-enter the new password for services that
> run on
> domain administrator's credential, and all scheduled tasks that run
> under
> domain administrator's password.
> What else I need to do? Anything is missing?
> thanks!

Thanks for all the responses and advices.
For historical reason, some services running on some servers are using
domain administrator's credential. I guess that is due to the application
software was installed when logged on as domain administrator. This shall be
changed in the future as all advised.

What I found one more thing to do is checking console logon. If there is any
console logon to the server using domain administrator's credential, I have
to log it off after the password being changed. Otherwise, I got error1006
and 1030. This confused me for two days.
Cheers,
"tree leafs" <treeleafs@hotmail.com> wrote in message
news:eJxycdtlJHA.4912@TK2MSFTNGP04.phx.gbl...
> We recently reset the domain administrator's password. After that I went
> through all servers and re-enter the new password for services that run on
> domain administrator's credential, and all scheduled tasks that run under
> domain administrator's password.
> What else I need to do? Anything is missing?
> thanks!
>

-Glad to know that you're in the right track :)
-Before start changing the service accounts, make sure that you understand
exactly how the app works, call your app support team and let them know
about your modifications.
-You talk about errors after changing the service account. Well, that may be
related with additional functions (other than the service itself) that use
the current session to perform additional "work". I know that generally the
apps that are installed on the servers should not need any session to work
properly, that's one of the advantages of running apps on servers instead of
workstations, but unfortunately that doesn't happen in all apps. One more
reason to call the support team to understand the correct functionalities of
your app. Additionally you could use "filemon" and "regmon" from MS
Sysinternals to monitor the errors "Generally access denied errors" after
password change.

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"tree leafs" <treeleafs@hotmail.com> wrote in message
news:OjlGgV6lJHA.1172@TK2MSFTNGP04.phx.gbl...
> Thanks for all the responses and advices.
> For historical reason, some services running on some servers are using
> domain administrator's credential. I guess that is due to the application
> software was installed when logged on as domain administrator. This shall
> be changed in the future as all advised.
>
> What I found one more thing to do is checking console logon. If there is
> any console logon to the server using domain administrator's credential, I
> have to log it off after the password being changed. Otherwise, I got
> error1006 and 1030. This confused me for two days.
> Cheers,
> "tree leafs" <treeleafs@hotmail.com> wrote in message
> news:eJxycdtlJHA.4912@TK2MSFTNGP04.phx.gbl...
>> We recently reset the domain administrator's password. After that I went
>> through all servers and re-enter the new password for services that run
>> on domain administrator's credential, and all scheduled tasks that run
>> under domain administrator's password.
>> What else I need to do? Anything is missing?
>> thanks!
>>
>
>

-Glad to know that you're in the right track :)
-Before start changing the service accounts, make sure that you understand
exactly how the app works, call your app support team and let them know
about your modifications.
-You talk about errors after changing the service account. Well, that may be
related with additional functions (other than the service itself) that use
the current session to perform additional "work". I know that generally the
apps that are installed on the servers should not need any session to work
properly, that's one of the advantages of running apps on servers instead of
workstations, but unfortunately that doesn't happen in all apps. One more
reason to call the support team to understand the correct functionalities of
your app. Additionally you could use "filemon" and "regmon" from MS
Sysinternals to monitor the errors "Generally access denied errors" after
password change.

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"tree leafs" <treeleafs@hotmail.com> wrote in message
news:OjlGgV6lJHA.1172@TK2MSFTNGP04.phx.gbl...
> Thanks for all the responses and advices.
> For historical reason, some services running on some servers are using
> domain administrator's credential. I guess that is due to the application
> software was installed when logged on as domain administrator. This shall
> be changed in the future as all advised.
>
> What I found one more thing to do is checking console logon. If there is
> any console logon to the server using domain administrator's credential, I
> have to log it off after the password being changed. Otherwise, I got
> error1006 and 1030. This confused me for two days.
> Cheers,
> "tree leafs" <treeleafs@hotmail.com> wrote in message
> news:eJxycdtlJHA.4912@TK2MSFTNGP04.phx.gbl...
>> We recently reset the domain administrator's password. After that I went
>> through all servers and re-enter the new password for services that run
>> on domain administrator's credential, and all scheduled tasks that run
>> under domain administrator's password.
>> What else I need to do? Anything is missing?
>> thanks!
>>
>
>

yes... not using the default domain administrator account, because that's
probably too much for certain services

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

"tree leafs" <treeleafs@hotmail.com> wrote in message
news:eJxycdtlJHA.4912@TK2MSFTNGP04.phx.gbl...
> We recently reset the domain administrator's password. After that I went
> through all servers and re-enter the new password for services that run on
> domain administrator's credential, and all scheduled tasks that run under
> domain administrator's password.
> What else I need to do? Anything is missing?
> thanks!
>