Re: Changing password for Local Administrator account
- From: "MartinX" <a@xxx>
- Date: Fri, 16 Dec 2005 09:29:35 -0500
Hello:
1) On a DC, the local Administrator account is the Domain Administrator
account since all DCs share the same account database. So in essence, DCs do
not have a "local" Administer account. On member and standalone servers,
their local Administrator account is theirs only.
2) If you have services running under the DOMAIN Administrator account,
changing a local admin password on a MEMBER server should not affect the
service. But within the applications themselves you might need to update the
password, not just in the service start up settings. The System and Network
accounts are not something that you need to concern yourself with - the OS
maintains them and whatever services they run should keep on running fine
regardless if you change the local/domain admin password.
3) While you're at it, you might as well create new service accounts for the
applications that are currently using domain/local admin accounts. Basically
you create a regular domain user account, give it a complex password set to
not expire, and add it to the local administrators group of the member
server that is hosting the application. Then set the application's services
to use that account and give that account any other permissions necessary to
run the application. This is common practice. The use of the domain or local
Administrator account should be kept to an absolute minimum.
Regards,
Martin
MCSA: M
"YMan" <yyyy@xxxxxxxx> wrote in message
news:evyGmkfAGHA.2656@xxxxxxxxxxxxxxxxxxxxxxx
> Hi all,
>
> Sorry if this sounds to you a dummy question.
>
> For some reason we need to change the password of the local administrator
> account on our domain servers (DC, member server in our AD). Is there any
> potential risks in doing so? For example some of the servers are running
> apps like Exchange, SQL server etc. I saw in the services that most of the
> services are running either under SYstem account or Network services. For
> a few they are running using the domain's administrator account.
>
> Would changing the password of local administrator account affect these
> services?
>
> Thanks,
>
.
- References:
- Prev by Date: Re: Windows 2003 Licence, but no CD
- Next by Date: Re: Who's logged on
- Previous by thread: Changing password for Local Administrator account
- Next by thread: How to disable IIS error log...
- Index(es):
