In practice it isn't so bad:
- Get Service Credentials Manager from http://www.cjwdev.co.uk/Software/ServiceCredMan/Info.html - a very handy tool that trawls the network and collects the details of all services and scheduled tasks, along with their login account details
- Run the above - if your network is small the free version of the tool is sufficient. Larger networks would benefit from the ability to export the output to Excel, so the paid version is a better option. What comes out of this will help you plan the change - if nothing or little runs as the domain administrator then the process is generally quick and smooth.
- In Active Directory Users and Computers, right click on the administrator account and click on Rename - enter the new name. If you are logged in as this user, log out and back in (though you should be using individual admin accounts that are separate from your day-to-day logins).
- Again in ADUC right click on the administrator account and select Reset Password. At this point the change is done.
- Wait for AD to propagate the change to other DCs (if you have any), or force it with 'repadmin /syncall <other DC name> /Adep'
- Now go to any system with services or scheduled tasks that run as the administrator account. Ideally, create new accounts for these (local ones if possible, or domain ones with no or restricted logon rights) and use one account per service 'group' (so one for the Veeam services, for example). Restart said services and make sure things all still work.
- Also look out for applications which cache credentials in their config. Backup Exec, for example, or Veeam ONE - again, these shouldn't be the domain administrator account, but if they are they will need updating (or ideally replacing with dedicated accounts).
net localgroup Administrators /add DOMAIN\USERNAME
Also a lot quicker than doing it via the GUI on the non-DC systems.
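
The inventory from the first two steps can also be taken with built-in PowerShell. This is an added example, not part of the original post or of the tool mentioned above. It assumes the RSAT ActiveDirectory module, CIM/WinRM access to the targets (Windows 8 / Server 2012 or later for the scheduled task query), and a placeholder account pattern and output file name that you should adjust.

```powershell
# Added example: list services and scheduled tasks that run as a given account.
# Assumptions: RSAT ActiveDirectory module installed, WinRM/CIM reachable on targets.
Import-Module ActiveDirectory

# Placeholder pattern: matches DOMAIN\administrator, administrator@domain and
# .\administrator (so local Administrator accounts are reported too).
$AccountPattern = '(^|\\)administrator(@|$)'

$computers = Get-ADComputer -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty DNSHostName |
    Where-Object { $_ }

$results = foreach ($computer in $computers) {
    try {
        $session = New-CimSession -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Warning "Skipping ${computer}: $($_.Exception.Message)"
        continue
    }
    try {
        # Services: the logon account is in StartName
        Get-CimInstance -CimSession $session -ClassName Win32_Service |
            Where-Object { $_.StartName -match $AccountPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer; Type = 'Service'
                    Name = $_.Name; RunAs = $_.StartName
                }
            }
        # Scheduled tasks: the run-as account is in Principal.UserId
        Get-ScheduledTask -CimSession $session -ErrorAction SilentlyContinue |
            Where-Object { $_.Principal.UserId -match $AccountPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer; Type = 'ScheduledTask'
                    Name = "$($_.TaskPath)$($_.TaskName)"; RunAs = $_.Principal.UserId
                }
            }
    } finally {
        Remove-CimSession -CimSession $session
    }
}

# Hypothetical output file name; review this list before renaming the account.
$results | Sort-Object Computer, Type, Name |
    Export-Csv -Path .\admin-account-usage.csv -NoTypeInformation
```

Hosts that were skipped with a warning still need checking by hand, since an unreachable machine may be running something as the administrator account.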