
My organization's password policy requires that passwords for two accounts in particular be updated/changed on a regular basis.

Is there a way to determine where a particular AD user account has been used? I am trying to determine what will break within active directory before changing the password to the account.

  • Perhaps I worded my question poorly; we need to change the password for the root domain account as well as another administrative account. We want to find if this same password has been applied anywhere else within Active Directory. – Matt Jan 21 '13 at 14:19
  • So you want to find if another account has that same password? Why?? – Chris S Jan 21 '13 at 14:28
  • Want to locate each OU or account where the old administrator's password has been applied within Active Directory. They need to be changed and there could be multiple locations this password is applied within AD. – Matt Jan 21 '13 at 14:50
  • That's definitely not how AD works. Maybe you mean to say that multiple user accounts have this password? Even if that's the case there could be multiple passwords for the multiple accounts. I'm getting the feeling you're in way over your head and should be calling a local consultant as soon as possible. – Chris S Jan 21 '13 at 14:53
  • Well the task handed to me was pretty vague. "How to find where admin passwords have been used"- is the task which was given to me. – Matt Jan 21 '13 at 14:56

3 Answers


Scan the Security event log on every computer looking for a logon of that user account.

Ryan Ries

Perhaps the easiest way is to enable successful login auditing on your domain controllers, then search through the logs for the user you're looking for.

Couple side notes:

  • Service accounts should have some sort of logical structure to their name. Microsoft recommends the format Vendor$Product$Server. So if you have Acme's FooBar running on Server01, then the service account name should be Acme$FooBar$Server01.
  • You should keep track of all your service accounts, and where they are used. This can easily be a simple spreadsheet (Google Docs, LibreOffice, whatever are all free). At a minimum it should keep track of the account names, intended use, last password change, and the servers/services that use them.
  • Passwords should be incredibly long and complex; I use KeePass to generate 32-letter "goop". This way the password doesn't need to be changed as often. Changing passwords guards against a few things, none of which should readily apply to a service account with a good password.
  • You should review your business practices on a regular basis to ensure they aren't causing more trouble than they're worth. Practices should be justified, most of which are easy.

Terminology:

  • A "service account" is any user account, could be the "Administrator" account or any other, which is being used by a process that automatically logs in (most commonly services running on a server, hence the name).
  • Active Directory is the system that keeps the user accounts, including passwords. It does not run as a user, the accounts are not used "within" it. The accounts are used by other programs.
  • Windows has no "root" account. There is an "Administrator" account that was set up when AD was first configured, but it's not special in the way that "root" is special on *nix environments. This "Administrator" account can be completely replaced with relative ease in Windows.
Chris S
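
The log search the two answers above describe, as an added example that is not from either answer: with success/failure logon auditing enabled on the domain controllers, it pulls the logon (4624), failed-logon (4625) and lockout (4740) Security events for one account from every DC and groups them by source computer and logon type, which is the list of places a password change will affect. The account name, the 7-day window and the use of the ActiveDirectory module's Get-ADDomainController to enumerate DCs are assumptions.

```powershell
# Added example: find where one AD account is being used, from the DCs' Security logs.
# Assumes "Audit Logon" success/failure auditing is on and you can read event logs on each DC.
# Event IDs are the standard Windows Security ones: 4624 logon, 4625 failed logon, 4740 lockout.
param(
    [Parameter(Mandatory)] [string] $AccountName,   # sAMAccountName, e.g. 'svc-backup' (assumed)
    [int] $Days = 7                                  # look-back window (assumed)
)

# Assumption: the ActiveDirectory module is available; otherwise replace with a literal DC list.
$dcs = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4740
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # All three event types carry the account in TargetUserName.
        if ($data['TargetUserName'] -ne $AccountName) { return }
        # 4740 names the calling computer in TargetDomainName; 4624/4625 carry workstation or IP.
        if ($_.Id -eq 4740)                 { $source = $data['TargetDomainName'] }
        elseif ($data['WorkstationName'])   { $source = $data['WorkstationName'] }
        else                                { $source = $data['IpAddress'] }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            DC        = $dc
            EventId   = $_.Id
            LogonType = $data['LogonType']   # 2 interactive, 3 network, 4 batch, 5 service, 10 RDP
            Source    = $source
        }
    }
}

# One row per (source, logon type, event): these are the systems to fix before/after the change.
$events | Group-Object Source, LogonType, EventId |
    Select-Object @{n='Source';    e={ $_.Group[0].Source }},
                  @{n='LogonType'; e={ $_.Group[0].LogonType }},
                  @{n='EventId';   e={ $_.Group[0].EventId }},
                  Count,
                  @{n='LastSeen';  e={ ($_.Group | Sort-Object Time)[-1].Time }} |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

A logon type of 5 (service) or 4 (batch/scheduled task) on a given source is the strongest sign of a stored credential; network logons (type 3) from the same hosts usually follow from those.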

You scan the logs for the user (as mentioned), or alternately, you just change the password, and see what breaks. It's easier/faster to look for audit failures and account lockouts than successful logins, and there are some MS tools you can use to trace account lockouts to boot.

HopelessN00b