
Password Management for Administrators

By krudd ·
We have had two domain/enterprise level administrators leave the company in the last 6 months. This means that in addition to disabling their accounts, we have had to change a large number of passwords for service accounts, local admin accounts, infrastructure equipment, etc., basically whatever they may have had access to.

What tools, methods and policies are other administrators using to make this job less of a pain?


Tools

by djameson In reply to Password Management for A ...

The best tool is a notebook to keep track of all the places that passwords are used. The hardest part is remembering everywhere that there are passwords. If you are running a Windows domain, if you remove the user they lose access to everything that is authenticated against the domain. I have in the past used MS IAS for authentication against switches etc., but that really isn't the solution. If you are a small organization, the best way is to keep passwords common. Like router access and enable passwords and SNMP community strings are all the same throughout the organization. In terms of the local admin password, I use an MD5 flip bit hash that sets the local administrator passwords on machines, the hash includes a seed value that can be changed if need be, and an enterprise-wide Perl script that changes them periodically.


WSH Scripting Helps

by billbohlen@hallmarkchannl In reply to Tools

We've been in the same position. We've been able to use Windows Scripting Host and VBScript to create some reports that help.

1) Service accounts. As you know, the password for a service account is stored separately. We've been able to create a script that uses ADSI to connect to the domain and enumerate all computer objects with a server OS. Then for each computer, we use WMI calls to enumerate any services where StartName <> LocalSystem. This gives us a nice report of all services that start with a domain account.

2) Scheduled Tasks. We have a lot of scheduled tasks on servers that run under a variety of domain service accounts. Creating a script to enumerate these is tricky, and requires a little-known Resource Kit tool called JT.EXE. But the end result is that we get a report of all scheduled tasks on all servers...their status and their account credentials.

Actually CHANGING these stored passwords is still a laborious manual task, but at least we have a list to work from, so we don't miss anything.
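
The inventory described in the post above, sketched as an added example that is not the poster's script: it uses PowerShell with the ActiveDirectory module and CIM instead of VBScript/ADSI, and `Get-ScheduledTask` instead of JT.EXE. It assumes RSAT is installed, WinRM is reachable on the servers, and the output file name is a placeholder.

```powershell
# Added example: list services and scheduled tasks on domain servers that run
# under non-built-in accounts, i.e. places where a password is stored.
# Assumptions: RSAT ActiveDirectory module, WinRM/CIM access to each server,
# and a placeholder output path.
Import-Module ActiveDirectory

# Built-in identities have no stored password to rotate, so they are skipped.
$builtIn = '^(LocalSystem|SYSTEM|LOCAL SERVICE|NETWORK SERVICE|NT AUTHORITY\\.+|NT SERVICE\\.+)$'

# Enabled computer objects whose OS name contains "Server".
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' -Properties DNSHostName |
    Where-Object DNSHostName |
    Select-Object -ExpandProperty DNSHostName

$report = foreach ($server in $servers) {
    try {
        $session = New-CimSession -ComputerName $server -ErrorAction Stop
    } catch {
        # Record hosts that could not be checked so they are not silently missed.
        [pscustomobject]@{ Server = $server; Type = 'Unreachable'; Name = $null
                           Account = $null; Detail = $_.Exception.Message }
        continue
    }
    try {
        # Services whose StartName is a domain or local user account.
        Get-CimInstance -CimSession $session -ClassName Win32_Service |
            Where-Object { $_.StartName -and $_.StartName -notmatch $builtIn } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'Service'; Name = $_.Name
                                   Account = $_.StartName; Detail = $_.StartMode }
            }
        # Scheduled tasks whose principal is a user account.
        Get-ScheduledTask -CimSession $session |
            Where-Object { $_.Principal.UserId -and $_.Principal.UserId -notmatch $builtIn } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'ScheduledTask'
                                   Name = $_.TaskPath + $_.TaskName
                                   Account = $_.Principal.UserId; Detail = $_.Principal.LogonType }
            }
    } finally {
        Remove-CimSession -CimSession $session
    }
}

# Sorting by account groups every place a given credential must be changed.
$report | Sort-Object Account, Server |
    Export-Csv -Path .\stored-credentials.csv -NoTypeInformation
```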


SCRIPT

by alfivar In reply to WSH Scripting Helps

Do you have the scripts? Is it possible to download?
