Score:0

Changing an AD account password - what services will it break?

jp flag

We have a bunch of AD accounts that are used for various purposes (allows scanners to save a file on a network folder, or it runs a service or scheduled task). Is there a quick way of seeing where the account is being used (even just hostname/IP address would be helpful to narrow down what machines we need to focus on)? Just a 'this is what computer(s) or devices this account was accessed from in any given period'. We are going to reset passwords on a lot of them and want to know in advance what damage it will cause. Thanks, John

dognose avatar
ar flag
Sidenote: Make sure you disable account locking after X failed attempts for the transition phase. Otherwise you might have one (missed) device, or devices that have been offline for a long time, that will keep locking your account with a wrong password.
jp flag
Great point, thanks!
Score:0
us flag

For cases like this I can’t stress the importance of good documentation enough. But I guess this won’t help you.

With native MS tools I guess your best chance is to filter the Security Eventlog on your DCs for ID 4624. Depending on how big your domain is, there will be a lot, and I can’t think of a way to filter for the username. What you can do, however, is to use Find…, enter the username you want to investigate and hit Find Next each time. This will show you the logon events of this user one after the other.

PS: repeat on all DCs for complete results.

And while you're at it, you might want to check for scheduled tasks run by these users.

jp flag
Thank you, I'll check that ID, much appreciated.
Score:0
mx flag

Depending on the size of your environment, this may not be a task that can be done by hand. You will need tools or a script to comb through the events on all DCs.

First of all, beware that there is a difference between "logon events" and "account logon events" (MS chose very bad wording in this regard). The former is generated on the local computer where the logon happens; the latter is generated on the DCs where the "authentication" happens.

Since you probably can't scan all servers for local logon events, the more realistic place to track domain account logons is on the DCs. For that, you want to make sure you have account logon auditing enabled on the DCs. Then there are multiple event IDs to look for.

You can find more details on Randy's site (and chapter 5 as well for completeness): https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter4

jp flag
Excellent, thank you. So 'account logon' should record each time something like a scanner authenticates. Hope so!
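The two answers above (filtering the DC Security logs for 4624, and collecting the DC-side "account logon" events) as one added PowerShell example; this is not code from either answer. It assumes the RSAT ActiveDirectory module, rights to read the Security log on every DC, and that the account names you pass (`svc-scanner` etc. are placeholders) are sAMAccountNames. Event IDs 4768 (Kerberos TGT request) and 4776 (NTLM credential validation) are the DC-side account logon events; 4624 is the logon event the first answer names.

```powershell
# Added example: summarise where a set of AD accounts have been used, per source host/IP,
# by reading logon (4624) and account-logon (4768, 4776) events from every DC.
param(
    [Parameter(Mandatory)] [string[]] $Accounts,   # e.g. 'svc-scanner','svc-backup' (placeholders)
    [int] $Days = 30                                # how far back to look
)
Import-Module ActiveDirectory
$dcs    = (Get-ADDomainController -Filter *).HostName
$start  = (Get-Date).AddDays(-$Days)
$filter = @{ LogName = 'Security'; Id = 4624, 4768, 4776; StartTime = $start }

$hits = foreach ($dc in $dcs) {
    # Get-WinEvent throws when no events match, so treat that like a read failure and move on.
    try   { $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop }
    catch { Write-Warning "No matching events readable on ${dc}: $_"; continue }
    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable so the three
        # event types can be handled with the same field names.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $user = $d['TargetUserName']
        if ($Accounts -notcontains $user) { continue }   # -contains is case-insensitive
        # 4624 carries IpAddress + WorkstationName, 4768 carries IpAddress (often ::ffff:a.b.c.d),
        # 4776 carries Workstation; take the first non-empty value.
        $src = @($d['IpAddress'], $d['WorkstationName'], $d['Workstation']) |
               Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1
        [pscustomobject]@{
            Account = $user; DC = $dc; EventId = $e.Id
            Source  = if ($src) { $src } else { '(unknown)' }
            Time    = $e.TimeCreated
        }
    }
}

# One row per account/source pair: how many events and when it was last seen.
$hits | Group-Object Account, Source |
    Select-Object @{n='Account';  e={ $_.Group[0].Account }},
                  @{n='Source';   e={ $_.Group[0].Source }},
                  @{n='Events';   e={ $_.Count }},
                  @{n='LastSeen'; e={ ($_.Group | Measure-Object Time -Maximum).Maximum }} |
    Sort-Object Account, LastSeen -Descending | Format-Table -AutoSize
```

Run it with a lookback that covers your longest job cycle (a monthly task will not show up in a 7-day window), and a source that stops appearing after the reset is a device still holding the old password, which is exactly what the lockout comment above warns about.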