Almost every Active Directory Domain has some service accounts such us BackupSVC, MonitorSVC, etc that are used to run Windows Services throughout the network.
Changing a password for such an account can be a real pain. A responsible admin should scan all servers and see where the account is being used. Otherwise, services are bound to fail launching, backup jobs will stop running and the service account may lock out because the old password is still being used for authentication.
In small networks, with 20-30 servers or less, the job of changing the password and reconfiguring it in all proper places can be done in a few hours. However, in medium and large networks with dozens of servers, this task can take a while. In fact, some organizations I know rely so heavily upon unmanaged service accounts that their passwords are kept static (and known to way too many people) for long years.
In this article, I will demonstrate how to get this job done in no time and with zero expenses.
An administrative user account which is member of the local ‘Administrators’ group of each server (If you’re member of the ‘Domain Admins’ group, then you’re probably fine)
Download ControlUp HERE – It’s free
1. Start ControlUp on your workstation
2. Click the ‘Add Computers’ button on the left side of the tool bar
3. In the ‘Computer Selection’ screen, you should select all servers that might use the service account. If needed, you can add additional domains and use alternative credentials for it. After the selection is made, click the ‘Add’ button, and then ‘Next’
4. On the ‘Add Computers’ screen, you can see the status of each server. If any of the servers are missing .Net Framework, you can use the ‘Deploy .Net Framework’ to remotely install the feature (Works on 2008 server or above)
5. When done, click the ‘Finish button’.
In this step, we will see which services are using the service account, and manipulate the settings.
1. On the main screen, make sure that ‘Computers’ is selected on the upper bar, and then use CTRL + A to select all servers.
2. Right-Click on any of the selected servers and choose ‘Services Controller’
3. In the ‘Service Controller’ screen, you can see an aggregated list of all Windows Services exist on the computers you selected. Set the columns order so you can easily see the ‘Logon As’ column, and click on the column header one to sort by this column.
4. If you know the exact service that you’re looking for, simply click on its name from the ‘Services’ pane. Alternatively, you can browse through all the services using the ‘Down’ arrow key.
5. When you found a Windows Service that uses the service account you want to change, right click on the service’s name on the ‘Services’ pane and select ‘Edit Properties’
6. Select ‘Edit Properties’, Select ‘This Account’ and specify the credentials. Alternatively, you can use the ‘Local System’ account.
7. The next screen will show you the servers on which the update will take place. Click OK.
8. Review the results, and – That’s it! You successfully change the service account.
In order to make sure that the account is not used anymore, follow these steps:
1. Clear the security log on each Domain Controller
2. Wait for few days…
3. Search for Logon events of the service account and make sure there are no logon
events in the logs.
Sample logon event:
If the event doesn’t appear on any of the Domain Controllers after a while, it means that the account is not used anywhere, and you can go ahead and disable it.
If the event appears, it means that it is still being used on the specified server. Log on to the server and see where it is being used.