
Active Directory and change password for domain admin



Posted

I have got a couple of computers at home.

For testing purposes, can we change the password for the Active Directory (win2003) domain admin without affecting the whole configuration for the users and groups?

How can we change that?

Thanks


Posted
For testing purposes, can we change the password for the Active Directory (win2003) domain admin without affecting the whole configuration for the users and groups?

How can we change it?

Posted

Use the "Active Directory Users and Computers" snap-in on one of the DC machines (or the DC, if you have only one server). Change the password for the built-in "Administrator" account - but as has been previously stated, you should always have at least 2 admin accounts. Create another account with the same privilege level as the Administrator account if you have not done so already.

Posted

You need to right-click on the Administrator account object itself to see the option. It's in the right-click menu itself - also note that if you are not logged on as the domain admin, or with domain admin privileges, you will not be able to reset the password for the domain Administrator account.

Posted (edited)
You need to right-click on the Administrator account object itself to see the option.
This is what I did... I hope I understood you correctly.
also note that if you are not logged on as the domain admin,

The screen that I posted is for the domain admin account logged in.

BTW, I was logging on to the domain controller PC remotely (Remote Desktop), not locally.

Edited by zillah
  • 2 weeks later...
Posted (edited)
You need to right-click on the Administrator account object itself to see the option.

The Administrator user is under the "Users" object; I was mistakenly opening Administrators under the "Builtin" object.

Edited by zillah
  • 3 weeks later...
Posted (edited)
Yes. But just so you don't lock yourself out, have another backup admin account.

I have created a backup Administrator called (backupadmin), and I added him to the groups below:

1- Administrators

2- Domain Admins

3- Domain Users

Is this all that I have to do (only three groups), or do I have to add more?

Because all the groups that I have got for the username Administrator are below:

http://img257.imageshack.us/img257/6775/administratorsv7.jpg


Edited by zillah
Posted

You really don't need it in anything but the Administrators group for the backup account. The account would be used strictly for unlocking the main admin account.

Posted
You really don't need it in anything but the Administrators group for the backup account.

What worried me: I can see the username "administrator" has been added to many groups, not only the group Administrators. If a username which is added to the group Administrators has got full privilege, why do I need to add it to other groups as well?

Regards

Posted

The only reason I can see adding an Administrative-level account to other groups would be if it was used as a service account (which shouldn't be done, btw), or if the administrators group was not given permissions to files or folders that some of these groups do have, but you still wanted the Administrator account to have access (that is also bad practice). Your assertion is correct, it technically should only need to be in the Domain or Enterprise Administrators group.
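
The steps discussed in this thread can also be done from a command prompt on the domain controller with the directory service tools that ship with Windows Server 2003. This is an added example, not part of any post above; the domain name `example.local` and the `CN=Users` container path are assumptions to replace with your own values.

```batch
@echo off
rem Added example. Run on a DC while logged on with domain admin privileges.
rem ASSUMPTION: the domain is example.local; adjust the DC= components.
set BASE=DC=example,DC=local

rem 1. Create the backup admin account first, so a mistake in step 4
rem    cannot leave the domain without a working admin logon.
rem    "-pwd *" prompts for the password instead of taking it as an argument.
dsadd user "CN=backupadmin,CN=Users,%BASE%" -samid backupadmin -pwd * ^
  -memberof "CN=Administrators,CN=Builtin,%BASE%"

rem 2. Check what the backup account is a member of (nested groups expanded).
dsget user "CN=backupadmin,CN=Users,%BASE%" -memberof -expand

rem 3. List the groups of the built-in Administrator for comparison.
rem    Note it lives under CN=Users, not under CN=Builtin.
dsget user "CN=Administrator,CN=Users,%BASE%" -memberof -expand

rem 4. Reset the built-in Administrator password. Only the password
rem    changes; other users and groups are not modified.
dsmod user "CN=Administrator,CN=Users,%BASE%" -pwd *
```

Log on once with `backupadmin` before relying on it, and review the output of step 3 for group memberships that the Administrator account no longer needs.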
