Changing Admin Password
I am looking at changing the administrator's password on a 2008 R2 DC. We have had some unusual things happening lately on the server, i.e. the backup being paused for a week (this was my assistant's job to check, not mine, by the way), home directories being renamed and user accounts changing ???
I have had a look on the server and there is no sign of any remote software installed, but I think the previous administrator may still have a VPN on his laptop and still be able to dial in.
Before I change the administrator's password, how can I check what services might be dependent on the account, as they will also be affected?
Look out for LogMeIn on the server too... Or on another server that connects to it.
It did use to have LogMeIn installed but I revoked access when I started.
I would also check for all accounts in the various administrator groups. In past experience you will be far more likely to find an account with admin privileges than having the main admin account compromised, which, TBH, you shouldn't be using anyway.
Just checked the services and it looks like the only ones affected will be the web filtering and Backup Exec; both of these are using the domain administrator account.
I'd be looking at finding out who was doing these changes and how. Takes ages but you could scour the logs on the DC. Filtering by specific events would help.
If it is a previous admin he certainly needs to be brought to justice. Not at all funny.
Might be worth having a password reset procedure documented, i.e. which passwords are used where. Substitute numbers for passwords if you can't bear to write them down.
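
The checks suggested in this thread (what runs as the account, who is in the administrator groups, which account changes the DC logged), as an added PowerShell example that is not from any of the posters. It assumes PowerShell 2.0 with the ActiveDirectory module on the 2008 R2 DC and an English-language `schtasks` column name; the server list and the 30-day window are placeholders to adjust.

```powershell
# Added example. $servers and the 30-day window are placeholders, not values from the thread.
$servers = @($env:COMPUTERNAME)      # add any other servers that may use the account
$account = 'Administrator'           # account whose password is about to change
# Matches DOMAIN\Administrator, .\Administrator and Administrator@domain
$pattern = '(^|\\)' + [regex]::Escape($account) + '(@|$)'

# 1. Services that log on as the account (these stop working after the change)
foreach ($s in $servers) {
    Get-WmiObject Win32_Service -ComputerName $s |
        Where-Object { $_.StartName -match $pattern } |
        Select-Object @{n='Server';e={$s}}, Name, DisplayName, StartName, State |
        Format-Table -AutoSize
}

# 2. Scheduled tasks that run as the account
#    ('Run As User' is the column name on English-language systems)
foreach ($s in $servers) {
    schtasks.exe /query /s $s /v /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -match $pattern } |
        Select-Object HostName, TaskName, 'Run As User' -Unique |
        Format-Table -AutoSize
}

# 3. Every account that ends up with admin rights, including nested group members
Import-Module ActiveDirectory
'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators' |
    ForEach-Object {
        $group = $_
        Get-ADGroupMember -Identity $group -Recursive |
            Select-Object @{n='Group';e={$group}}, SamAccountName, objectClass
    } | Format-Table -AutoSize

# 4. Account-management events in the DC's Security log:
#    4720 created, 4722 enabled, 4724 password reset, 4738 user changed,
#    4781 account renamed, 4728/4732/4756 member added to a security group
$ids = 4720, 4722, 4724, 4728, 4732, 4738, 4756, 4781
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $ids
        StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{n='Summary';e={ ($_.Message -split "`r?`n")[0] }} |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on the DC. Step 4 only returns events if account management auditing was enabled and the Security log has not rolled over since the changes.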