We have a bunch of AD accounts that are used for various purposes (allowing scanners to save a file on a network folder, or running a service or scheduled task). Is there a quick way of seeing where an account is being used (even just a hostname/IP address would be helpful to narrow down what machines we need to focus on)? Just a 'this is what computer(s) or devices this account was accessed from in any given period'. We are going to reset passwords on a lot of them and want to know in advance what damage it will cause. Thanks, John
Side note: make sure you disable account locking after X failed attempts for the transition phase. Otherwise you might have one (missed) device, or devices that have been offline for a long time, that will keep locking your account with a wrong password. – dognose May 12 '22 at 06:10
Great point thanks! – user2463687 May 12 '22 at 17:41
2 Answers
For cases like this I can’t stress the importance of good documentation enough. But I guess this won’t help you.
With native MS tools I guess your best chance is to filter the Security Event Log on your DCs for ID 4624. Depending on how big your domain is, there will be a lot and I can’t think of a way to filter for the username.
What you can do, however, is to use Find…, enter the username you want to investigate and hit Find Next each time. This will show you the logon events of this user one after the other.
PS: repeat on all DCs for complete results.
And while you're at it, you might want to check for scheduled tasks run by these users.

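Since the first answer ends on scheduled tasks, here is an added example (not from the answer, and not a vendor tool) that enumerates, over CIM/WinRM, every Windows service and scheduled task configured to run as a given account on a list of hosts. The host names, the account name and the CSV path are placeholders to replace with your own; the script assumes you have admin rights and WinRM reachable on the hosts you list.

```powershell
<#
Added example: find services and scheduled tasks configured to run as $Account.
Assumes: WinRM/CIM reachable on each host and an admin account on those hosts.
The host names and 'CORP\svc_scanner' are placeholders, not values from the question.
#>
param(
    [Parameter(Mandatory)][string]$Account,                     # 'CORP\svc_scanner' or 'svc_scanner@corp.local'
    [string[]]$Computers = @('FILESRV01', 'APP01', 'PRINT01')    # placeholder host list
)

# Reduce DOMAIN\name and name@domain to the bare sAMAccountName so either form matches.
$sam = switch -Regex ($Account) {
    '^[^\\]+\\(.+)$' { $Matches[1]; break }
    '^([^@]+)@.+$'   { $Matches[1]; break }
    default          { $Account }
}

# True when a 'run as' string (DOMAIN\name, name@domain or bare name) refers to $sam.
function Test-RunAs {
    param([string]$RunAs)
    if (-not $RunAs) { return $false }
    return (($RunAs -split '[\\@]') -contains $sam)   # -contains is case-insensitive
}

$found = foreach ($c in $Computers) {
    try { $cim = New-CimSession -ComputerName $c -ErrorAction Stop }
    catch { Write-Warning "${c}: unreachable ($($_.Exception.Message))"; continue }

    # Services: StartName holds the logon account ('NT AUTHORITY\...' for built-ins).
    Get-CimInstance -CimSession $cim -ClassName Win32_Service |
        Where-Object { Test-RunAs $_.StartName } |
        ForEach-Object {
            [pscustomobject]@{ Computer = $c; Kind = 'Service'; Name = $_.Name
                               RunAs = $_.StartName; State = $_.State }
        }

    # Scheduled tasks: the principal stores the user name of the saved credential.
    Get-ScheduledTask -CimSession $cim |
        Where-Object { Test-RunAs $_.Principal.UserId } |
        ForEach-Object {
            [pscustomobject]@{ Computer = $c; Kind = 'ScheduledTask'; Name = ($_.TaskPath + $_.TaskName)
                               RunAs = $_.Principal.UserId; State = [string]$_.State }
        }

    Remove-CimSession $cim
}

$found | Sort-Object Computer, Kind, Name | Format-Table -AutoSize
$found | Export-Csv -NoTypeInformation -Path ".\${sam}-usage.csv"   # keep as the pre-reset inventory
```

Every hit is a place where the old password is stored and will break at the reset: services keep it in LSA secrets (update with `sc.exe config <service> obj= "DOMAIN\user" password= "<new>"` or the Services MMC), scheduled tasks in Credential Manager (`schtasks /Change /TN <task> /RU <user> /RP <new>`). This only finds where the account is configured on Windows hosts you can reach; a scanner or appliance that authenticates with the account will not show up here, which is what the DC event log is for.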
Depending on the size of your environment, this may not be a task that can be done by hand. You will need tools or a script to comb through the events on all DCs.
First of all, beware that there is a difference between "logon events" and "account logon events" (MS chose very bad wording in this regard). The former are generated on the local computer where the logon happens, the latter are generated on the DCs where the "authentication" happens.
Since you probably can't scan all servers for local logon events, the more realistic place to track domain account logons is on the DCs. For that, you want to make sure you have account logon auditing enabled on the DCs. Then there are multiple event IDs to look for.
You can find more details from Randy's site. (and chapter 5 as well for completeness) https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter4

Excellent, thank you. So 'account logon' should record each time something like a scanner authenticates. Hope so! – user2463687 May 12 '22 at 17:39
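Both answers point at the DC Security log but leave the filtering to hand work. The following is an added example (not from either answer) that serves both: it pulls the logon events (4624) the first answer searches for and the account-logon events the second answer means (4768 Kerberos TGT request, 4769 service ticket request, 4771 Kerberos pre-authentication failure, 4776 NTLM credential validation) for one account from every DC, and tabulates where each came from. It assumes the ActiveDirectory module, remote read access to the DCs' Security log (Event Log Readers or admin), and that the account appears as TargetUserName in the usual forms (bare sAMAccountName, or user@REALM for 4769). The second answer's distinction applies: 4624 on a DC only records sessions on that DC, so the Kerberos and NTLM events are what tell you which hosts the account authenticates from (and, via 4769, to).

```powershell
<#
Added example: where is $Account authenticating from and to, according to every DC?
Assumes: ActiveDirectory module, and Event Log Readers (or admin) rights on the DCs.
$Account and $Days are the only inputs; everything else is looked up from AD.
#>
param(
    [Parameter(Mandatory)][string]$Account,   # sAMAccountName, e.g. 'svc_scanner' (placeholder)
    [int]$Days = 7
)
Import-Module ActiveDirectory

$realm = (Get-ADDomain).DNSRoot.ToUpper()
# 4769 records the account as user@REALM; 4624/4768/4771/4776 use the bare name.
$names = @($Account, "$Account@$realm")
$nameClause = ($names | ForEach-Object { "Data[@Name='TargetUserName']='$_'" }) -join ' or '
$ms = [int64]$Days * 86400000     # timediff() in event-log XPath is in milliseconds
$xpath = "*[System[(EventID=4624 or EventID=4768 or EventID=4769 or EventID=4771 or EventID=4776)" +
         " and TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[$nameClause]]"

# Flatten one EventRecord into the fields that answer "from where / to what".
function ConvertTo-AuthRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Dc)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $source = switch ($Event.Id) {
        4776    { $d['Workstation'] }                                   # NTLM: only a NetBIOS name
        4624    { if ($d['WorkstationName']) { $d['WorkstationName'] } else { $d['IpAddress'] } }
        default { $d['IpAddress'] }                                     # Kerberos: client IP
    }
    [pscustomobject]@{
        DC        = $Dc
        Time      = $Event.TimeCreated
        EventId   = $Event.Id
        Account   = $d['TargetUserName']
        Source    = ($source -replace '^::ffff:', '')                   # strip IPv4-mapped prefix
        Target    = $d['ServiceName']     # 4769: the SPN the ticket was for, i.e. the host being accessed
        LogonType = $d['LogonType']       # 4624 only (3 = network/share, 4 = batch/task, 5 = service)
        Status    = $d['Status']          # 4768/4769/4771/4776: 0x0 on success, otherwise a failure code
    }
}

$records = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction Stop |
            ForEach-Object { ConvertTo-AuthRecord -Event $_ -Dc $dc }
    } catch {
        # Get-WinEvent raises an error, not an empty result, when nothing matches.
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "${dc}: $_" }
    }
}

# One row per (event type, source host): the list of machines to visit before the reset.
$records | Group-Object EventId, Source | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        EventId  = $_.Group[0].EventId
        Source   = $_.Group[0].Source
        Targets  = (($_.Group.Target | Where-Object { $_ } | Sort-Object -Unique) -join ',')
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        Failures = @($_.Group | Where-Object { $_.Status -and $_.Status -ne '0x0' }).Count
    }
} | Format-Table -AutoSize
```

Before trusting the output, confirm on each DC that the relevant subcategories are audited (`auditpol /get /category:"Account Logon"`; the ones that matter here are Credential Validation, Kerberos Authentication Service and Kerberos Service Ticket Operations), otherwise the Kerberos/NTLM rows will simply be missing. 4769 is by far the noisiest of these IDs, so keep `$Days` small on a large domain. After the reset, the same approach answers the lockout concern raised in the comments: failed attempts show up as 4771 (Kerberos) or 4776 with a non-zero status (NTLM) with the offending source, and the lockout itself is 4740 on the PDC emulator, whose "Caller Computer Name" field names the machine still using the old password.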