Password management policy when an admin left the company ?

 
 
Eric
06-08-2009
Hello,

We have approximately 10 administrators in our company.
We have several domains, and several admin and service accounts stored in
a protected file.

Our problem is: "What happens if one of the administrators leaves the
company?"

As he had access to the protected file containing every password, he
could use it after he left the company.

What is your password management policy in this kind of situation?

Thank you

--
Eric


 
Al Dunbar
06-09-2009

"Eric" <> wrote in message
news:. ..
> Hello,
>
> We have approximately 10 administrators in our company.
> We have several domains, and several admin and service accounts stored in a
> protected file.


What do you mean by "a protected file"? Is this a file on a server to which
all 10 admins have access?

> Our problem is: "What happens if one of the administrators leaves the
> company?"
>
> As he had access to the protected file containing every password, he
> could use it after he left the company.
>
> What is your password management policy in this kind of situation?


An interactive, personal admin account password should exist in only two
places - in the actual account itself, and in the memory of the admin
account user. Nobody else has a reason to know the password. The account
should be disabled and/or the password reset when the user leaves.

The only time anyone needs the password of a service account is when the
service is being configured. It needs to be

 
Al Dunbar
06-09-2009

"Al Dunbar" <> wrote in message
news:#...
>
> "Eric" <> wrote in message
> news:. ..
>> Hello,
>>
>> We have approximately 10 administrators in our company.
>> We have several domains, and several admin and service accounts stored in a
>> protected file.

>
> What do you mean by "a protected file"? Is this a file on a server to
> which all 10 admins have access?
>
>> Our problem is: "What happens if one of the administrators leaves the
>> company?"
>>
>> As he had access to the protected file containing every password, he
>> could use it after he left the company.
>>
>> What is your password management policy in this kind of situation?

>
> An interactive, personal admin account password should exist in only two
> places - in the actual account itself, and in the memory of the admin
> account user. Nobody else has a reason to know the password. The account
> should be disabled and/or the password reset when the user leaves.
>
> The only time anyone needs the password of a service account is when the
> service is being configured. It needs to be


[continued...]

stored for future use in a way that discourages unauthorized use. One way is
in a sealed envelope in a vault under the control of someone other than the
admins.

Of course, you cannot make people actually forget passwords they have known,
so it might not be a bad idea to change all of the service account passwords
when an admin leaves. Of course, it is almost as likely for an admin who is
not leaving to go rogue on you, so this could be overkill.

/Al


 
Eric
06-09-2009
Thank you for your answers.

So OK, we agree that I need to change the passwords when one of the
admins leaves the company (yes, the file is protected in a network storage
location).

Now my question is: "How can I easily change every documented password
when one admin leaves?"
There is a big turnover, so an automatic process would be better.

I have heard about a solution from Cyber Ark, but it's quite expensive.

Thanks for your help.

P.S.: I should mention that I don't have 2008 R2 servers, nor the ability to
easily change service account passwords.

> "Al Dunbar" <> wrote in message
> news:#...
>>
>> "Eric" <> wrote in message
>> news:. ..
>>> Hello,
>>>
>>> We have approximately 10 administrators in our company.
>>> We have several domains, and several admin and service accounts stored in a
>>> protected file.

>>
>> What do you mean by "a protected file"? Is this a file on a server to which
>> all 10 admins have access?
>>
>>> Our problem is: "What happens if one of the administrators leaves the
>>> company?"
>>>
>>> As he had access to the protected file containing every password, he
>>> could use it after he left the company.
>>>
>>> What is your password management policy in this kind of situation?

>>
>> An interactive, personal admin account password should exist in only two
>> places - in the actual account itself, and in the memory of the admin
>> account user. Nobody else has a reason to know the password. The account
>> should be disabled and/or the password reset when the user leaves.
>>
>> The only time anyone needs the password of a service account is when the
>> service is being configured. It needs to be

>
> [continued...]
>
> stored for future use in a way that discourages unauthorized use. One way is
> in a sealed envelope in a vault under the control of someone other than the
> admins.
>
> Of course, you cannot make people actually forget passwords they have known,
> so it might not be a bad idea to change all of the service account passwords
> when an admin leaves. Of course, it is almost as likely for an admin who is
> not leaving to go rogue on you, so this could be overkill.
>
> /Al


--
Eric


 
Meinolf Weber [MVP-DS]
06-09-2009
Hello Eric,

Without 2008 R2 in the future, I don't know of a tool. If you have them well
documented it won't be a big problem: do it one by one after working hours.
If not, I think you have to check every server for which service account is used.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Thank you for your answers.
>
> So OK, we agree that I need to change the passwords when one of the
> admins leaves the company (yes, the file is protected in a network storage
> location).
>
> Now my question is: "How can I easily change every documented password
> when one admin leaves?"
> There is a big turnover, so an automatic process would be better.
> I have heard about a solution from Cyber Ark, but it's quite expensive.
>
> Thanks for your help.
>
> P.S.: I should mention that I don't have 2008 R2 servers, nor the ability to
> easily change service account passwords.
>
>> "Al Dunbar" <> wrote in message
>> news:#...
>>
>>> "Eric" <> wrote in message
>>> news:. ..
>>>
>>>> Hello,
>>>>
>>>> We have approximately 10 administrators in our company.
>>>> We have several domains, and several admin and service accounts stored
>>>> in a
>>>> protected file.
>>> What do you mean by "a protected file"? Is this a file on a server
>>> to which all 10 admins have access?
>>>
>>>> Our problem is: "What happens if one of the administrators leaves the
>>>> company?"
>>>>
>>>> As he had access to the protected file containing every password,
>>>> he could use it after he left the company.
>>>>
>>>> What is your password management policy in this kind of situation?
>>>>
>>> An interactive, personal admin account password should exist in only
>>> two places - in the actual account itself, and in the memory of the
>>> admin account user. Nobody else has a reason to know the password.
>>> The account should be disabled and/or the password reset when the
>>> user leaves.
>>>
>>> The only time anyone needs the password of a service account is when
>>> the service is being configured. It needs to be
>>>

>> [continued...]
>>
>> stored for future use in a way that discourages unauthorized use. One
>> way is in a sealed envelope in a vault under the control of someone
>> other than the admins.
>>
>> Of course, you cannot make people actually forget passwords they have
>> known, so it might not be a bad idea to change all of the service
>> account passwords when an admin leaves. Of course, it is almost as
>> likely for an admin who is not leaving to go rogue on you, so this
>> could be overkill.
>>
>> /Al
>>



 