For the last week or so I’ve been working on a new application that will let you easily find services and scheduled tasks running on servers in your domain that are using a specific user account, then you can have the application change those credentials to use an updated password or a completely different account. More info and screenshots below…
As IT system admins we all know what it’s like once you’ve got quite a few servers in your domain that are running various services and tasks – either they’ve been set up to just use the built-in domain admin account (tut tut) or a specific service account was set up but it’s been running with the same password for years. In both situations people are often afraid of changing the password on the user account in case there is some service or scheduled task running that they didn’t know about which will then stop working once the password has been changed. Also, if you have a large number of servers there could be quite a delay between you changing the password in AD and actually logging on to each server to update the credentials stored with the task/service, so there’s the potential for something to try running and fail in the meantime.
EDIT 25/06/2012: Version 1.0 of this tool has now been released. You can find more info and a download link on my website here: Service Credentials Manager
Of course there are tools out there already that will assist with this situation, but all the ones I’ve seen either don’t work with the new task scheduler system introduced from Vista/Server 2008 onwards, aren’t very intuitive or intelligent, or they are stupidly expensive for what they do. So I decided as it would be a relatively quick project I would make something to do the job. As usual it turned out to be more work than I first anticipated but it is not far from completion now so I thought I’d post some details and screenshots for anyone interested.
First of all here’s some features and comments:
- Works with XP/Server 2003 format scheduled tasks as well as Vista/Server 2008/Windows 7/Server 2008 R2.
- Can import a list of target computers to audit services/tasks on from any AD container (optionally ignoring any disabled computer accounts), CSV file, or they can be entered manually.
- Export audit results to file to review which services on which computers need to be changed before actually making any modifications.
- Option to restart any running services after the credential change, and this correctly handles any dependent services by stopping them first and then starting them again after the credential change on the service they depended on (only if they were running before the change).
- Multi-threading means you can audit multiple computers at once to save time waiting for timeouts and failures on computers that can’t be contacted (default limit of 10 threads running at once but you can increase this).
- When searching for services/tasks running as a specified username, the application will automatically look up the alternate format of the username and check for services using this version of the username too (e.g. if you enter DOMAIN\JohnSmith it will also find services where the account has been entered as JohnSmith@domain.local and vice versa). Note that this isn’t simply switching around the domain and username, it actually queries the domain to get the correct alternate version of the username for the user account you specified.
- If you choose to change the credentials to a new user account for all selected services and the new user account does not have the Log On As A Service right on the target computer then the application will automatically attempt to grant the user that permission first.
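An added example, not part of the original post and not code from Service Credentials Manager: a read-only PowerShell audit of Windows services only (scheduled tasks are not covered) that asks the domain for both forms of the account name, as the feature list describes, and reports hosts it could not reach. It assumes the target computers accept CIM/WinRM queries; the function names, host names and sample records are constructed for illustration.

```powershell
# Added example: read-only audit of Windows services, not code from the tool.
function Get-AccountNameForms {
    # Ask the domain for both spellings of one account instead of rearranging the string.
    param([Parameter(Mandatory)][string]$Account)
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $type = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx  = [System.DirectoryServices.AccountManagement.PrincipalContext]::new($type)
    try {
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $Account)
        if (-not $user) { throw "Account '$Account' was not found in the domain." }
        $nt = $user.Sid.Translate([System.Security.Principal.NTAccount]).Value  # DOMAIN\user
        @($nt, $user.UserPrincipalName) | Where-Object { $_ }                   # user@domain
    } finally { $ctx.Dispose() }
}

function Get-ServiceRunAs {
    # One record per service; an unreachable host yields a single 'Unreachable' record.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            Get-CimInstance -ClassName Win32_Service -ComputerName $c -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{ Computer = $c; Service = $_.Name; RunAs = $_.StartName }
                }
        } catch {
            [pscustomobject]@{ Computer = $c; Service = $null; RunAs = 'Unreachable' }
        }
    }
}

function Select-ByRunAs {
    # -contains compares case-insensitively, which suits Windows account names.
    param([object[]]$Record, [Parameter(Mandatory)][string[]]$NameForm)
    $Record | Where-Object { $NameForm -contains $_.RunAs }
}

# Constructed sample records so the matching step can be run without a domain.
$sample = @(
    [pscustomobject]@{ Computer = 'SRV01'; Service = 'BackupAgent'; RunAs = 'DOMAIN\JohnSmith' }
    [pscustomobject]@{ Computer = 'SRV02'; Service = 'ReportSvc';   RunAs = 'johnsmith@domain.local' }
    [pscustomobject]@{ Computer = 'SRV02'; Service = 'Spooler';     RunAs = 'LocalSystem' }
)
Select-ByRunAs -Record $sample -NameForm 'DOMAIN\JohnSmith', 'JohnSmith@domain.local'

# Against real hosts (names are placeholders):
# $forms = Get-AccountNameForms -Account 'DOMAIN\JohnSmith'
# Select-ByRunAs -Record (Get-ServiceRunAs -ComputerName 'SRV01','SRV02') -NameForm $forms
```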
Here’s some screenshots (may change slightly before release):
Hopefully I will have it released very soon, as there isn’t too much work left to do on it. Just need to get the credential change on XP/2003 format scheduled tasks working and then finish off some of the general GUI code, then it’s just a matter of testing it on a variety of different test networks and computers.
As with all of my apps, I will be releasing a completely free edition and a standard edition which will be paid for. I’m planning to make the free edition just be able to audit and export results but not actually be able to change the credentials, as I think this will still be useful to a lot of people as just discovering the services/tasks that depend on a specific account is half the battle. The standard edition will cost $59 USD for a single license and $150 for an unlimited/enterprise license. NOTE: I should clarify that a single license does not mean a single remote server that you want to query/update, the licenses are purely based on how many computers you are going to install the application on. So you could just buy one single license and use that installation on one PC to change the passwords on several thousand remote services and scheduled tasks.
Of course if you have any questions or suggestions, I’d love to hear from you so please feel free to send me an email (email address is on my website here) or leave a comment below. I’ve already had quite a few people interested in this so hopefully it will be useful to a lot of you.
Thanks
Chris
Thanks Chris, another really useful tool – especially for admins that have just joined a company and have yet to root out all the deep dark secrets….
In my current post I joined to find all the help desk staff knowing the domain admin password…you can imagine my immediate response! I of course changed it – which made matters worse as lots of services ground to a halt!
Thanks again!
David,
haha I bet you were popular then 😛 but yeah I know exactly what you mean, while I was testing this tool out on our network I found several services that I wasn’t aware of that were still running as the domain admin account so it seems even after being here for 2 years I still haven’t found all of the dark secrets either!
I’m looking forward to trying out this app, but I will say that your price points are quite high for the standard version. I understand the time you’ve invested is worth the money; however, from an economics standpoint you might want to consider the concept of 1,000 purchases at $10 is much better than 10 purchases at $100. For what would essentially be a rarely used application the price is pretty steep especially at this time when spending is cutting back more and more because of the economy. Just something to consider.
I appreciate that, but similar apps from other vendors are A LOT more expensive so I thought the price was quite good really. I mean $59 is pretty much nothing for most businesses that would need an app like this.
As a quick example, the first one I found from a google search just now costs over $2000 for 100 target server licenses and that’s before you even start looking at maintenance and support. Whilst it did have a few extra features like being able to create and delete services remotely (which I can’t see many people wanting to do to be honest) those additional features certainly didn’t make it worth that much extra if you ask me. So I thought $59 for an unlimited number of target servers was very reasonable to be honest (my licenses are just based on how many computers you’re actually going to install the app on, not how many you will be querying or updating).
Also I’m providing a completely free edition, which I really don’t have to do… it’s quite likely that a lot of people will just use the free edition to identify the services that are running as a specified account and will then change the passwords themselves manually so won’t ever buy the standard edition. Then for those that have way too many servers to be doing that, I’d say they are big enough to not think $59 is a lot of money. Sorry to go on, but it does annoy me a bit when someone complains about my prices because if I’m honest I know I could charge a lot more for most of my apps and make more money – I have plenty of huge companies buying my products that wouldn’t think twice if I stuck another $100 on my prices but I try to make them as cheap as I can so that I’m not ripping people off and so that they are good value for money. I always check out how much similar apps are priced and make mine a lot cheaper, and like I said I don’t have to provide a free edition at all but I do that just to help people out. Sure other businesses have free editions of their apps too but they are almost always crippled to the point of being useless, whereas mine are not – I always make sure the free editions are still useful but obviously there needs to be some features that are only in the standard edition otherwise no one would ever buy it. Oh and since posting this blog post a couple of days ago I’ve already had a few people email me saying they will definitely be buying the enterprise license of it, so I’d say it can’t be that steep of a price.
This tool will be a great addition to my toolbox and will be worth every penny. I’ve been dreaming of something like this for a while but don’t have the programming skills, time, and creativity to develop a tool such as this.
In addition to the conversation about pricing, consider the following. You have 100 Windows VMs, 4 locations, and know for a fact that most of your services are running with the built in domain admin account. Everyone in the IT Department is aware of this account and password and the CIO wants a stop to this now! It will take 40 hours for your net/sys admin ($30/hour) to manually complete said task. At the end of the day, it will cost the company nearly $1200. Another option is to pay $150 for this tool and have an ROI immediately.
Thanks Chris!
Thanks a lot Cesar, I’m glad to hear that 😀 and you make a very good point about the ROI, and it could actually be even more as you could just buy a single license for $59 and still query/update all of those 100 VMs (the license is purely based on how many computers you are going to install the application on, not how many computers you want to query or update from it).
Thanks again
Chris
I am SERIOUSLY waiting with bated breath! This tool is worth its weight in GOLD. Every time we have an admin leave, we are REQUIRED to change every freaking service account password and shared password.
It sucks.
A Lot.
I know you just posted this 13 days ago…
But is it ready yet???
What is “very soon?”
Thanks I’m glad you are looking forward to it 😀 it is very nearly finished now, I’m hoping to get it finished this weekend and should be released some time next week.
Seriously… $59? CHEAP!
I’ll be watching next week! 😉
I’m not 100% sure whether or not you were being sarcastic about the price being cheap after the comments earlier about it being a bit steep, but I hope not 🙂 Quick update as well – the app is completely finished now, just need to do some more testing to make sure everything works as it should before I release it.
No joke! I inherited an IS management position where they had NO previous controls. I also have two underperformers I need to let go. But where they’ve buried either their own, or the admin, credentials is keeping me up at night. They have VPN access as well, so changing all those passwords will be critical. $59 is WELL worth it.
Just finished doing all of the testing that I wanted to get done on the standard edition so for everyone that is keen to try it out I’ve updated this blog post to include links to the finished versions of the free edition and the standard edition 🙂 I’ll be updating my website tomorrow night to give it its own proper page with screenshots and info etc but at least you can get using it before then 😀
Purchased and installed the single license version. We are running a mixed domain with Server 2003, Server 2008 and Server 2008 R2 without Hyper-V. Functionality of Server 2003. Testing the app, I see that it doesn’t detect a particular svc account running on a known server where it resides inside an application. Doesn’t run as a scheduled task. Any reason it couldn’t find the svc account?
Hi William,
Yes the program will not find credentials that have been entered into third party applications (and no program like this ever could, because it’s impossible to predict where/how third party apps will store those details). It will only find scheduled tasks and windows services.
Thanks
Chris
Nice tool.
I really need it for now.
Unfortunately this is not opensource as I am in need to have this kind of tool to be personalized for my needs.
Thanks for the share.
What exactly do you need changing to personalise it for your needs? If it’s something simple I could make you a bespoke version of it.
Will this tool also find and change passwords for service accounts within IIS? This would make this tool a must have for sys admin. We currently use a script that will audit where the accounts are and a script to change password but having the GUI interface for it would be nice.
Hi,
At the moment no it only supports scheduled tasks and windows services, not IIS app pools. However this is something that will hopefully be added in the future.
Thanks
Chris