Channel: Security forum

Best path to stop using the Administrator account?

Hi, My organization is running a domain at the 2k8 R2 functional level, and for the life of the organization, the IT department (myself included) has been undisciplined about not using the administrator account for certain tasks like software installation, printer installation, etc.

At this point in time, we are on the path to proving PCI compliance, and are running a SIEM. The other day, I created a rule to inform me whenever a successful logon attempt is made with the username "administrator", and left for the weekend. The reason for the rule is to generate an alert whenever a generic logon is used (which violates best practices and PCI requirements).

I got back on Monday to find 10,000+ instances of such logins.

I'm assuming that the reason for this is that every time one of us used the administrator account for a software install, the credentials were cached, and are now being used for service accounts.

My question is: what is the most graceful way to begin eliminating these administrator logins without breaking everything?

I assume that if I'm not careful, I could break printing, our point of sale system, backups, etc...

Currently, I'm thinking that I could try to find these service accounts manually, then do what I can to change them, then change the administrator password and see what breaks (or leave for vacation).

This brings me to my followup question: Can someone point me in the direction of the best practices for managing service accounts on a windows domain? 

Thanks in advance,


Kevin
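An added example, not part of Kevin's post or of any reply, for the inventory step the question describes: before the Administrator password is changed, find which services and scheduled tasks on each domain computer are configured to run as Administrator, and which processes on those hosts are producing the successful logons (event 4624) that the SIEM rule fired on. Event 4624 is written on the machine where the logon session is created, so the Security log of each member host is queried rather than the domain controller's. The script assumes a domain-joined admin workstation with PowerShell 3 or later and the ActiveDirectory RSAT module, and remote WMI plus Remote Event Log Management access to the targets; `$LookbackHours`, `$adminPattern` and the output file name are illustrative choices, not anything from the original post.

```powershell
# Added example, not from the original post. Inventories where the built-in
# Administrator account is still in use across the domain so the dependencies
# can be moved to dedicated service accounts before the password is rotated.
param(
    [int]$LookbackHours = 72   # assumption: how far back to read Security logs
)

Import-Module ActiveDirectory

# Matches "Administrator" whether it is stored as a bare name, a local
# principal (.\Administrator, HOST\Administrator) or a domain one (CORP\Administrator).
$adminPattern = '^(?:\.\\|[^\\]+\\)?administrator$'
$since = (Get-Date).AddHours(-$LookbackHours)

$computers = Get-ADComputer -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty Name

$findings = foreach ($c in $computers) {
    try {
        # 1. Services whose logon account is Administrator.
        #    Get-WmiObject is used so 2008 R2 targets (no CIM cmdlets) still answer.
        Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction Stop |
            Where-Object { $_.StartName -match $adminPattern } |
            ForEach-Object {
                [pscustomobject]@{ Computer = $c; Kind = 'Service'; Name = $_.Name; Detail = $_.StartName }
            }

        # 2. Scheduled tasks whose "Run As User" is Administrator.
        #    schtasks.exe instead of Get-ScheduledTask, which 2008 R2 does not have.
        schtasks.exe /Query /S $c /V /FO CSV 2>$null | ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -match $adminPattern } |
            ForEach-Object {
                [pscustomobject]@{ Computer = $c; Kind = 'Task'; Name = $_.TaskName; Detail = $_.'Run As User' }
            }

        # 3. Recent successful logons (4624) as Administrator on this host.
        #    LogonType 5 = service start, 4 = batch/scheduled task, 2 = interactive,
        #    3 = network (e.g. a print server or share being hit with cached creds).
        $events = Get-WinEvent -ComputerName $c -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = $since
        }
        $logons = foreach ($e in $events) {
            $data = @{}
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            if ($data['TargetUserName'] -ieq 'Administrator') {
                [pscustomobject]@{
                    LogonType = $data['LogonType']
                    Process   = $data['ProcessName']
                    Source    = $data['WorkstationName']
                }
            }
        }
        $logons | Group-Object LogonType, Process, Source | ForEach-Object {
            [pscustomobject]@{
                Computer = $c; Kind = 'Logon4624'
                Name     = $_.Name
                Detail   = "$($_.Count) logons since $since"
            }
        }
    } catch {
        Write-Warning "Could not query ${c}: $($_.Exception.Message)"
    }
}

$findings | Sort-Object Computer, Kind, Name | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\administrator-dependencies.csv
```

Run it as a domain admin from a management workstation and keep the CSV as the remediation list: each Service or Task row is a place to substitute a dedicated per-service account (standalone Managed Service Accounts are available at the 2008 R2 level), and the Logon4624 rows with logon type 3 point at hosts where something is authenticating over the network with Administrator credentials (print queues, shares, POS components) that the service and task scans would not show. Re-run after each change and again after the password rotation; anything that still appears is what would have broken had the password been changed blind.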
