Discussion:
Change local administrator password? Through GPO or push script?
Pascal
2007-04-21 15:29:44 UTC
Hi,

I would like to change the local administrator password of every computer that is a member of my AD domain, but I am not sure of the best method.

Method 1: Create a VBS script that points to the local computer (".") and then deploy this script by GPO.
Problem: The password is not encrypted at all and could potentially be read by any user. Encrypting it as VBE is not a solution either because, as far as I know, it is quite easy to decrypt.


Method 2: A script executed by an administrator that scans the computer accounts on the domain and then "pushes" the new password to them.
Problem: If a computer is not connected when the admin launches the script, the old password will remain.


In my opinion, the first method could be the best solution (less administrative effort) if I found a way to secure the script.

What method are you using? Do you have any advice? :D

Thank you
--
Pascal
abckid
2007-04-21 15:42:00 UTC
Hi,

You have good solutions. Can you post the script for me, please?

thanks,

abckid.
Adam
2007-04-21 17:00:41 UTC
cusermgr.exe from the Resource Kit will do the password change for Method 2 without needing scripting for the change itself (just for iterating the computer accounts).

There is a suggestion for Method 1 at
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/optimize/startw2k.mspx
that includes securing the new password file so users can't read it.
Richard Mueller [MVP]
2007-04-21 17:35:29 UTC
I much prefer method 2.

Method 1 makes it hard to not expose the password. Anyone can read and copy
the script. Also, you need a way to tell if the password has already been
changed, not just so you don't perform the operation repeatedly, but so you
know when to remove the code from the script. You may never know when the
password was changed (and thus what the password is) unless you have some
logging function. In fact, you need to know if a computer is never used.

Method 2 gets it done at once, but you need to have the script log which
computers did or did not get the update. You repeatedly run the script on
the computers that were not available before, until all have the password
changed. Ask people to leave computers on and run the script at night. Run
it every day until all get the update. If a few remain, maybe they are never
used. The tracking required seems easier for one bulk script than for a
startup script.

One point. The GPO script should be a startup script. Maybe you can give
Domain Computers permissions for the script, but deny all permissions to
Domain Users. However, I have heard that hackers can gain System privileges.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
Pascal
2007-04-21 18:50:30 UTC
Thank you both for your answers!

I think too that Method 1 is less secure but easier for an admin.
Actually, a lot of old machine accounts are still enabled in AD but no
longer connected (I am not the admin), so the script of Method 2 will
be quite complicated.

It's a good idea to change the security on the script to give read
access only to Domain Computers. I think the hole in this security is that
the computer account password is quite easy to crack through the LSA cache,
so...

For information, about admin password versioning, I will make a script
that modifies an attribute in Active Directory.
Then a condition at the beginning of the script will read this
attribute and will know what to do.
This attribute will make it possible to know which admin password is configured
for this machine (because we are planning to change the local admin
password every year).

The password change will affect approximately 1000 computers (the
script will create log entries for every computer).

If I finally choose Method 1, does anybody know a method to apply strong
encryption to a VBS (or other) script?

Thank you
--
Pascal
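As an added example (not code from anyone in this thread), here is a PowerShell take on Richard's Method 2 with the per-computer success/failure log he describes, combined with the AD attribute Pascal plans to use as a password-version marker. It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell remoting enabled on the targets, Windows 10 / Server 2016 or later on them (for Set-LocalUser), and that the log path and attribute name are placeholders; the password is prompted for at run time rather than written into a script or GPO parameter, which is the exposure the thread is worried about.

```powershell
#Requires -Modules ActiveDirectory
param(
    [string]$LogPath = 'C:\Admin\LocalAdminRotation.csv',   # placeholder path
    [string]$VersionAttribute = 'extensionAttribute1',      # placeholder attribute name
    [int]$PasswordVersion = 2                               # bump once a year, as Pascal plans
)

# The password is typed at run time and travels only inside the encrypted remoting
# session: it is never stored in the script, a GPO parameter or SYSVOL.
$NewPassword = Read-Host -Prompt 'New local Administrator password' -AsSecureString

# Computers already logged as Changed are skipped, so the script can be rerun
# nightly until every machine has been reached (Richard's retry loop).
$done = @{}
if (Test-Path $LogPath) {
    Import-Csv $LogPath | Where-Object Status -eq 'Changed' |
        ForEach-Object { $done[$_.Computer] = $true }
}

# Pascal's version check: machines whose AD attribute already holds the current
# version are left alone, even if the log file was lost.
$targets = Get-ADComputer -Filter 'Enabled -eq $true' -Properties $VersionAttribute |
    Where-Object { -not $done[$_.Name] -and $_.$VersionAttribute -ne "$PasswordVersion" }

foreach ($c in $targets) {
    $entry = [pscustomobject]@{
        Computer = $c.Name; Time = (Get-Date -Format s); Status = ''; Detail = ''
    }
    if (-not (Test-Connection -ComputerName $c.DNSHostName -Count 1 -Quiet)) {
        $entry.Status = 'Offline'          # picked up again on the next run
    }
    else {
        try {
            Invoke-Command -ComputerName $c.DNSHostName -ArgumentList $NewPassword -ErrorAction Stop -ScriptBlock {
                param($pw)
                # Target the well-known RID 500 account in case Administrator was renamed
                Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
                    Set-LocalUser -Password $pw
            }
            # Record the version in AD so the next run (or another admin) knows it is done
            Set-ADComputer -Identity $c -Replace @{ $VersionAttribute = "$PasswordVersion" }
            $entry.Status = 'Changed'
        }
        catch {
            $entry.Status = 'Failed'; $entry.Detail = $_.Exception.Message
        }
    }
    $entry | Export-Csv -Path $LogPath -Append -NoTypeInformation
}
```

Rerunning the script each night only touches computers that were Offline or Failed before, and the CSV answers Richard's question of which machines never came back.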
Myweb
2007-04-21 20:40:00 UTC
Hello Pascal,

Maybe try this one. Create a batch file pass.bat (or whatever) with the content

net user administrator %1 (%1 describes the first entry in the parameter
field)

OR

net user %1 %2 (you can also use %1 %2 and add "Username Password" in the
parameter field (be aware of the space))

Add this file via GPO to Default Domain Policy > Computer Configuration > Windows
Settings > Scripts, as a STARTUP script, and set the parameters to the new values
you want to use. The next time the workstation starts up in the domain,
the local admin password gets changed.
The password will only be visible to your domain admins, not to the normal
user, even if he has adminpak installed. He cannot open the GPO as a normal
user.

Best regards

Myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
Pascal
2007-04-21 21:34:47 UTC
Hi Myweb,

Indeed, it could be a nice idea!
I will try on Monday to see whether there is any way for a user to bypass
this and see the parameters defined in the GPO!
I will let you know ;)
--
Pascal
Myweb
2007-04-21 21:41:28 UTC
Hello Pascal,

Should work. Even if he finds the batch file via Network Neighborhood, it
will only show %1 %2 and he cannot really use this. We use it in our
environment with 350 users without any problem. And the password change is also
very easy: only changing the parameter, that's all.

Best regards

Myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
Pascal
2007-04-23 13:52:39 UTC
I haven't tested yet, but I think there is a problem.
Indeed, I will check, but startup script parameters are sent in clear
text through the network, so... quite easy to find :D
--
Pascal
Myweb
2007-04-24 14:07:43 UTC
Hello Pascal,

Did some testing and you are right, it is sent in clear text to the workstation.
I will change my way of deploying the password.

Best regards

Myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.