Re: Change local administrator password ? through GPO or push script ?
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 21 Apr 2007 12:35:29 -0500
Pascal wrote:
I would like to change the local administrator password of every computer that
is a member of my AD domain, but I am not sure of the best method.
Method 1: Create a vbs script that points to the local computer (".") and
then deploy this script by GPO.
Problem: The password is not encrypted at all and could potentially be read
by any user. Encoding the script as vbe is not a solution either
because, as far as I know, it is quite easy to decode.
Method 2: A script executed by an administrator that scans the computer
accounts in the domain and then "pushes" the new password to them.
Problem: If a computer is not connected when the admin launches the script,
the old password will remain.
In my opinion, the first method could be the best solution (less
administrative effort) if I can find a way to secure the script.
What method are you using? Do you have any advice? :D
---------------
I much prefer method 2.
Method 1 makes it hard to not expose the password. Anyone can read and copy
the script. Also, you need a way to tell if the password has already been
changed, not just so you don't perform the operation repeatedly, but so you
know when to remove the code from the script. You may never know when the
password was changed (and thus what the password is) unless you have some
logging function. In fact, you need to know if a computer is never used.
Method 2 gets it done at once, but you need to have the script log which
computers did or did not get the update. You repeatedly run the script on
the computers that were not available before, until all have the password
changed. Ask people to leave computers on and run the script at night. Run
it every day until all get the update. If a few remain, maybe they are never
used. The tracking required seems easier for one bulk script than for a
startup script.
One point. The GPO script should be a startup script. Maybe you can give
Domain Computers permissions for the script, but deny all permissions to
Domain Users. However, I have heard that hackers can gain System privileges.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
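Method 2 with the logging Richard asks for, as an added example that is not part of the thread: an administrator runs it against all computer accounts, the password is typed at a prompt rather than stored in the file, and each run appends Success/Offline/Error per computer to a CSV so the script can simply be rerun until every machine shows Success. It assumes the ActiveDirectory PowerShell module, domain admin rights, and that the local account is still named Administrator.

```powershell
# Added example (not from the post): push a new local Administrator password
# to every domain computer and keep a status log so the run can be repeated.
# Assumes the ActiveDirectory module and a local account named "Administrator".
param(
    [string]$LogPath = ".\admin-pw-push.csv"   # assumed log location
)

# Read the password once at the prompt instead of embedding it in the script.
$secure = Read-Host -Prompt "New local Administrator password" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Computers already logged as Success in an earlier run are skipped.
$done = @{}
if (Test-Path $LogPath) {
    Import-Csv $LogPath | Where-Object Status -eq 'Success' |
        ForEach-Object { $done[$_.Computer] = $true }
}

$results = foreach ($c in (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name)) {
    if ($done.ContainsKey($c)) { continue }
    $status = 'Offline'
    if (Test-Connection -ComputerName $c -Count 1 -Quiet) {
        try {
            # WinNT provider addresses the local account on the remote machine.
            $user = [ADSI]"WinNT://$c/Administrator,user"
            $user.SetPassword($plain)
            $user.SetInfo()
            $status = 'Success'
        } catch {
            $status = "Error: $($_.Exception.Message)"
        }
    }
    # The log records the outcome only, never the password itself.
    [pscustomobject]@{ Computer = $c; Status = $status; When = (Get-Date -Format s) }
}

# Append this run's results; rerun nightly until no Offline/Error rows remain.
$results | Export-Csv -Path $LogPath -Append -NoTypeInformation
$plain = $null
```

Machines that stay Offline after repeated runs are the "never used" ones Richard mentions and can be reviewed separately.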