Re: Change local administrator password ? through GPO or push script ?
- From: Pascal <pascal_t@xxxxxxxxxxxxxxxxxx>
- Date: Sat, 21 Apr 2007 20:50:30 +0200
Pascal wrote:
I would like to change the local administrator password of every computer that is a member of my AD domain, but I am not sure of the best method.
Method 1 : Create a vbs script that points to the local computer (".") and then deploy this script by GPO.
Problem : The password is not encrypted at all and could potentially be read by any user. Encoding it as vbe is not a solution either because, as far as I know, it is quite easy to decode.
Method 2 : A script executed by an administrator that scans the computer accounts on the domain and then "pushes" the new password to them.
Problem : If a computer is not connected when the admin launches the script, the old password will still remain.
In my opinion, the first method could be the best solution (less administrative effort) if I find a way to secure the script.
What method are you using ? Do you have any advice ? :D
---------------
I much prefer method 2.
Method 1 makes it hard to not expose the password. Anyone can read and copy the script. Also, you need a way to tell if the password has already been changed, not just so you don't perform the operation repeatedly, but so you know when to remove the code from the script. You may never know when the password was changed (and thus what the password is) unless you have some logging function. In fact, you need to know if a computer is never used.
Method 2 gets it done at once, but you need to have the script log which computers did or did not get the update. You repeatedly run the script on the computers that were not available before, until all have the password changed. Ask people to leave computers on and run the script at night. Run it every day until all get the update. If a few remain, maybe they are never used. The tracking required seems easier for one bulk script, than for a startup script.
One point. The GPO script should be a startup script. Maybe you can give Domain Computers permissions for the script, but deny all permissions to Domain Users. However, I have heard that hackers can gain System privileges.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
Thank you both for your answers!
I also think that Method 1 is less secure but easier for an admin.
Actually, a lot of old machine accounts are still enabled in AD but no longer connected (I am not the admin), so the Method 2 script will be quite complicated.
It's a good idea to change the security on the script to give only read access to Domain Computers. I think the hole in this security is that the computer account password is quite easy to crack through the LSA cache, so...
For information, for admin password versioning, I will make a script that modifies an attribute in Active Directory.
Then a condition at the beginning of the script will read this attribute and know what to do.
This attribute will make it possible to know which admin password is configured for this machine (because we are planning to change the local admin password every year).
The password change will affect approximately 1000 computers (the script will create log entries for every computer).
If I finally choose Method 1, does anybody know a method to apply strong encryption to a vbs (or other) ?
Thank you
--
Pascal
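The following is an added example, not code from either poster, of the "Method 2" push script Richard describes combined with the AD version attribute Pascal plans: it enumerates enabled computer accounts, skips those already at the current password version, sets the local administrator password remotely, records the new version on the computer object, and logs every computer as changed, offline or in error so the run can simply be repeated until nothing is left. It assumes the ActiveDirectory module (RSAT) is installed, that the running account is a local administrator on every target, that remote ADSI/WinNT access is reachable, and that the local account is still named "Administrator"; the attribute name extensionAttribute1 is a placeholder. The password is typed at run time and never stored in the script file, which is the exposure problem of Method 1.

```powershell
# Added example: "push" local administrator password with logging and AD versioning.
# Assumptions: RSAT ActiveDirectory module present, caller is local admin on targets,
# WinNT ADSI provider reachable over the network, local account named "Administrator".
param(
    [int]$PasswordVersion = 2,                          # the yearly password this run installs
    [string]$LogPath = "C:\Logs\LocalAdminPush.csv",    # run log, appended to on every run
    [string]$VersionAttribute = "extensionAttribute1"   # ASSUMPTION: placeholder attribute name
)

Import-Module ActiveDirectory

# The password is entered interactively so it never lives in a script file or GPO share.
$secure = Read-Host -Prompt "New local administrator password" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Only enabled computer accounts whose recorded version is older than this run's version.
# A missing attribute reads as 0, so never-touched machines are included.
$computers = Get-ADComputer -Filter "Enabled -eq 'True'" -Properties $VersionAttribute |
    Where-Object { [int]($_.$VersionAttribute) -lt $PasswordVersion }

foreach ($c in $computers) {
    $name  = $c.Name
    $entry = [pscustomobject]@{
        Time     = (Get-Date).ToString('s')
        Computer = $name
        Version  = $PasswordVersion
        Status   = ''
    }

    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        # Not reachable now; it stays below the target version and is retried next run.
        $entry.Status = 'offline'
    }
    else {
        try {
            # Same WinNT provider call a local VBS would make, but against the remote machine.
            $user = [ADSI]"WinNT://$name/Administrator,user"
            $user.SetPassword($plain)
            $user.SetInfo()

            # Record the installed version on the computer object so reruns skip this machine.
            Set-ADComputer -Identity $c -Replace @{ $VersionAttribute = "$PasswordVersion" }
            $entry.Status = 'changed'
        }
        catch {
            $entry.Status = "error: $($_.Exception.Message)"
        }
    }

    # One log line per computer, every run, so the remaining set is always visible.
    $entry | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# Drop the plaintext copy once the run is over.
$plain = $null
```

Running the script nightly until the log shows no 'offline' or 'error' rows is the "run it every day until all get the update" loop from Richard's reply; the computers that never reach the target version in the log are the stale accounts Pascal mentions, and they can then be reviewed and disabled rather than left as an unknown.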