Re: How can I change the admin password of all our XP PC's on the doma
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Tue, 23 Oct 2007 23:36:42 +0100
Passwords stored locally in the SAM database are very easy to crack, and
there are many tools that do this in seconds, so changing the name or
password won't do any good because:
- You don't go to each workstation and check if that user changed the local
admin password.
- These tools generally present you all existing accounts and it's easy to
identify which one is the one.
- Some of these tools are also able to enable a disabled account...
So security... it's a matter of time...
;)
--
===================================
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
===================================
"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:uCFU6McFIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
My absolute favorite Jorge!
I believe that for a domain joined workstation, disable the local admin
account. It's cheaper in the long run.
You'll have people who'll rile against this, but when you check it out,
it's a viable option.
Make sure user data is redirected to file servers and backed up. If the
box has a problem (usually network related e.g. issues with drivers) that
means you can't use a domain admin account to logon, it is usually quicker
to rebuild than troubleshoot.
Laptops will present special requirements that may make you want to bend
the rules for them but I think the idea of disabling the local admin
account has its merits.
Regards,
Austin
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:ea28U0bFIHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
Cyborg, I don't think that you should spend money on any kind of software
to do what you want.
If you want to control the Local Administrators on the workstations, just
disable the Local Administrator (you can do this using GPO, as I already
mentioned before), and then use another GPO or script that adds an
existing security group in your AD as a member of the local Administrators
on the workstations.
To finish, add only the users that you think should be members of
local Administrators on the workstations.
--
===================================
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
===================================
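To do what Jorge describes above without buying software, here is an added PowerShell example; it is not code from this thread or from any of its posters. It disables the built-in Administrator, located by its well-known RID 500 so it still works where the account has been renamed, and then adds a domain security group to the local Administrators group (skipping the add if it is already a member). It is meant to run as a computer startup script, which runs as LocalSystem and therefore has the rights the SetInfo and Add calls need. PowerShell 2.0 or later is assumed; CONTOSO and WorkstationAdmins are placeholder names.

```powershell
# Added example, not code from the thread. Run as a computer startup script
# (LocalSystem) so the account changes below are permitted.
# Placeholders: replace with your NetBIOS domain and the AD group that should
# hold the people allowed to be local admins.
$domainName  = 'CONTOSO'
$domainGroup = 'WorkstationAdmins'

# 1. Find the built-in Administrator by SID rather than by name. Its SID always
#    ends in RID 500, so this still matches after a rename.
$builtin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True" |
           Where-Object { $_.SID -like 'S-1-5-21-*-500' }

# 2. Disable it through the WinNT ADSI provider. ADS_UF_ACCOUNTDISABLE = 0x2.
$user = [ADSI]"WinNT://./$($builtin.Name),user"
$user.UserFlags = ([int]$user.UserFlags.Value) -bor 0x2
$user.SetInfo()

# 3. Put the domain group into the local Administrators group, once.
$admins  = [ADSI]'WinNT://./Administrators,group'
$members = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
if ($members -notcontains $domainGroup) {
    $admins.Add("WinNT://$domainName/$domainGroup,group")
}
```

Because the account is found by SID, the same script can be assigned to every workstation whatever local name the Administrator account carries; membership of the domain group is then the only thing you manage centrally, in AD.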
"Cyborg" <andrewwhite@xxxxxxxxxxxxxx> wrote in message
news:F475B711-F46F-4167-A11C-306F61642FFD@xxxxxxxxxxxxxxxx
Is there a command line method to reset it as we can get LANDesk to run
the script against any PC?
"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:uWj98ZZFIHA.5272@xxxxxxxxxxxxxxxxxxxxxxx
My point exactly!
Because of the complexities involved, people sell you Enterprise Class
software that helps you address the issues.
For example: http://www.liebsoft.com/index.cfm/products?id=378
Hence my initial statement that it's not exactly straightforward or
cheap to fix this.
Regards,
Austin
"Cyborg" <andrewwhite@xxxxxxxxxxxxxx> wrote in message
news:FA163985-AED2-443D-9F67-DF8A53A6287C@xxxxxxxxxxxxxxxx
How exactly do you manage it then?
"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:EE51F3C3-B622-4BE0-A6AA-E91B3D1CBF3A@xxxxxxxxxxxxxxxx
And, if you rename the account, the users you want not to have the
credentials can't tell that the admin account has been renamed by
looking in computer management or asking some other friendly admin?
Remember, your former passwords got shared. "Root cause" is still
there.
If you also have a lock down policy so these computers can only be
used for certain purposes and users do not install anything on their
machines, you have a way out.
But from my experience, if you have a large enough set of users, and
Admins (they are also part of this problem), you need to actively
manage local admin passwords. A rename is more "Security Theatre" in
the event of a credible threat because the SID is what's gone after and
that won't change.
Regards,
Austin
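Austin's point that the SID, not the name, is what survives a rename also gives you the audit Jorge says nobody does ("go to each workstation and check"). The following PowerShell is an added example, not code from the thread or its posters: it queries a list of workstations for the account whose SID ends in RID 500, whatever it is currently called, and reports its name, whether it is disabled and how many days old its password is. It assumes PowerShell 2.0 or later on the admin machine, WMI (RPC) reachability to the workstations, a domain-admin session, and the constructed computer names WKS001 and WKS002.

```powershell
# Added example, not code from the thread. Audits the built-in Administrator
# on each workstation by RID 500 and reports name, disabled state and
# password age, so renamed or stale accounts are visible from one place.
# Assumptions: PowerShell 2.0+, WMI/RPC reachable, run as a domain admin.
function Get-BuiltinAdminStatus {
    param([string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        try {
            # Match on the SID suffix, not the name: a renamed account keeps RID 500.
            $builtin = Get-WmiObject -Class Win32_UserAccount -ComputerName $c `
                           -Filter "LocalAccount = True" |
                       Where-Object { $_.SID -like 'S-1-5-21-*-500' }

            # The WinNT provider exposes PasswordAge as seconds since the last change.
            $adsi    = [ADSI]"WinNT://$c/$($builtin.Name),user"
            $ageDays = [math]::Round(([int]$adsi.PasswordAge.Value) / 86400, 1)

            New-Object PSObject -Property @{
                Computer   = $c
                AdminName  = $builtin.Name      # differs from 'Administrator' if renamed
                Disabled   = $builtin.Disabled
                PwdAgeDays = $ageDays
            }
        } catch {
            Write-Warning ("{0}: {1}" -f $c, $_.Exception.Message)
        }
    }
}

# Constructed sample names. Show only enabled built-in admins whose password
# is older than 90 days, i.e. the ones the thread is worried about.
Get-BuiltinAdminStatus -ComputerName 'WKS001', 'WKS002' |
    Where-Object { -not $_.Disabled -and $_.PwdAgeDays -gt 90 } |
    Format-Table Computer, AdminName, Disabled, PwdAgeDays -AutoSize
```

Feed it the computer list from AD (or from LANDesk, as Cyborg suggests) and schedule it; the output is the evidence for whether the rotate-or-disable policy is actually in effect rather than assumed.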
"Cyborg" <andrewwhite@xxxxxxxxxxxxxx> wrote in message
news:A8195110-A9EB-49CD-89F7-C5A455D68247@xxxxxxxxxxxxxxxx
This looks like a quick fix for now?
http://support.microsoft.com/kb/816109
"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:yI8Ti.3953$TY4.3104@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Cyborg,
You've got a problem that's really not very easy to solve (read:
cheap).
You have this problem because it is the nature of all but the least
inquisitive of users to want to be admins on their workstations.
If you don't give the user accounts admin privileges, they go for the
local admin account.
Now, your next problem is how do you manage the local admin account? Do
you set the same one on all workstations?
If you do that, all that needs to happen is one user finding out and
"word gets around", or the document that "holds" the password gets into
the wrong hands.
Regular use of the password makes it even more insecure. Will you
change it regularly on all workstations? A real procedural nightmare
depending on the size of your estate.
If you have different passwords for different workstations, how do you
provide ready access to admins who require it?
Several home grown apps exist which derive an admin password from the
workstation name based on some algorithm, but securing the tool becomes
the issue and usually it doesn't take a rocket scientist to reverse
engineer them.
So you decide to pay for some Enterprise Class tool to do this for you,
especially if you have thousands of boxes to visit. And there are
companies out there who write apps for just that.
As an example (not a recommendation by any way, shape or form), see:
http://www.liebsoft.com/index.cfm/products?id=512.
HTH,
Austin
"Cyborg" <andrewwhite@xxxxxxxxxxxxxx> wrote in message
news:B3A473D8-D40D-4ED0-B3E8-4A034552684F@xxxxxxxxxxxxxxxx
Hi, this is great. Do I need to change anything in this script apart from
the "testpassword"?
I take it I can then add the script to the logon part of the domain group
policy?
"Simon" <Simon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:55FB500B-675B-426B-9E75-F3954A30DA2B@xxxxxxxxxxxxxxxx
try this as part of a logon/startup script:
' Sets the local Administrator password on strComputer via the WinNT ADSI provider.
' Needs administrative rights on that machine (a startup script runs as LocalSystem).
strComputer = "MyComputer"
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
objUser.SetPassword "testpassword"
objUser.SetInfo
To make it more generic, you will need to set the script to get the PC's
computer name before trying to change the password.
"Cyborg" wrote:
Somehow many of our users know the local admin password for our XP
machines, is there a way to change this on all PC's to something else,
like a group policy?