


As per my previous blog post, Microsoft has released MS14-025, which blocks the ability to configure passwords using Group Policy Preferences. However, as part of the guidance they have also published a PowerShell script that lets you set a random password on the local admin account. This blog post shows you how you can use this script (bad word, I know) to manage the passwords of local accounts on the computers in your organisation.

TIP: Before starting, remember that it is entirely practical to have an SOE with no local admin accounts enabled at all. But if you are using local admin accounts on your workstations, then the following will give you an alternative to the now disabled password feature in Group Policy Preferences. If this ever gets you into tight water and you need to log on to the computer, you can still follow my other blog post to log on to the computer (see How to enable a disabled Local Administrator account offline in Windows 7 (even when using BitLocker)).

Simply put, this PowerShell script contacts each computer over the network from a pre-defined list and then sets the local account password to a random value. The script generates a unique random password for each computer, so it is also a mitigation against Pass-the-Hash attacks: a nice side effect of unique passwords is that you cannot take the hash of one computer's local admin account and use it to access another computer. Note: The computers need to be turned on for the script to reset their passwords, so you may have to perform this process on a regular basis to ensure that you cover all computers.

Next, the script saves each password to a file that can (and should) be encrypted with a "master password" of your choosing. This gives added protection against anyone that "might" grab a copy of the password file, as they would also have to know the master password to decrypt the password values. Saving passwords in a text file might not sound all that secure, however it is a lot more secure than using Group Policy Preferences. Recap: Group Policy Preferences saved the "cPassword" value in the SYSVOL share in files that are readable by all domain users, encrypted with a single fixed AES key that Microsoft itself documented publicly, so anyone with a copy of the file could decrypt the password.

Warning: While this script is from Microsoft, it clearly states that it is in no way, shape or form supported, so the following is to be used at your own risk.
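To make the process concrete, here is an added illustration of the same approach written out step by step. It is not Microsoft's script and not code from the original post. It assumes you run it as an account that can manage local users on each target, that the targets can be reached through the ADSI WinNT provider, and that the output file lives somewhere only administrators can read. The computer names, account name and file path are placeholders.

```powershell
# Added example (not Microsoft's KB script): roll the local admin password on each listed
# computer to a unique random value and append the result, encrypted with a master
# password, to a file. Computer names and paths below are placeholders.
param(
    [string[]] $ComputerName = @('PC01', 'PC02'),     # constructed sample list
    [string]   $LocalAccount = 'Administrator',
    [string]   $OutFile      = 'C:\Secure\LocalAdminPasswords.txt'
)

function New-RandomPassword {
    param([int] $Length = 20)
    # Draw from a CSPRNG; rejection sampling avoids the modulo bias a plain "% length" adds.
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $one      = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { $chars.Add($alphabet[$one[0] % $alphabet.Length]) }
    }
    -join $chars
}

function Get-DerivedKey {
    param([System.Security.SecureString] $MasterPassword, [byte[]] $Salt)
    # PBKDF2 (Rfc2898DeriveBytes) stretches the master password into a 256-bit AES key.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($MasterPassword)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($plain, $Salt, 100000)
    $kdf.GetBytes(32)
}

function Protect-Text {
    param([string] $PlainText, [System.Security.SecureString] $MasterPassword)
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $aes = [System.Security.Cryptography.Aes]::Create()          # AES-256, CBC, PKCS7 defaults
    $aes.Key = Get-DerivedKey -MasterPassword $MasterPassword -Salt $salt
    $aes.GenerateIV()
    $bytes  = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    # One record per line: base64( salt | IV | ciphertext ). Salt and IV are random, not secret.
    [Convert]::ToBase64String([byte[]]($salt + $aes.IV + $cipher))
}

function Unprotect-Text {
    param([string] $Encoded, [System.Security.SecureString] $MasterPassword)
    $blob = [Convert]::FromBase64String($Encoded)
    $aes  = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = Get-DerivedKey -MasterPassword $MasterPassword -Salt ([byte[]]($blob[0..15]))
    $aes.IV  = [byte[]]($blob[16..31])
    $plain = $aes.CreateDecryptor().TransformFinalBlock($blob, 32, $blob.Length - 32)
    [Text.Encoding]::UTF8.GetString($plain)
}

$master = Read-Host -AsSecureString 'Master password for the output file'

foreach ($computer in $ComputerName) {
    $newPassword = New-RandomPassword
    $record = "{0}`t{1}`t{2}`t{3}" -f $computer, $LocalAccount, $newPassword, (Get-Date -Format o)
    # Write the encrypted record BEFORE changing the password: a stale line for a failed host
    # is recoverable, a password that was set but never recorded is not.
    Protect-Text -PlainText $record -MasterPassword $master | Add-Content -Path $OutFile -Encoding ASCII
    try {
        $account = [ADSI]"WinNT://$computer/$LocalAccount,user"
        $account.SetPassword($newPassword)      # takes effect immediately via the WinNT provider
    } catch {
        # Off or unreachable machines keep their old password; rerun later to cover them.
        Write-Warning "$computer not updated (record in $OutFile is stale): $($_.Exception.Message)"
    }
}

# Reading a password back later, e.g. before an offline logon:
#   Get-Content $OutFile | ForEach-Object { Unprotect-Text -Encoded $_ -MasterPassword (Read-Host -AsSecureString) }
```

Each line of the output file is encrypted on its own, so repeated runs simply append new records and a single wrong master password fails cleanly on decryption rather than silently producing garbage for the whole file. Hosts that were switched off show up as warnings, which is the list you feed into the next run, matching the note above that the process has to be repeated until every computer has been covered.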
