(Man, Tony's gonna get really mad at me for being so continuously
off-topic.  :-)  But this is my "List full of really smart people", so I
keep coming to you guys for non-AD-specific stuff that I can't figure
out.)

Scenario:

I work for a major university, and each fall we offer Back-to-School
sales of pre-configured hardware for our incoming students.  For the
truckload sale each year, a CFI image is offered to the university
community on both laptops and desktops that are sold at the annual back
to school sale. The images are developed for recent Dell and IBM product
lines, and are based on the vendor's OEM image of Windows XP, with
university-specific applications pre-installed and patched with the
latest security updates.

This year, there is a strong push in the university IT community to have
an additional layer of security-related configuration. We would like to
see our hard drive images include secure Administrator password policies
implemented and enforced, while still offering the end-user a simple,
user-friendly "out of the box" experience during mini-Setup through a
re-sealing process using Sysprep. A late-in-the-game attempt last year to
combine such policies with the Sysprep process produced a less than
viable, not user-friendly experience, which was ultimately scrapped.
Consequently, last year's back-to-school images were built with only
optional Administrator passwords. (Unfortunately, our back-to-school
Sysprep image needs to be ready before XPSP2 will be released to market.)

The key question here is:

Is it possible to create an image that mandates an Administrator
password and employs MS's strong password rules?  Further, is it
possible to have these settings maintained after running Sysprep to
ensure that anyone buying a machine with that image would have the same
"mini-Setup" experience as a person buying an OEM (non-University-imaged)
machine, with the one key difference being that the imaged machine
required a strong Admin password during setup?

One solution that was suggested (*waves to Brian Desmond*) was the one
that should be the most obvious: set a password policy in the Local
Security Policy that will get burned in and persist syspreps.  This
works to a point; for accounts other than the actual Administrator
account, you can force this using the Local Password Policy.  However,
for the Administrator account itself, the person setting up the machine
has the option of cancelling out and never obeying the "order" to create
a new, strong password.

Am I missing something blindingly obvious?


*********************************************
Laura E. Hunter
MCT, MCSE: Security, MVP - Windows Networking
Senior IT Specialist
University of Pennsylvania
******************************************** 


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
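As an added illustration (not code from Laura's message, nor from Microsoft documentation): the Local Security Policy approach the post describes can be captured as a security template and applied with secedit before re-sealing, so the password policy is part of the image rather than a post-Setup step. The file names, the chosen values and the use of %SystemRoot%\Temp are assumptions for the example.

```batch
@echo off
rem Added example, not part of the original message: burn a password policy
rem into the image with a security template before running Sysprep.
rem File names and policy values below are assumptions for illustration.

set TEMPLATE=%SystemRoot%\Temp\pwpolicy.inf
set DB=%SystemRoot%\Temp\pwpolicy.sdb
set LOG=%SystemRoot%\Temp\pwpolicy.log

rem Build the security template. The [System Access] section maps to the
rem Password Policy node of Local Security Policy (secpol.msc).
> "%TEMPLATE%" echo [Version]
>> "%TEMPLATE%" echo signature="$CHICAGO$"
>> "%TEMPLATE%" echo Revision=1
>> "%TEMPLATE%" echo [System Access]
>> "%TEMPLATE%" echo MinimumPasswordLength = 8
>> "%TEMPLATE%" echo PasswordComplexity = 1
>> "%TEMPLATE%" echo PasswordHistorySize = 5
>> "%TEMPLATE%" echo MaximumPasswordAge = 90
>> "%TEMPLATE%" echo MinimumPasswordAge = 1

rem Apply only the security-policy area so nothing else in the image changes.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /areas SECURITYPOLICY /log "%LOG%"
if errorlevel 1 (
    echo secedit failed, see %LOG%
    exit /b 1
)

rem Show the effective policy before re-sealing; the post notes that these
rem Local Security Policy settings are burned in and persist across Sysprep.
net accounts
```

This enforces length, complexity and history on every password that is set or changed, but it does not by itself address the limitation the post raises: the person running mini-Setup can still cancel out of setting the built-in Administrator's password.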
