I used to store the password in the batch file before I got my brains bashed out on this list. So, I went back and stored the password in a DB, read it on the fly from a vbs and pass it onto bat. What's taking you guys so long to give us a more elegant solution for this "must-have"? Until you do, all we have is crud and we balance the security of the implementation against the URGENT need for this feature. If you are savvy enough to fire up a sniffer to get the info or know where to go to get it raw, you are more than a casual threat as far as I'm concerned. In that situation, I'll let HR deal with you as soon as I find out (IF I find out). How does MS IT do it?

Sincerely,
Dèjì Akómoláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Wed 5/4/2005 12:09 PM
To: [email protected]
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

If I could ask what might be the obvious, from a security perspective.... If you have a policy out there resetting the local admin password, how are you storing the new password in the script? Hopefully you have something very clever in place, else I can get the local admin password out of your policy in so many ways:

* If you didn't consider this at all, I bet the policy is ACLd with AU having read, so I can just read it out with notepad.
* If you were clever enough to acl the policy so that only the machine accounts can read it, I could own a machine (perhaps I already do....perhaps I am in the local admins group on one of the boxes, because it is _my machine_) and just open the policy while impersonating the machine. Or get the machine to do it for me (since I own it, I can make it do my bidding).
* <etc>

And if you haven't taken precautions, you should assume local admin on any machine with this password is local admin on them all. For it only takes one bad apple to spoil the whole bushel.

~Eric

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 11:11 AM
To: [email protected]
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Thanks Darren- I ran the gpotool as you suggested. As part of the output I am told:

Error: ServerName1 - Servername2 sysvol mismatch

AND

DC: Server2
Friendly name: server2
Created: 10/7/2004
Changed: 5-4-2005 5:34 pm
DS Version 0<users> 37<machine>
Sysvol: 0<user> 37<machine>
Flags: 0
User extensions: not found
Machine extensions: .....
Functionality version: 2

All of the functionality versions are 2.

Thanks,
Brenda

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, May 04, 2005 9:44 AM
To: [email protected]
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Brenda-
This usually means that the client is looking at the GPO's version number and it is showing up as 0 for computer revisions (in other words, it doesn't think any computer policy has been set in that GPO). Run gpotool.exe (from Win2K reskit or part of XP and 2003) against your DCs and see if any of them show a revision number of 0 for the computer side of the GPO containing your script. This could still mean that you have some issues with sysvol replication. Essentially, there is a file called gpt.ini that is stored with the GPO in sysvol on each DC. This file contains a version number that lists how many changes were made to the computer and user sides of a GPO. That version should be the same as the version of that GPO held on the versionNumber attribute of the GPC object in AD. If there are discrepancies, then gpotool will tell you.

Darren

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 7:21 AM
To: [email protected]
Subject: [ActiveDir] GPO not applied - thinks it is empty

I am no longer having replication issues on any servers, however, now when I run gpresult I am told that my gpo was not applied because it is empty. I can manually open the GPO and see my startup script is there.

Thanks,
Brenda

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, May 03, 2005 3:04 PM
To: [email protected]
Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a startup script to change my administrator password on specific machines as part of my group policy.
These computers are part of a group, I have applied the policy to this group, and set the security permissions appropriately. When I run gpupdate on the pc, I get no error in the Event log, but when I restart the machine, the administrator account password has not been changed. I have run replmon.exe and have found that 1 dc (out of 30) is not replicating, as it is out of hard drive space on c:. Could 1 out of 30 dc's be causing the problem, or is there something else I am missing? How long should it take, before the policy takes effect?

Thanks,
Brenda

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
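Darren's gpt.ini-versus-versionNumber check and the two gpotool findings Brenda pasted (a sysvol mismatch between DCs, and a computer-side version of 0 that makes clients treat the GPO as empty), written out as an added example that is not part of the thread. The gpt.ini text for two DCs and the AD versionNumber value are constructed sample data; the example relies on the packed layout of the version number (user version in the high 16 bits, machine version in the low 16 bits).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data (not from the thread): gpt.ini contents as replicated to
# two DCs, and the versionNumber attribute of the matching GPC object in AD.
# gpt.ini packs both sides into one integer: user version in the high 16 bits,
# machine (computer) version in the low 16 bits.
SAMPLE_AD_VERSION_NUMBER = 37
SAMPLE_SYSVOL = {
    "Server1": "[General]\r\nVersion=37\r\n",
    "Server2": "[General]\r\nVersion=0\r\n",  # stale copy: looks like an empty GPO
}


def split_version(version: int) -> Tuple[int, int]:
    """Return (user_version, machine_version) from a packed GPO version number."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def parse_gpt_ini(text: str) -> int:
    """Read the Version= line of a gpt.ini; a missing or unreadable value counts as 0."""
    match = re.search(r"^\s*Version\s*=\s*(\d+)\s*$", text, re.MULTILINE | re.IGNORECASE)
    return int(match.group(1)) if match else 0


def check_gpo(ad_version: int, sysvol_copies: Dict[str, str]) -> List[str]:
    """Compare the AD versionNumber with every DC's gpt.ini and report what gpotool would."""
    ad_user, ad_machine = split_version(ad_version)
    findings: List[str] = []
    if ad_machine == 0:
        findings.append("AD: computer-side version is 0; clients will treat the GPO as empty")
    for dc, text in sorted(sysvol_copies.items()):
        sv_user, sv_machine = split_version(parse_gpt_ini(text))
        if (sv_user, sv_machine) != (ad_user, ad_machine):
            findings.append(
                f"{dc}: sysvol mismatch (AD user={ad_user} machine={ad_machine}, "
                f"sysvol user={sv_user} machine={sv_machine})"
            )
        if sv_machine == 0 and ad_machine != 0:
            findings.append(f"{dc}: computer-side version is 0; clients using this DC skip the GPO")
    return findings


if __name__ == "__main__":
    for line in check_gpo(SAMPLE_AD_VERSION_NUMBER, SAMPLE_SYSVOL) or ["all copies consistent"]:
        print(line)
```

Point it at the gpt.ini under each DC's SYSVOL share for the GPO's GUID and at the versionNumber read from the GPC object to reproduce the comparison against live data.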
