You could perhaps base each machine's unique password on a hash of some sort of the computer's serial number/service tag information.
Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, January 31, 2006 1:24 PM
To: [email protected]
Subject: Re: [ActiveDir] Reset Local Admin Passwords

It is hard to keep track of 1000 local machines and their administrator accounts and passwords. I go with the idea of keeping them the same. Just run scripts to change them regularly and have strong passwords. I like to script everything. You mean you want to have 1000 different admin accounts and passwords stored on a spreadsheet? What if the SID corrupts, then what? You have to open the file, browse over the names and passwords, etc., and log in locally and rejoin the domain. They are just workstations. So if one or two got hacked... you re-image them. User files and folders are stored on a server, right? Turn off file sharing to the clients; they don't need file sharing turned on. If you need to remotely access/manage the workstations (Hyena, Dameware, etc.), then enable the firewall, but only allow access to the clients from a single workstation IP (your machine) or multiple IPs. This should be done through GPO. Block out the 65000+ ports and allow only the ports you need... Kerberos, AD Replication (forced), DNS, etc.

-Z.V.

> Okay, just to offer a counterpoint to your underlying plan - you do
> realise that by using a single local admin password across your
> enterprise, if even -one- of those workstations gets the admin password
> compromised, the attacker who did so now has local admin rights to
> every workstation on your network? With apologies to Jesper
> Johannsen[1], it's one of those "How to get your network hacked in 10
> easy steps" things - if I've just compromised the local admin password
> of WorkstationA, what do you think is going to be the very first
> password I try when I move on to try and compromise WorkstationB?
>
>
> [1] And additional apologies for the fact that I'm sure I just spelled
> his name wrong.
>
> --
> -----------------------
> Laura E. Hunter
> Microsoft MVP - Windows Server Networking
> Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
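The per-machine derivation suggested at the top of this thread, as an added example that is not code from any post here: the password is an HMAC of the service tag keyed with an organisation secret (an assumption; the post says only "a hash of some sort"), so the tag printed on the chassis does not by itself reveal the password, and a version label lets every password be rolled without touching the secret. The secret, the label format and the serial numbers below are constructed values.

```python
import hashlib
import hmac
import string

# Exactly 64 characters, so digest_byte % 64 maps uniformly with no modulo bias.
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64

# Constructed illustration value (assumption). The real secret lives in a vault
# or offline; it is never stored on the workstations themselves.
MASTER_SECRET = b"example-master-secret-not-for-production"


def derive_local_admin_password(serial: str, secret: bytes = MASTER_SECRET,
                                version: int = 1, length: int = 20) -> str:
    """Password = HMAC-SHA256(secret, "local-admin:v<version>:<SERIAL>").

    A keyed hash rather than a plain hash: the service tag is public, so an
    unkeyed hash of it could be recomputed by anyone who reads the label.
    Serial is normalised (trimmed, upper-cased) so "abc123" and "ABC123 "
    yield the same password.
    """
    if not 12 <= length <= 32:
        raise ValueError("length must be 12..32 (one SHA-256 digest)")
    label = f"local-admin:v{version}:{serial.strip().upper()}".encode()
    digest = hmac.new(secret, label, hashlib.sha256).digest()
    return "".join(ALPHABET[b % 64] for b in digest[:length])


def verify_local_admin_password(serial: str, candidate: str, **kw) -> bool:
    """Constant-time check that a recorded password matches the derivation."""
    if not 12 <= len(candidate) <= 32:
        return False
    expected = derive_local_admin_password(serial, length=len(candidate), **kw)
    return hmac.compare_digest(expected, candidate)


def derive_fleet(serials, **kw) -> dict:
    """Serial -> password for a whole inventory; duplicate tags are an error."""
    out = {}
    for s in serials:
        key = s.strip().upper()
        if key in out:
            raise ValueError(f"duplicate serial in inventory: {key}")
        out[key] = derive_local_admin_password(key, **kw)
    return out


if __name__ == "__main__":
    # Constructed inventory; real tags come from the asset database.
    for tag, pw in derive_fleet(["5XQ7K12", "9ZB3M44", "  c7f1h20 "]).items():
        print(tag, pw)
```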
