Use passgen from Steve Riley and Jesper Johansson's new book. It allows you to change a pw for accounts on remote machines from one location. It also allows you to set the pw differently for each machine with no manual tracking. You use a pass phrase to hash, for example, the machine name plus an incrementer, and that creates a password of the complexity and length that you set. We use this and it works well for us. I can change all the machines based on a text list of the machine names. If I need to change the pw on one machine, I change the incrementer and reset the pw. I don't need a spreadsheet of the pws; I can use passgen to tell me what it is anytime as long as I know the machine name, the incrementer, and the pass phrase used to hash. Keeping unique admin pws on multiple machines is no longer a hassle...
**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
> Sent: Tuesday, January 31, 2006 11:24 AM
> To: [email protected]
> Subject: Re: [ActiveDir] Reset Local Admin Passwords
>
> It is hard to keep track of 1000 local machines and their administrator
> accounts and passwords. I go with the idea of keeping them the same.
> Just run scripts to change them regularly and have strong passwords. I
> like to script everything. You mean you want to have 1000 different admin
> accounts and passwords stored in a spreadsheet? What if the SID corrupts,
> then what? You have to open the file, browse over the names and
> passwords, etc. and log in locally and rejoin the domain. They are just
> workstations. So if one or two got hacked.. you re-image them. User
> files and folders are stored on a server, right?
>
> Turn off file sharing to the clients, they don't need file sharing turned
> on. If you need to remotely access (Hyena, Dameware, etc.) and manage the
> workstations, then enable the firewall, but only allow access to the
> clients from a single workstation IP, your machine, or multiple IPs. This
> should be done through GPO. Block out the 65000+ ports and allow only the
> ports you need... Kerberos, AD Replication (forced), DNS, etc.
>
> -Z.V.
>
> > Okay, just to offer a counterpoint to your underlying plan - you do
> > realise that by using a single local admin password across your
> > enterprise, if even -one- of those workstations gets the admin
> > password compromised, the attacker who did so now has local admin
> > rights to every workstation on your network? With apologies to Jesper
> > Johannsen[1], it's one of those "How to get your network hacked in 10
> > easy steps" things - if I've just compromised the local admin password
> > of WorkstationA, what do you think is going to be the very first
> > password I try when I move on to try and compromise WorkstationB?
> >
> > [1] And additional apologies for the fact that I'm sure I just spelled
> > his name wrong.
> >
> > --
> > -----------------------
> > Laura E. Hunter
> > Microsoft MVP - Windows Server Networking
> > Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
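The scheme Charlie describes (a pass phrase hashed together with the machine name and an incrementer to yield a distinct local admin password per machine, regenerable on demand instead of stored in a spreadsheet) as an added example. This is not passgen's own code or algorithm; the KDF (PBKDF2-HMAC-SHA256), the 70-character alphabet, the iteration count and the complexity rule are assumptions chosen for illustration, and the machine names and pass phrase are constructed sample values.

```python
import hashlib
import hmac
import string

# Assumptions for this illustration (passgen's real alphabet, KDF and work
# factor are not described in the thread): a 70-character alphabet and
# PBKDF2-HMAC-SHA256 to stretch the pass phrase.
SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
ITERATIONS = 100_000


def _byte_stream(key: bytes):
    """Deterministic, unbounded byte stream: HMAC-SHA256(key, counter), counter = 0, 1, 2, ..."""
    counter = 0
    while True:
        yield from hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1


def meets_complexity(password: str) -> bool:
    """Require at least one lowercase, one uppercase, one digit and one symbol."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def derive_password(passphrase: str, machine: str, increment: int, length: int = 16) -> str:
    """Derive the local admin password for one machine.

    The same (passphrase, machine, increment) always yields the same password,
    so nothing needs to be written down; bumping the increment for one machine
    rotates only that machine's password.
    """
    if length < 4:
        raise ValueError("length must allow one character from each class")
    # Normalise the machine name so WKS01 and wks01 resolve to the same password.
    salt = f"{machine.strip().upper()}:{increment}".encode()
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    stream = _byte_stream(key)
    # Largest multiple of len(ALPHABET) that fits in a byte (210 here); bytes at
    # or above it are discarded so every character is equally likely (no modulo bias).
    limit = 256 - (256 % len(ALPHABET))
    while True:
        chars = []
        while len(chars) < length:
            b = next(stream)
            if b < limit:
                chars.append(ALPHABET[b % len(ALPHABET)])
        candidate = "".join(chars)
        if meets_complexity(candidate):
            return candidate
        # Candidate lacked a character class: keep drawing from the same stream,
        # which stays deterministic for the same inputs.


def passwords_for_list(passphrase: str, machines, increments=None, length: int = 16) -> dict:
    """Map every machine in a text list to its current password.

    `increments` holds per-machine counters; machines not listed use 1.
    """
    increments = increments or {}
    return {m: derive_password(passphrase, m, increments.get(m, 1), length) for m in machines}


if __name__ == "__main__":
    # Constructed sample data standing in for the text file of machine names.
    machines = ["WKS01", "WKS02", "WKS03"]
    passphrase = "correct horse battery staple"  # constructed; never stored with the list
    before = passwords_for_list(passphrase, machines)
    # Rotate only WKS02 by bumping its incrementer; the others are unchanged.
    after = passwords_for_list(passphrase, machines, {"WKS02": 2})
    for m in machines:
        print(m, before[m], "changed" if before[m] != after[m] else "unchanged", after[m])
```

Two properties follow from the design. A derived password that leaks from one compromised workstation is a KDF output, so it gives an attacker neither the pass phrase nor any other machine's password, which is exactly the weakness of the shared-password approach discussed in the thread. Conversely, the pass phrase is now the single secret from which every password is reproducible, so the scheme centralises that secret rather than eliminating it; its strength and who knows it determine the strength of every local admin account.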
