Here's another, slightly more complicated idea:

1. Create a database that maps passwords to computer names
2. Create a web service that exposes the passwords
3. Restrict the web service to be accessible only to Domain Computer accounts
4. Enable SSL on the web service
5. Deploy a PowerShell script that:
   a. Accesses the web service and pulls down the appropriate password
   b. Creates a local user account
   c. Sets the password

Using this method, the passwords are never deployed onto the target systems.
The PowerShell script is simply implementing the logic of creating the user
account and setting its password. Plus, you can have unique passwords for
each system, to avoid compromising all of your systems when a user is given
the password for his system. You can re-run the script as often as
necessary, so as to ensure that the password of the local account matches
the one in the central database.

NOTE: There are vendors that offer pre-packaged tools that perform similar
tasks.

Cheers,

Trevor Sullivan

Microsoft PowerShell MVP
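
The client-side script from step 5 of the proposal above, as an added example that is not part of the original thread. The service URL, its JSON response shape and the account name are assumptions; the service is assumed to use Windows authentication over HTTPS and to answer GET <url>/<computername>.

```powershell
# Added example, not from the original thread: a script for step 5 of the proposal.
# Assumptions (hypothetical): the service at $ServiceUrl uses Windows authentication
# over HTTPS and answers GET <url>/<computername> with JSON {"password":"..."}.
# Run it as SYSTEM (e.g. a ConfigMgr package) so the request carries the machine account.
param(
    [string]$ServiceUrl  = 'https://pwsvc.example.internal/api/localpassword',  # assumption
    [string]$AccountName = 'HelpdeskLocal',                                     # assumption
    [string]$Description = 'Local fallback account, password managed centrally'
)

$ErrorActionPreference = 'Stop'

# 5a. Pull this computer's password. -UseDefaultCredentials authenticates with the
# computer account (Kerberos), which is what the "Domain Computers only" restriction
# in step 3 relies on. Step 4 (SSL) protects it in transit; do not disable certificate
# validation to make a self-signed certificate work.
$response = Invoke-RestMethod -Uri "$ServiceUrl/$env:COMPUTERNAME" -Method Get -UseDefaultCredentials
$plain = [string]$response.password
if ([string]::IsNullOrEmpty($plain)) { throw "No password returned for $env:COMPUTERNAME" }

# 5b. Create the local (non-admin) account if it is missing. ADSI/WinNT is used because it
# exists on every Windows version; New-LocalUser (Windows 10 / Server 2016+) is equivalent.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$user = $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $AccountName }
if (-not $user) {
    $user = $computer.Create('User', $AccountName)
    $user.Put('Description', $Description)
    $user.SetInfo()
}

# Membership in the local Users group (and nothing more) lets the account log on interactively.
$users = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
if (-not $users.IsMember($user.Path)) { $users.Add($user.Path) }

# 5c. Set the password. Re-running the script re-synchronises the local account with the
# central database; the clear text is only ever held in this process's memory and never
# lands in a script file or the ccmcache.
$user.SetPassword($plain)
$user.SetInfo()
$plain = $null
$response = $null
```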

From: [email protected] [mailto:[email protected]]
On Behalf Of Daniel Ratliff
Sent: Wednesday, June 18, 2014 1:36 PM
To: [email protected]
Subject: [mssms] RE: Create Local User on all Domain Computers

PowerShell. You can create a password as a secure string, put that in your
script and then decode it to set the password for the user. 

Daniel Ratliff 

From: [email protected] [mailto:[email protected]]
On Behalf Of Gary Ossewaarde
Sent: Wednesday, June 18, 2014 2:32 PM
To: [email protected]
Subject: [mssms] Create Local User on all Domain Computers

Due to an out-of-town user not being able to access his account (something
strange happened with the cached creds), I've been asked to create a local
(non-admin) account on all domain-joined machines so that in such cases, helpdesk
can provide this local account username/password and they can log in, set up
VPN, and switch user.

I can easily do this with a batch file (net user) but have the added
requirement the password does not appear in plaintext on the system (e.g.,
in the ccmcache). 

Any good ways of doing this? 

Additionally, is it a best practice to disable and randomize the
Administrator account's password (as possible in OSD) and have a separate
local admin, named differently? What are other people doing? 

Thanks, 

Gary
