Two things you have to be comfortable with for that solution:

o- You have to extend the AD Schema
o- The passwords are in plain text in the new AD attribute that stores
the password

If you screw up either one, you've got a problem. I would guess that
extending the schema is the one that will make most people most
uncomfortable, although personally I'd be most concerned with making
sure of (and documenting the whys and wherefores thoroughly for
successors) the security settings on the new attributes.

Kurt

On Mon, Jan 26, 2015 at 8:16 AM, Doug Barrett <[email protected]> wrote:
> Just my $.02, I recommend this solution for local admin password management, 
> AD integrated: 
> https://code.msdn.microsoft.com/Solution-for-management-of-ae44e789
>
> How-to guide here:  
> http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx
>
> We ran into the situation where we could no longer modify the group policy 
> assigned local passwords and this worked perfectly in place of it.  Passwords 
> are random and automatically changed and stored in AD in an attribute of the 
> computer account.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of Michael B. Smith
> Sent: Monday, January 26, 2015 8:48 AM
> To: [email protected]
> Subject: RE: [NTSysADM] Local password managment.
>
> Thanks for the information. That also makes it a non-starter for me and my 
> clients.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of Kurt Buff
> Sent: Friday, January 23, 2015 6:51 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Local password managment.
>
> After looking at the docs, this was developed on Linux, and probably performs 
> best there. You can install it on Windows (and there are directions on how to 
> do that), but that means installing Ruby and ancillary gems.
>
> While I personally/professionally have no problem with either option 
> (Windows/Linux), it's not something that's going to go well in my 
> environment, where anything non-commercial and non-standard Windows is 
> frowned upon. Under different circumstances, I'd implement and test this 
> immediately.
>
> I think the SANS solution could be much improved (usability is lacking for 
> those who don't like command line interactions - it would be vastly improved 
> if it were fronted with a web interface, and the passwords stored in a 
> database), but it looks like the better alternative for $JOB at this point.
> (for reference:
> http://cyber-defense.sans.org/blog/2013/08/01/reset-local-administrator-password-automatically-with-a-different-password-across-the-enterprise)
>
> Kurt
>
> On Thu, Jan 22, 2015 at 8:11 AM, Kennedy, Jim <[email protected]> 
> wrote:
>> New open source system to change and manage local passwords on desktops.
>> Written by one of my kid's employees.
>>
>>
>>
>> https://www.trustedsec.com/january-2015/introducing-ships-centralized-local-password-management-windows/
>>
>>
>
>