Edit: That would be "sure of", not "sure or"

Kurt

On Mon, Jan 26, 2015 at 10:38 AM, Kurt Buff <[email protected]> wrote:
> Two things you have to be comfortable with for that solution:
>
> o- You have to extend the AD Schema
> o- The passwords are in plain text in the new AD attribute that stores
> the password
>
> If you screw up either one, you've got a problem. I would guess that
> extending the schema is the one that will make most people most
> uncomfortable, although personally I'd be most concerned with making
> sure or (and documenting the whys and wherefores thoroughly for
> successors) the security settings on the new attributes.
>
> Kurt
>
> On Mon, Jan 26, 2015 at 8:16 AM, Doug Barrett <[email protected]> wrote:
>> Just my $.02, I recommend this solution for local admin password management,
>> AD integrated:
>> https://code.msdn.microsoft.com/Solution-for-management-of-ae44e789
>>
>> How-to guide here:
>> http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx
>>
>> We ran into the situation where we could no longer modify the group policy
>> assigned local passwords and this worked perfectly in place of it.
>> Passwords are random and automatically changed and stored in AD in an
>> attribute of the computer account.
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> On Behalf Of Michael B. Smith
>> Sent: Monday, January 26, 2015 8:48 AM
>> To: [email protected]
>> Subject: RE: [NTSysADM] Local password managment.
>>
>> Thanks for the information. That also makes it a non-starter for me and my
>> clients.
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> On Behalf Of Kurt Buff
>> Sent: Friday, January 23, 2015 6:51 PM
>> To: [email protected]
>> Subject: Re: [NTSysADM] Local password managment.
>>
>> After looking at the docs, this was developed on Linux, and probably
>> performs best there. You can install it on Windows (and there are directions
>> on how to do that), but that means installing Ruby and ancillary gems.
>>
>> While I personally/professionally have no problem with either option
>> (Windows/Linux), it's not something that's going to go well in my
>> environment, where anything non-commercial and non-standard Windows is
>> frowned upon. Under different circumstances, I'd implement and test this
>> immediately.
>>
>> I think the SANS solution could be much improved (usability is lacking for
>> those who don't like command line interactions - it would be vastly improved
>> if it were fronted with a web interface, and the passwords stored in a
>> database), but it looks like the better alternative for $JOB at this point.
>> (for reference:
>> http://cyber-defense.sans.org/blog/2013/08/01/reset-local-administrator-password-automatically-with-a-different-password-across-the-enterprise)
>>
>> Kurt
>>
>> On Thu, Jan 22, 2015 at 8:11 AM, Kennedy, Jim <[email protected]>
>> wrote:
>>> New open source system to change and manage local passwords on desktops.
>>> Written by one of my kid's employees.
>>>
>>> https://www.trustedsec.com/january-2015/introducing-ships-centralized-local-password-management-windows/

