Damn...and I used to be cool, for a day. How big is this risk in reality? A casual user won't be perusing Sysvol, and they'll be even less casual if they can figure out how to get at the password. I, for one, have no idea how I would get at the password, although I imagine even a mediocre hacker would?

What about having the GPO run for a week and then killing (deleting, or disabling then changing the GPP password) the GPO? This should be secure enough for servers, as a user would have to be snooping the week we had the GPO in use, but I set our workstation local admin accounts this way as well. Since we do have standard builds perhaps I can do the same as servers and activate the GPO for a week whenever we want to change it? With PC's that will leave some leakers though...

Going forward, if I don't want to use GPP (and it looks like I don't), how can I accomplish a centrally managed local admin password in a secure manner? I don't want to rely on the machine being online and me or someone manually running a tool, we have far too many remote/VPN users for that to be a viable option. This looks close: http://www.petri.co.il/forums/showthread.php?t=13750 But it relies on knowing the SID of the account, but can a simple change from "wmic useraccount where "sid like 'S-1-5-%%-500'" to "wmic useraccount where "samaccountname like 'lumslocaluser'" work?

Dave

From: Free, Bob [mailto:[email protected]]
Sent: Thursday, January 05, 2012 5:24 PM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

Saw something pointed out today about the security implications by one of the GPO MVPs that you might want to consider....
http://blogs.technet.com/b/grouppolicy/archive/2008/08/04/passwords-in-group-policy-preferences.aspx

From: David Lum [mailto:[email protected]]
Sent: Thursday, January 05, 2012 2:55 PM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

Right!
Two months ago one of the SE's here was saying we need to upgrade to 2008 DC's to manage Win7/2K8 systems...and was surprised when I told him the same thing you just said :) "RSAT dude"

Dave

From: James Hill [mailto:[email protected]]
Sent: Thursday, January 05, 2012 2:19 PM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

That's one of the great things about GPP. It came with Server 2008 but with the CSE's you just need a Vista/Win7 machine to manage them. No need to upgrade everything.

From: David Lum [mailto:[email protected]]
Sent: Friday, 6 January 2012 3:12 AM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

Damn...you guys make me look good, that was it! Just approved me a non-critical update in WSUS to take care of that on my servers...:)

Dave

From: Kennedy, Jim [mailto:[email protected]]
Sent: Thursday, January 05, 2012 8:31 AM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

The 2003 servers don't have the latest updates for GPP installed would be my bet.

From: David Lum [mailto:[email protected]]
Sent: Thursday, January 05, 2012 11:30 AM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

Any reason this wouldn't work with 2003 servers? They don't seem to be picking it up. W2K8 is no problemo... I copied the GPO we use that works on XP/Win7 and modified it to point to the added account and server OU only, no WMI filtering is on.

From: James Hill [mailto:[email protected]]
Sent: Wednesday, January 04, 2012 12:25 PM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

There certainly is (with GPP). It can be used to create, update or delete local users:

Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups

Create a new Local User and fill in the details:-

This is a great GPP to do a domain wide change of the local Admin password as well. Very handy when you have an IT staff member resign who knows the local admin password.

James.

From: David Lum [mailto:[email protected]]
Sent: Thursday, 5 January 2012 4:14 AM
To: NT System Admin Issues
Subject: GPO reset of local non-builtin accounts

Is there a way to GPO a password change of added-in local machine accounts if the account is the same across all systems? I can do it easily enough with the BuiltIn ones, but see no GPO way to do added ones.

David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
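A defender-side check for the SYSVOL exposure that Bob's link and Dave's reply at the top of the thread discuss, added here as an example and not code from any poster: a PowerShell script that walks the domain's SYSVOL Policies share and lists every Group Policy Preference item still carrying a cpassword attribute, so those items can be removed and the affected passwords rotated. It assumes a domain-joined host that can read \\<domain>\SYSVOL; $Domain, $gppFiles and the output fields are this script's own names.

```powershell
# Added example (not from the thread): find GPP items in SYSVOL that still
# carry a cpassword attribute. $Domain and $gppFiles are assumptions here.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

# GPP preference files that can embed a password (Local Users and Groups,
# Services, Scheduled Tasks, Data Sources, Drive Maps, Printers).
$gppFiles   = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
              'DataSources.xml', 'Drives.xml', 'Printers.xml'
$policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"

$findings = foreach ($file in Get-ChildItem -Path $policyRoot -Recurse -Include $gppFiles -ErrorAction SilentlyContinue) {
    try { [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop } catch { continue }

    # cpassword sits on the <Properties> element of an item; the parent element
    # (<User>, <NTService>, <Task>, ...) carries the item name and change time.
    foreach ($props in $doc.SelectNodes('//*[@cpassword]')) {
        if ([string]::IsNullOrEmpty($props.GetAttribute('cpassword'))) { continue }
        $item = $props.ParentNode
        # The GPO GUID is the folder directly below Policies.
        $gpoGuid = (($file.FullName -split '\\Policies\\')[1] -split '\\')[0]
        # The account attribute name varies by item type; take whichever is set.
        $account = @('userName', 'accountName', 'runAs') |
            ForEach-Object { $props.GetAttribute($_) } |
            Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            GpoGuid     = $gpoGuid
            ItemType    = $item.LocalName
            ItemName    = $item.GetAttribute('name')
            Account     = $account
            LastChanged = $item.GetAttribute('changed')
            File        = $file.FullName
        }
    }
}

$findings = @($findings)
if ($findings.Count -eq 0) {
    Write-Output "No GPP items with a cpassword attribute found under $policyRoot"
} else {
    # Every row is a password that must be treated as exposed to anyone who can
    # read SYSVOL: remove it from the preference item and change the password.
    $findings | Sort-Object GpoGuid, ItemName | Format-Table -AutoSize
    $gpoCount = ($findings | Select-Object -ExpandProperty GpoGuid -Unique).Count
    Write-Output ("{0} item(s) across {1} GPO(s) still carry cpassword" -f $findings.Count, $gpoCount)
}
```

With the GroupPolicy RSAT module installed, each GpoGuid can be resolved to a display name with Get-GPO -Guid.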
