Please educate me: Why do you want to have a local account? What's the benefit?
--Matt Ross
Ephrata School District

----- Original Message -----
From: David Lum
To: NT System Admin Issues
Sent: Fri, 06 Jan 2012 06:31:13 -0800
Subject: RE: GPO reset of local non-builtin accounts

> Damn...and I used to be cool, for a day. How big is this risk in reality? A
> casual user won't be perusing Sysvol, and they'll be even less casual if
> they can figure out how to get at the password. I, for one, have no idea how
> I would get at the password, although I imagine even a mediocre hacker
> would?
>
> What about having the GPO run for a week and then killing (deleting, or
> disabling then changing the GPP password) the GPO? This should be secure
> enough for servers, as a user would have to be snooping the week we had the
> GPO in use, but I set our workstation local admin accounts this way as well.
> Since we do have standard builds perhaps I can do the same as servers and
> activate the GPO for a week whenever we want to change it? With PCs that
> will leave some leakers though...
>
> Going forward, if I don't want to use GPP (and it looks like I don't), how
> can I accomplish a centrally managed local admin password in a secure
> manner? I don't want to rely on the machine being online and me or someone
> manually running a tool; we have far too many remote/VPN users for that to
> be a viable option.
>
> This looks close:
> http://www.petri.co.il/forums/showthread.php?t=13750
>
> But it relies on knowing the SID of the account. Can a simple change from
> "wmic useraccount where "sid like 'S-1-5-%%-500'" to
> "wmic useraccount where "samaccountname like 'lumslocaluser'"
> work?
>
> Dave
>
> From: Free, Bob
> Sent: Thursday, January 05, 2012 5:24 PM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> Saw something pointed out today about the security implications by one of
> the GPO MVPs that you might want to consider....
>
> http://blogs.technet.com/b/grouppolicy/archive/2008/08/04/passwords-in-group-policy-preferences.aspx
>
> From: David Lum
> Sent: Thursday, January 05, 2012 2:55 PM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> Right! Two months ago one of the SEs here was saying we need to upgrade to
> 2008 DCs to manage Win7/2K8 systems...and was surprised when I told him the
> same thing you just said :)
>
> "RSAT dude"
>
> Dave
>
> From: James Hill
> Sent: Thursday, January 05, 2012 2:19 PM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> That's one of the great things about GPP. It came with Server 2008, but with
> the CSEs you just need a Vista/Win7 machine to manage them. No need to
> upgrade everything.
>
> From: David Lum
> Sent: Friday, 6 January 2012 3:12 AM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> Damn...you guys make me look good, that was it!
>
> Just approved a non-critical update in WSUS to take care of that on my
> servers...:)
>
> Dave
>
> From: Kennedy, Jim
> Sent: Thursday, January 05, 2012 8:31 AM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> The 2003 servers don't have the latest updates for GPP installed would be my
> bet.
>
> From: David Lum
> Sent: Thursday, January 05, 2012 11:30 AM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> Any reason this wouldn't work with 2003 servers? They don't seem to be
> picking it up. W2K8 is no problemo...
>
> I copied the GPO we use that works on XP/Win7 and modified it to point to
> the added account and server OU only; no WMI filtering is on.
>
> From: James Hill
> Sent: Wednesday, January 04, 2012 12:25 PM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> There certainly is (with GPP). It can be used to create, update or delete
> local users:
>
> Computer Configuration/Preferences/Control Panel Settings/Local Users and
> Groups
>
> Create a new Local User and fill in the details:
> [inline screenshot]
>
> This is a great GPP to do a domain-wide change of the local Admin password
> as well. Very handy when you have an IT staff member resign who knows the
> local admin password.
>
> James.
>
> From: David Lum
> Sent: Thursday, 5 January 2012 4:14 AM
> To: NT System Admin Issues
> Subject: GPO reset of local non-builtin accounts
>
> Is there a way to GPO a password change of added-in local machine accounts
> if the account is the same across all systems? I can do it easily enough
> with the BuiltIn ones, but see no GPO way to do added ones.
>
> David Lum
> Systems Engineer // NWEA
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to
> [email protected]
> with the body: unsubscribe ntsysadmin
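Added example, not part of the thread, for the two points raised above: Bob's link on passwords in Group Policy Preferences, and Dave's question of how anyone would "get at the password". A GPP item that sets a password writes it into the policy's XML under SYSVOL (Groups.xml for Local Users and Groups; also Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml) in a cpassword attribute. SYSVOL is readable by every authenticated domain user, and the AES key that encrypts cpassword is published by Microsoft in the MS-GPPREF protocol specification, so a stored cpassword is recoverable by anyone who can read the share; Microsoft later removed the password fields from the GPP editor (MS14-025, May 2014), but values already written stay in SYSVOL until the items are deleted. The script below is the check a practitioner would run before and after such a cleanup: it parses the preference XML and reports every item that still carries a cpassword. Python is used here instead of PowerShell so the logic is plain; the sample Groups.xml, the account names and the cpassword value in it are constructed (the dummy value decrypts to nothing), and the UNC path in the usage comment is a placeholder.

```python
"""Audit Group Policy Preference XML under SYSVOL for stored cpassword values.

Added example; not the thread's code. Run as any domain user against the
SYSVOL share (or a local copy) and review every line it prints.
"""
import os
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Preference files whose items can carry a cpassword attribute (MS-GPPREF).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attributes that name the account a cpassword belongs to, across item types.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# GPP action codes on the Properties element.
ACTIONS = {"C": "create", "R": "replace", "U": "update", "D": "delete"}

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    source: str         # file the item came from (path or label)
    gpo: str            # policy GUID taken from the SYSVOL path, "" if none
    item: str           # element type: User, NTService, Task, Drive, ...
    account: str        # account the password applies to
    action: str         # create / replace / update / delete
    changed: str        # timestamp the GPMC editor recorded on the item
    has_password: bool  # True when cpassword is non-empty


def gpo_guid_from_path(path: str) -> str:
    """First {GUID} in the path is the policy folder under \\Policies."""
    m = GUID_RE.search(path)
    return m.group(0) if m else ""


def find_cpasswords(xml_text: str, source: str = "<string>") -> List[Finding]:
    """Return one Finding per item whose Properties element has cpassword."""
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():                 # every element in the file
        for props in parent.findall("Properties"):   # direct child only
            if "cpassword" not in props.attrib:
                continue
            account = next((props.attrib[a] for a in ACCOUNT_ATTRS
                            if props.attrib.get(a)), "")
            findings.append(Finding(
                source=source,
                gpo=gpo_guid_from_path(source),
                item=parent.tag,
                account=account,
                action=ACTIONS.get(props.attrib.get("action", ""), "unknown"),
                changed=parent.attrib.get("changed", ""),
                has_password=bool(props.attrib["cpassword"]),
            ))
    return findings


def scan_sysvol(root_dir: str) -> List[Finding]:
    """Walk a SYSVOL tree (or a copy of it) and audit every GPP file found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig") as fh:   # GPMC writes a BOM
                try:
                    findings.extend(find_cpasswords(fh.read(), path))
                except ET.ParseError as exc:
                    print(f"skip {path}: {exc}")
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding; non-empty cpassword is the risk."""
    lines = []
    for f in findings:
        status = "STORED PASSWORD" if f.has_password else "empty cpassword"
        lines.append(f"{status}: {f.item} {f.account!r} ({f.action}, "
                     f"changed {f.changed}) in {f.gpo or f.source}")
    return lines


# Constructed sample in the shape the Local Users and Groups preference writes.
# The cpassword value is a dummy placeholder, not a real encrypted password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="lumslocaluser"
        image="2" changed="2012-01-05 20:14:02">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="lumslocaluser"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk"
        image="2" changed="2012-01-06 14:31:13">
    <Properties action="D" newName="" fullName="" description="" cpassword=""
                changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0"
                userName="helpdesk"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for line in report(find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml")):
        print(line)
    # Against a real domain (placeholder path, run from a domain-joined host):
    # for line in report(scan_sysvol(r"\\corp.example\SYSVOL\corp.example\Policies")):
    #     print(line)
```

The first sample item is what Dave's "run the GPO for a week" plan leaves behind: an update action with a non-empty cpassword for lumslocaluser, readable by anyone until the item is removed, not merely until the GPO is unlinked or disabled. The second shows that a delete action with an empty cpassword carries nothing. For the "going forward" question, the answer that eventually appeared from Microsoft is LAPS, which sets a unique random password per machine and stores it in AD with an ACL rather than in SYSVOL.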
