If the domain becomes unavailable (admin because sometimes we need to futz with NIC properties) or we need to disjoin from the domain for whatever reason we need a local admin account. We have enough servers that it happens on occasion. We also have credential caching turned off on our servers.

We have over a hundred servers and being effectively a software development shop we have tons of "moving parts" on our servers. If I had any control of this place things would be different (not necessarily better, LOL).

Dave

-----Original Message-----
From: Matthew W. Ross [mailto:[email protected]]
Sent: Friday, January 06, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

Please educate me: Why do you want to have a local account? What's the benefit?

--Matt Ross
Ephrata School District

----- Original Message -----
From: David Lum [mailto:[email protected]]
To: NT System Admin Issues [mailto:[email protected]]
Sent: Fri, 06 Jan 2012 06:31:13 -0800
Subject: RE: GPO reset of local non-builtin accounts

> Damn...and I used to be cool, for a day. How big is this risk in reality? A casual user won't be perusing Sysvol, and they'll be even less casual if they can figure out how to get at the password. I, for one, have no idea how I would get at the password, although I imagine even a mediocre hacker would?
>
> What about having the GPO run for a week and then killing (deleting, or disabling then changing the GPP password) the GPO? This should be secure enough for servers, as a user would have to be snooping the week we had the GPO in use, but I set our workstation local admin accounts this way as well. Since we do have standard builds perhaps I can do the same as servers and activate the GPO for a week whenever we want to change it? With PC's that will leave some leakers though...
>
> Going forward, if I don't want to use GPP (and it looks like I don't), how can I accomplish a centrally managed local admin password in a secure manner? I don't want to rely on the machine being online and me or someone manually running a tool, we have far too many remote/VPN users for that to be a viable option.
>
> This looks close:
> http://www.petri.co.il/forums/showthread.php?t=13750
>
> But it relies on knowing the SID of the account, but can a simple change from "wmic useraccount where "sid like 'S-1-5-%%-500'" to "wmic useraccount where "samaccountname like 'lumslocaluser'" work?
>
> Dave
>
> From: Free, Bob [mailto:[email protected]]
> Sent: Thursday, January 05, 2012 5:24 PM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> Saw something pointed out today about the security implications by one of the GPO MVPs that you might want to consider....
>
> http://blogs.technet.com/b/grouppolicy/archive/2008/08/04/passwords-in-group-policy-preferences.aspx
>
> From: David Lum [mailto:[email protected]]
> Sent: Thursday, January 05, 2012 2:55 PM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> Right! Two months ago one of the SE's here was saying we need to upgrade to 2008 DC's to manage Win7/2K8 systems...and was surprised when I told him the same thing you just said :)
>
> "RSAT dude"
>
> Dave
>
> From: James Hill [mailto:[email protected]]
> Sent: Thursday, January 05, 2012 2:19 PM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> That's one of the great things about GPP. It came with Server 2008 but with the CSE's you just need a Vista/Win7 machine to manage them. No need to upgrade everything.
>
> From: David Lum [mailto:[email protected]]
> Sent: Friday, 6 January 2012 3:12 AM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> Damn...you guys make me look good, that was it!
>
> Just approved me a non-critical update in WSUS to take care of that on my servers...:)
>
> Dave
>
> From: Kennedy, Jim [mailto:[email protected]]
> Sent: Thursday, January 05, 2012 8:31 AM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> The 2003 servers don't have the latest updates for GPP installed would be my bet.
>
> From: David Lum [mailto:[email protected]]
> Sent: Thursday, January 05, 2012 11:30 AM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> Any reason this wouldn't work with 2003 servers? They don't seem to be picking it up. W2K8 is no problemo...
>
> I copied the GPO we use that works on XP/Win7 and modified it to point to the added account and server OU only, no WMI filtering is on.
>
> From: James Hill [mailto:[email protected]]
> Sent: Wednesday, January 04, 2012 12:25 PM
> To: NT System Admin Issues
> Subject: RE: GPO reset of local non-builtin accounts
>
> There certainly is (with GPP). It can be used to create, update or delete local users
>
> Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups
>
> Create a new Local User and fill in the details:-
> [cid:[email protected]]
>
> This is a great GPP to do a domain wide change of the local Admin password as well. Very handy when you have an IT staff member resign who knows the local admin password.
>
> James.
>
> From: David Lum [mailto:[email protected]]
> Sent: Thursday, 5 January 2012 4:14 AM
> To: NT System Admin Issues
> Subject: GPO reset of local non-builtin accounts
>
> Is there a way to GPO a password change of added-in local machine accounts if the account is the same across all systems? I can do it easily enough with the BuiltIn ones, but see no GPO way to do added ones.
>
> David Lum
> Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
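The TechNet post Bob linked concerns passwords that GPP writes into the preference XML files under Sysvol, the share Dave notes a user could peruse; the stored value sits in a `cpassword` attribute. As an added example that is not from the thread or from any of its participants, here is a read-only Python audit that walks a SYSVOL-style tree and lists every GPO, file and account with a non-empty `cpassword`, run against a constructed sample tree with a hypothetical GPO GUID and a placeholder value.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute (known names).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

def scan_sysvol(root):
    """Walk a SYSVOL-style tree and report items with a non-empty cpassword."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed file: skip it rather than abort the audit
            # The GPO GUID is the {...} component of the path under Policies.
            gpo = next((p for p in path.split(os.sep) if p.startswith("{")), "?")
            for item in tree.getroot():  # each User, Service, Task, Drive, ...
                props = item.find("Properties")
                if props is None or not props.get("cpassword"):
                    continue  # absent or empty cpassword sets no password
                keys = ("userName", "username", "accountName", "runAs")
                account = next((props.get(k) for k in keys if props.get(k)), "?")
                findings.append({"gpo": gpo, "file": fname, "account": account,
                                 "changed": item.get("changed", "?")})
    return findings

# Constructed sample (hypothetical GUID, placeholder cpassword, not a real
# domain): one item with a stored password and one with no password set.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="lumslocaluser" changed="2012-01-05 22:10:00">
    <Properties action="U" userName="lumslocaluser" neverExpires="1"
                cpassword="PLACEHOLDER-NOT-A-REAL-VALUE"/>
  </User>
  <User name="svc-build" changed="2012-01-04 09:00:00">
    <Properties action="U" userName="svc-build" cpassword="" acctDisabled="1"/>
  </User>
</Groups>"""

def build_sample_sysvol():
    """Write the constructed sample into a temp directory laid out like SYSVOL."""
    root = tempfile.mkdtemp()
    gpo_dir = os.path.join(root, "Policies", "{11111111-2222-3333-4444-555555555555}",
                           "Machine", "Preferences", "Groups")
    os.makedirs(gpo_dir)
    with open(os.path.join(gpo_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return root
```

Against a real domain, point `scan_sysvol` at the `Policies` folder of the SYSVOL share; every finding is a GPO whose stored password should be removed and the account's password rotated.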
