1. for /f "tokens=1" %%a in ('net view^|find "\\"') do psexec %%a net localgroup Administrators "domain users" /delete
6. for /f "tokens=1" %%a in ('net view^|find "\\"') do psexec %%a net user administrator newpassword
   (%%a is the batch-file form of the loop variable; use %a instead if you paste these at a command prompt)
You will need to run this from an admin account.
Can't give you advice on the rest at the mo', am typing with one hand and
feeding a baby :-)
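The same two jobs (pull "Domain Users" out of the local Administrators group and reset the local Administrator password across a list of machines), written as a PowerShell script instead of a psexec one-liner. This is an added example, not code from the thread or from anyone in it; it assumes the domain's NetBIOS name is CONTOSO, that the target hostnames are in a text file (the output of `net view` works once the leading `\\` is stripped, which the script does), and that the caller has admin rights on each box. It talks to the machines over the WinNT ADSI provider, so no psexec is needed, and it checks membership before removing anything.

```powershell
# Added example (not from the original thread). Assumptions: domain NetBIOS
# name CONTOSO, hostnames one per line in computers.txt, caller is a domain
# admin. Run with -WhatIf first to see what would change on each machine.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ComputerList   = '.\computers.txt',   # assumed input file
    [string]$DomainNetBios  = 'CONTOSO',           # assumed domain name
    [string]$GroupToRemove  = 'Domain Users',
    [switch]$ResetAdminPassword
)

$newPassword = $null
if ($ResetAdminPassword) {
    # Prompt for the password rather than putting it on the command line,
    # where it would show up in process listings and shell history.
    $secure = Read-Host -Prompt 'New local Administrator password' -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try   { $newPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Member ADsPaths for a domain group in a local group look like
# WinNT://CONTOSO/Domain Users, so this is the string we look for and remove.
$target = "WinNT://$DomainNetBios/$GroupToRemove"

foreach ($line in Get-Content $ComputerList) {
    $computer = $line.Trim().TrimStart('\')        # accept "\\HOST" or "HOST"
    if (-not $computer) { continue }
    try {
        $group = [ADSI]"WinNT://$computer/Administrators,group"
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })

        if ($members -contains $target) {
            if ($PSCmdlet.ShouldProcess($computer, "Remove '$GroupToRemove' from local Administrators")) {
                $group.psbase.Invoke('Remove', $target)
                Write-Output "$computer : removed '$GroupToRemove' from Administrators"
            }
        } else {
            Write-Output "$computer : '$GroupToRemove' is not a local admin, nothing to do"
        }

        if ($newPassword -and $PSCmdlet.ShouldProcess($computer, 'Reset local Administrator password')) {
            # Assumes the built-in account is still named "Administrator".
            $admin = [ADSI]"WinNT://$computer/Administrator,user"
            $admin.SetPassword($newPassword)
            $admin.SetInfo()
            Write-Output "$computer : Administrator password reset"
        }
    } catch {
        # Offline hosts, firewalled RPC, or no admin rights all land here;
        # log and move on so one bad machine does not stop the run.
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}
```

Run it once as `.\fix-localadmins.ps1 -WhatIf` to get a per-machine report, then without `-WhatIf` to apply. Note that the password-reset half sets the same local Administrator password on every machine in the list, which means one compromised box yields admin on all of them; it does what the original question asks, but a per-machine password is the safer end state.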
2009/3/23 Paul Everett <[email protected]>
> Okay, I'm concerned about this, but need more direction than what has
> been posted so far.
> We've been running BGinfo here in our login script for years and we've
> been putting "domain users" into their local admin group to keep it from
> erroring. We've recently started just giving full access to the bginfo
> file, but still have a couple hundred machines with "domain users" in
> the local admin group.
> 1. Is there a way (script or GP) to take "domain users" out of the
> local admin group?
> 2. How can I give users full access to the bginfo file without
> visiting every machine?
> 3. Where in GP do I disable Autorun?
> 4. How do I do the INI redirection trick?
> 5. How can I make sure the svchost key has read-only rights for
> everyone? Could this adversely affect some applications?
> 6. Is there a way to change the local admin password via script or
> GP?
>
> Thanks,
> Paul
>
>
> -----Original Message-----
> From: Ben Scott [mailto:[email protected]]
> Sent: Friday, March 20, 2009 5:11 PM
> To: NT System Admin Issues
> Subject: Re: April 1st Conflicker Version C to erupt
>
> On Fri, Mar 20, 2009 at 4:54 PM, Ziots, Edward <[email protected]>
> wrote:
> > Just as a follow-up, the following KB article fixed that issue. What I
> > am still concerned about is that even though these systems were patched
> > about 2-3 months ago with MS08-067, they still got somewhat infected...
>
> As mentioned, Conficker has multiple methods of propagation. The
> MS08-067 Server RPC vulnerability is only half the problem. The other
> common vector is removable media, such as USB flash drives. Combined
> with Autorun, all you have to do is insert the media, and Windows will
> automatically run Conficker for you. Even with Autorun completely
> disabled, the user can still find the Trojan horse executable on the
> media and double-click to run it manually.
>
> If you're running with unprivileged users, it can still set itself
> up in the user's profile. It shouldn't (*shouldn't*) be able to
> disable anti-virus or compromise the local system, but it can run
> within the privileges of the user. It can scan for hosts still
> vulnerable to MS08-067. It can scan for network shares, and try to
> copy itself to them. It can try to brute force passwords to propagate
> to more hosts. That last is presumably what leads to the account
> lockouts others have described.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~