[gptalk] Re: Group Policy to set local administrator password

  • From: "James Kagele" <james.kagele@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Fri, 29 Jun 2007 06:10:36 +0200

We used to do it with GPOs but realized the password was passing over the
network in the clear.  If the password is not encrypted anyone who has
access to gpresult can get to it.

On 6/28/07, MONTGOMERY, RONALD [AG/1000] <ronald.montgomery@xxxxxxxxxxxx> wrote:

We did it in an emergency once before we purchased a third party
management solution. We encrypted the script, which was better than not
trying at all.

Jamie's right on about tightening the permissions on the GPO, but I think
the traffic that's passed over the network can be intercepted and read?

We had a target list of machines, so we filtered with a security group. We
also had a requirement to have unique passwords for each machine, so I used
a data dictionary in the script. I attached the script if you're interested.
It's pretty simple, sorry!

If your users have admin rights, all bets are off for policy processing on
all your machines. That was one reason why we went with a third party tool
with good reporting capabilities.

Hope this helps.


*From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
*On Behalf Of* Johnson, Matthew
*Sent:* Thursday, June 28, 2007 3:25 PM
*To:* gptalk@xxxxxxxxxxxxx
*Subject:* [gptalk] Group Policy to set local administrator password

Is anyone using Group Policy to deploy a script/batch file which sets the
local administrator password?

I am not, but I am considering it.  My concern is that the password would
be clear text in the script.

Thanks in advance for any help,

*Matthew Johnson*

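The concern raised in this thread, a local administrator password sitting in clear text in a GPO-deployed batch file or VBScript, can be audited for in scripts already in place. The sketch below is an added example, not code from the thread or the attached script; the function name and sample scripts are constructed for illustration. It flags `net user` commands and ADSI `SetPassword` calls that carry a literal password and reports line numbers only.

```python
import re

NET_USER = re.compile(r"\bnet(?:\.exe)?\s+user\s+(.*)", re.IGNORECASE)
SET_VAR = re.compile(r'^\s*set\s+"?(\w+)=([^"\r\n]*)', re.IGNORECASE)
SET_PASSWORD = re.compile(r'\.SetPassword\s*\(?\s*"[^"]+"', re.IGNORECASE)

def find_embedded_passwords(script_text):
    """Return (line_no, kind) per line that sets a password from clear text.
    The secret itself is never returned, so the report is safe to share."""
    variables, findings = {}, []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        if line.strip().lower().startswith(("rem ", "::", "'")):
            continue  # batch or VBScript comment
        m = SET_VAR.match(line)
        if m:  # remember batch variables assigned inside the script
            variables[m.group(1).lower()] = m.group(2).strip()
            continue
        m = NET_USER.search(line)
        if m:
            # drop switches (/add) and redirections, keep account and password
            args = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', m.group(1))
                    if t[0] not in "/>"]
            if len(args) < 2 or args[1] == "*":
                continue  # no password argument, or interactive prompt
            var = re.fullmatch(r"%(\w+)%", args[1])
            if var is None:
                findings.append((line_no, "net user literal"))
            elif variables.get(var.group(1).lower()):
                findings.append((line_no, "net user via script variable"))
        elif SET_PASSWORD.search(line):
            findings.append((line_no, "SetPassword literal"))
    return findings

# Constructed samples (not the script attached in the thread)
SAMPLE_BAT = """@echo off
rem constructed sample
net user administrator /active:yes
set PW=Example-Pass-1
net user administrator %PW%
net user administrator "Example Pass 2"
net user administrator *
"""
SAMPLE_VBS = """' constructed sample
Set objUser = GetObject("WinNT://./Administrator,user")
objUser.SetPassword "Example-Pass-3"
"""

if __name__ == "__main__":
    for name, text in (("sample.bat", SAMPLE_BAT), ("sample.vbs", SAMPLE_VBS)):
        print(name, find_embedded_passwords(text))
```

Run it over a copy of the script files referenced by each GPO; a variable that is filled by `set /p` or passed in from outside the script is not reported.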
