Need someone to clear up a question/concern I have about using GP Preferences for local admin password resets

rsnellman asked:
Hi, I was directed to this link from an earlier question, but it brought up another question that I need to be clear on before proceeding with GP Preferences.

http://abskb.wordpress.com/2009/08/30/how-to-use-group-policy-preferences-to-set-change-passwords/#comment-159

Could one use this technique by having an existing GPO for a specific OU that the desired computer objects reside in, and create the GP Preference to change (update) the password on the built-in local Administrator account on each system? Once confirmed the systems have updated and have the new password, just delete that GP Preference from the GPO, instead of creating a new GPO & deleting it every time. Or does this still keep remnants of the password in the GPO?

Just want to be clear and secure.

Thanks in advance.

Neil Russell, Technical Development Lead
Commented:
Yes, of course you could, but why bother deleting the GPP once it's done? What if somebody changes the local admin password on a machine? It won't get reset. If you leave the GPP in there, if it's changed, it will change back again with the next policy update.
Also, if you want to change the password again in a month's time, you just need to open that policy and edit it, 1 min's work and the job's done.
rsnellman, IT Manager

Author

Commented:
Ok, but what about the security issues/concerns of leaving it in there since it resides in the SYSVOL?

(I am not running IPSec policies at this time.)

Technical Development Lead
Commented:
Have you or anybody you know been able to decrypt the sysvol files to extract the stored password for the local admin account?
rsnellman, IT Manager

Author

Commented:
I have never tried.  I have not known anyone to, but when you are in a learning environment with curious students, I wouldn't put anything past them.

Just was wondering.

Thanks.
Neil Russell, Technical Development Lead
Commented:
Unless you are using login SCRIPTS that have plain text passwords stored in the scripts you are fine.
rsnellman, IT Manager

Author

Commented:
OK.  Thanks.  I am not using login scripts with plain text passwords.

Thanks for the reassurance.

Have a great day.
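
For the question that opens this thread, whether the password remains in the GPO after the preference item is deleted, the following audit lists every Group Policy Preferences XML file in SYSVOL that still carries a stored password; GPP writes it to a `cpassword` attribute in the preference XML inside the GPO's folder. This is an added example, not code from the thread or the linked article. It assumes the default `\\<domain>\SYSVOL\<domain>\Policies` layout and read access to it, and the `-Domain` parameter name is chosen here.

```powershell
# Added example (not from the thread): list Group Policy Preferences XML files
# in SYSVOL that still carry a stored password (a non-empty cpassword attribute).
# The stored value itself is never printed.
param(
    # Assumption: defaults to this machine's DNS domain; pass -Domain to override.
    [string]$Domain = $env:USERDNSDOMAIN
)

$policies = "\\$Domain\SYSVOL\$Domain\Policies"
if (-not (Test-Path -LiteralPath $policies)) {
    throw "Cannot reach $policies"
}

$findings = Get-ChildItem -Path $policies -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $doc  = New-Object System.Xml.XmlDocument
        try { $doc.Load($file.FullName) } catch { return }   # skip unreadable or malformed XML

        # For a local user item the password sits on <Properties>; the parent
        # element (<User>) holds the item's display name and last-changed time.
        foreach ($node in $doc.SelectNodes('//*[string-length(@cpassword) > 0]')) {
            $gpoGuid = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
            $item    = $node.ParentNode -as [System.Xml.XmlElement]
            $name    = if ($item) { $item.GetAttribute('name') }    else { $null }
            $changed = if ($item) { $item.GetAttribute('changed') } else { $null }

            [pscustomobject]@{
                GpoGuid  = $gpoGuid
                File     = $file.FullName
                ItemName = $name
                Account  = $node.GetAttribute('userName')
                Changed  = $changed
            }
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    "No cpassword values found under $policies"
}
```

Run it once while the preference item exists and again after deleting it and letting SYSVOL replicate; an empty second result means no preference XML under that Policies folder still holds a stored password.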