[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 302
  • Last Modified:

GPO for administrator account

Looking to create a vb script that will enable the built in administrator account (if disabled)
Rename it too – Admin
And set a password
(Windows 7)
Would like to do this via GPO, is there a vb script option to run at startup?

Thanks
0
kwatt562
Asked:
kwatt562
  • 3
  • 2
  • 2
1 Solution
 
Joseph MoodyBlogger and wearer of all hats.Commented:
This can be done in Group Policy.

The enable and rename settings can be found under Computer Configuration/Window Settings/Security Settings/Local Policies/Security Options/Accounts.

You can set the password with Group Policy Preferences Local Users and Groups.
0
 
kwatt562Author Commented:
The first part is OK, not sure how to set the password though as its 2003 server
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
kwatt562Author Commented:
Cancel that I have found a 2008 R2 server :) will let you know how goes, thanks  alot
0
 
McKnifeCommented:
It should be noted that using group policy preferences to set the password puts the whole lot of computers at risk because
A that password is the same everywhere
B it can be read out in plain text, so anyone with a little knowhow could own all your computers from now on if he liked to.
Read results here: https://www.google.com/search?q=gpp+password+security&sourceid=ie7&rls=com.microsoft:en-US:IE-Address&ie=&oe=
Please note that the link you were given contained that warning, too (at the very end).*

You should tell us why you need that account and what you use it for. Maybe we can tell you a better solution to achieve it.

*Just for laughs: the MVP (F. Frommherz) who in that linked article claimed we could not get our hands on a plaintext password changed his mind: http://www.frickelsoft.net/blog/?p=116

http://www.gruppenrichtlinien.de/artikel/verwaltungaenderung-der-lokalen-administratoren-kennworte/ is another tactical approach: set the pw, apply and delete the GPO afterwards so that it cannot be attacked in sysvol. Ha... that's history. Win8.1 uses GPO caching, it will have a local copy of that policy, so we have to be careful! Read http://4sysops.com/archives/group-policy-caching-in-windows-8-1/
0
 
McKnifeCommented:
The solution is no solution, sorry. Simply, because it does not work anymore. Since the patch day of may 14, for security's sake, microsoft has disabled the ability to enclose passwords in account items in group policy preferences.
0
 
McKnifeCommented:
So better look at the alternative described here: http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx - it holds all the background info to the change as well.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now