Solved

How to randomize Local Administrator password on clients and servers?

Posted on 2015-02-04
13
61 Views
Last Modified: 2015-04-19
How to randomize Local Administrator password on clients and servers centrally?
Question by:ITO-
13 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 40590442
To what end?

You could use a computer GPO that includes the startup script that runs a vbs or a simple net user directive to set the administrator password, though this might be moot given the administrator account is disabled since Windows 7/Server 2012, if not disallowed in Windows 8.

You could similarly disable this account.

Not sure what type of randomization.
Do you need that information recorded anywhere?
0
 

Author Comment

by:ITO-
ID: 40590459
Yes, actually I'm looking for a solution that does this, like recording it in an attribute in AD or a DB.
0
 
LVL 55

Accepted Solution

by:
McKnife earned 500 total points
ID: 40590506
You can have a startscript set a randomized password with a simple script:
net user administrator /random >\\server\share\%computername%.txt
The password will be 8 letters, like kjd!gT7h22, it will be logged to a file. That file share should be made write-only for domain computers and only readable for domain admins.

If that is not long enough, I ask you, why secure it, when it's disabled anyway?
0
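
The accepted answer above asks for a drop share that domain computers can write to but only domain admins can read. An added example (not part of the original thread) that checks a folder's ACL entries for that property; the CONTOSO domain, the Helpdesk group and the allowed-reader list are assumptions, and the sample rules are constructed.

```powershell
# Added example. Identities allowed to read the password files (assumption).
$AllowedReaders = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CONTOSO\Domain Admins'
)

# ReadData and ListDirectory share bit 0x1: read file contents / list the folder.
$ReadBits = [int][System.Security.AccessControl.FileSystemRights]::ReadData
# GENERIC_READ (0x80000000) and GENERIC_ALL (0x10000000) can appear as raw
# bits in inherit-only entries, so they are checked as well.
$GenericBits = 0x80000000 -bor 0x10000000

function Find-UnexpectedReader {
    param(
        [Parameter(Mandatory = $true)] $Rules,   # FileSystemAccessRule objects
        [string[]] $Allowed = $AllowedReaders
    )
    foreach ($rule in $Rules) {
        # Only Allow entries can grant read access.
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($Allowed -contains $rule.IdentityReference.Value) { continue }
        $mask = [int]$rule.FileSystemRights
        if (($mask -band $ReadBits) -or ($mask -band $GenericBits)) {
            New-Object psobject -Property @{
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Constructed sample entries: the third one breaks the "only readable for
# domain admins" requirement and is the only one reported.
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'
$sample = @(
    (New-Object $ruleType('CONTOSO\Domain Admins', 'FullControl', 'Allow')),
    (New-Object $ruleType('CONTOSO\Domain Computers', 'CreateFiles, AppendData', 'Allow')),
    (New-Object $ruleType('CONTOSO\Helpdesk', 'ReadAndExecute', 'Allow'))
)
Find-UnexpectedReader -Rules $sample
```

Against a live folder, pass `(Get-Acl <path>).Access` as `-Rules`. Share-level permissions are evaluated separately from these NTFS entries.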

 

Author Comment

by:ITO-
ID: 40590528
Why disabled? Sometimes it's required when disjoin/join is required.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40590554
When disjoin is required, you enable it on demand; there's no valid reason for keeping it enabled.
0
 

Author Comment

by:ITO-
ID: 40590565
How will you enable it? When disjoin/join is required, this means that you cannot log in to the machine anymore to enable it.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40590725
If you are not able to log on using a domain admin, you simply boot the famous Nordahl CD and enable the admin and blank its password - as simple as that.
0
 
LVL 79

Expert Comment

by:arnold
ID: 40590855
When a domain-based system is off the network, cached credentials (domain) will work.
Administrator then is a placeholder for an administrative local account?
0
 

Author Comment

by:ITO-
ID: 40596430
Yes, but when a computer loses its trust relationship with the domain, even cached credentials won't work, right?
0
 
LVL 79

Expert Comment

by:arnold
ID: 40596434
No, so long as a DC cannot be reached, cached credentials will be valid and allow login.

The determinant of the loss of trust is the DC and not the system onto which one wants to log in.
0
 

Author Comment

by:ITO-
ID: 40731943
LAPS (Local Administrator Password Solution) from Microsoft is a solution for my requirements.
0
 

Author Comment

by:ITO-
ID: 40732773
I've requested that this question be closed as follows:

Accepted answer: 0 points for ITO-'s comment #a40731943

for the following reason:

No other solution was provided.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40732009
If you don't find http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_28610602.html#a40590506 is a solution, then please tell me why. It randomizes the password and is controlled centrally.

Please remember: forum members are volunteers. If you see someone made an effort to help and he answers your questions (at least to his understanding) and all you do is call it a non-solution, this will not serve the community spirit.
0

Question has a verified solution.