Andy Andy (India) asked:
Apply Unique Local Admin Password for All Computers through GPO

Hello Team,

We want to set the local Administrator password for all workstations in an OU where the computers exist.

I want to apply this via GPO; the same GPO I will link to other OUs in future.

Please suggest how we can proceed further with this.

Thanks,
Addy
Shaun Vermaak (Australia):

I deploy this at all my enterprise clients. It sets the password according to a policy via an agent and submits it to a secure attribute in Active Directory. You can delegate this attribute to a group, etc. You use a little tool to read passwords when you need the password.

Local Administrator Password Solution
https://technet.microsoft.com/en-us/mt227395.aspx
Andy Andy (asker):
Due to some security measures, the customer is not comfortable using a tool. Basically we need to manage workstations only, so GPO is the right option.
I need to apply it to a specific OU through GPO.
GPO is not the right option, because the only way to set a password via GPO is a script (bad idea) or a Group Policy Preference, which stores the password as cpassword, which can easily be decoded.
Can you suggest a GPO, if any, and also tell me whether this LAPS tool can be deployed to a specific OU? Basically I need to set it on all workstations in that OU.
The server OU is different.
Can you suggest a GPO?
None are secure

"if any and also tell can this LAPS tool i can deploy on specific OU, basically i need to set it on all workstations in that OU
server OU is different"
Yes, it can be deployed to an OU.
Can you suggest a GPO, as we need to deploy through GPO only?
ASKER CERTIFIED SOLUTION by Shaun Vermaak (members-only; not shown here)
You can also get away with doing it via the NetWrix free bulk password reset.
https://www.netwrix.com/local_admin_bulk_password_reset_freeware.html
No, we want to go with Group Policy only.
Good luck
Could you suggest any GPO?
Naddy, what is it that you don't understand?

There - is - no - GPO-option - to - do - this.

Microsoft had offered a way, but Microsoft themselves modified (=killed) that way some time ago. Since then, LAPS is what they recommend. You could also use startup scripts. Startup scripts can of course be triggered from GPOs.
A batch script that modifies the password and is safe to use would go
net user administrator /random>\\server\share\%computername%.txt
That will change the password and write it to a text file. The output looks like this:
"password for administrator is 4Z8fNFKh" (the password is random, i.e. different for each machine).

To make sure that clients cannot retrieve other computer's admin passwords, you would make that share write-only.
If you have questions concerning this suggestion, feel free to ask. But please be so kind as to accept that this cannot be done using ordinary GPOs.
I found the article below. Could you suggest whether that would be fine as per my requirement?

http://www.dannyeckes.com/create-local-admin-group-policy-gpo/
Addy, that article is no longer valid due to what Microsoft has modified. You cannot use that method.
McKnife, I think you will be able to get into \\server\share\%computername%.txt and get all passwords, because you need to give the computer account access to the share.
As per my comment:
Nothing that will just be a GPO (GPP, which was the only option other than a script, was blocked by MS14-025 because cpassword is insecure).
MS14-025 disables the steps in http://www.dannyeckes.com/create-local-admin-group-policy-gpo/
Yes, I have seen by checking it that the password column is grayed out. So please suggest how to set up this request in any other way.

It looks like the LAPS tool is a little vast. If we use that, please suggest where it needs to be installed, where all the passwords will be saved, and whether this can be applied to a specific OU.

I need technical documentation for that, or suggest the steps to me.
@Shaun
"McKnife, I think you will be able to get into \\server\share\%computername%.txt and get all passwords because you need to give computer account access to share" - no. As I wrote: set the share to "write-only".
@Addy
"Please suggest how to setup this request in any other way" - I already did. Please comment on it.
@McKnife:
Not a bad approach, thanks for sharing. The only thing is offline/disconnected startups; perhaps a little online check function before setting the password.
Not needed since startup scripts are read from the network themselves.
We could also use PowerShell to set random passwords of better complexity/length.
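As an added example (not code posted by any participant in this thread), the PowerShell equivalent of McKnife's one-line batch startup script above, following the suggestion to use PowerShell for better complexity and length: `net user /random` yields an 8-character password, as the sample output "4Z8fNFKh" shows, whereas this draws 20 characters from a cryptographic RNG and checks the result against the default Windows complexity rule before using it. Everything not on the page is an assumption: that the script is deployed as a GPO startup script (Computer Configuration > Policies > Windows Settings > Scripts > Startup), so it runs as SYSTEM and reaches the share as the computer account; that \\server\share is the thread's placeholder path; and that the folder's NTFS ACL gives Domain Computers "Create files / write data" only, with no Read or List, which is what "write-only" means in practice.

```powershell
<#
 Added example, not from the original thread. PowerShell version of the
 startup-script approach discussed above.
 Assumptions (not stated on the page): runs as SYSTEM via a GPO startup
 script; \\server\share is a placeholder; its NTFS ACL lets Domain
 Computers create/write files but not read or list the folder.
#>
param(
    [int]$Length       = 20,
    [string]$DropShare = '\\server\share'
)

function New-RandomPassword {
    param([int]$Length = 20)
    # Ambiguous glyphs (0/O, 1/l/I) are left out so the text file is easy to type from.
    $charset = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] ($Length * 4)
    $rng.GetBytes($bytes)
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Length; $i++) {
        # 32 random bits per character keeps the modulo bias negligible for a 70-char set.
        $n = [System.BitConverter]::ToUInt32($bytes, $i * 4)
        [void]$sb.Append($charset[[int]($n % $charset.Length)])
    }
    $sb.ToString()
}

function Test-Complexity {
    param([string]$Password)
    # Default domain policy requires at least three of the four character classes.
    $classes = @(@('[a-z]', '[A-Z]', '[0-9]', '[^a-zA-Z0-9]') |
        Where-Object { $Password -cmatch $_ })
    return ($classes.Count -ge 3)
}

# Locate the built-in Administrator by its well-known RID 500 rather than by
# name, so a renamed account is still the one that gets rotated.
$admin = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if (-not $admin) { Write-Error 'Built-in Administrator (RID 500) not found'; exit 1 }

do { $password = New-RandomPassword -Length $Length } until (Test-Complexity $password)

# Record first, rotate second: if the share is unreachable (offline start-up)
# the old password stays in force and nothing is lost. WriteAllText only needs
# create/write rights on the folder, so a write-only ACL is sufficient.
$file   = Join-Path $DropShare "$env:COMPUTERNAME.txt"
$record = "{0}`t{1}`t{2}`t{3:s}" -f $env:COMPUTERNAME, $admin.Name, $password, (Get-Date)
try {
    [System.IO.File]::WriteAllText($file, $record)
} catch {
    Write-Error "Could not record password on $DropShare, leaving account unchanged: $_"
    exit 1
}

# Set the password through the WinNT ADSI provider, which is available on
# every client OS without the newer LocalAccounts module.
$user = [ADSI]"WinNT://$env:COMPUTERNAME/$($admin.Name),user"
$user.SetPassword($password)
$user.SetInfo()
```

Each machine can only create or overwrite the file named after itself, and with no Read/List on the folder it cannot enumerate the other machines' files, which is the property McKnife relies on. The passwords still sit in plaintext on the file server, readable by whoever is granted Read on that folder, so the folder ACL is the whole of the protection; LAPS, which the thread names as Microsoft's recommended solution, stores them in AD instead.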
I have seen it now. If I apply the GPO, then in the XML file the cpassword shows blank. So shall I mention the password there? Will that GPO work?
No, it will not work. This functionality was disabled.
Is there any other tool or script to accomplish this?
I would use LAPS or the solution suggested by McKnife in ID41999347.
If we need to go with LAPS,

how can I test this tool before implementing it in production?

Can I install it on a client machine?
You have to test this in a separate testing domain, because it adds a schema extension, which I would only do if I committed to the solution.
That is the reason I don't want to go with this tool for now.

Can you recommend any other tool?
You have no confidence in LAPS, Microsoft's own tool and recommended solution? Then what would you be confident in? Come on :)
If it extends the domain schema, so what? Nothing to it. If you have such fears, a test domain is worth having. I could set up a test domain in a virtual environment in half an hour; I recommend that you do that.

I recommended an alternative which you have not yet commented on, by the way.
McKnife, sorry, I don't have a test environment; also I don't want to use the option you suggested earlier.

Could you suggest any other tool than this?
Before recommending an alternative, it would be helpful to know what keeps you from using that script or a similar script
What exactly does this startup script do?

net user administrator /random>\\server\share\%computername%.txt

What does random mean here, and can I test it? Also, which server path do I need to give? It might be seen by any other person who has access to it.
Net.exe is one of the most important commands of all. Please type

Net help user

to make yourself familiar with it.
/random sets a random password.
Simply execute that line for a test:

Net user administrator /random

The output shows what it does.

The share will need to be write only to secure it. I already emphasized that twice before.
SOLUTION (members-only; not shown here)
Thanks, guys.