Andy Andy
asked on
Apply Unique Local Admin password for all Computer through GPO
Hello Team,
We want to set the Local Administrator password for all workstations in some OU where the computers exist.
I want to apply this via GPO; the same GPO I will link to any other OU in future.
Please suggest how we can proceed further with this.
Thanks,
Addy
ASKER
Due to some security measures, the customer is not comfortable using a tool. Basically we need to manage this for workstations only, so GPO is the right option.
On a specific OU I need to apply it through GPO.
GPO is not the right option, because the only way to set a password via GPO is a script (bad idea) or a GPO preference, which stores the password as CPassword, which can easily be decoded.
ASKER
Can you suggest a GPO, if any, and also tell me whether this LAPS tool can be deployed on a specific OU? Basically I need to set it on all workstations in that OU.
The server OU is different.
"can you suggest GPO if any" - None are secure.
"and also tell can this LAPS tool i can deploy on specific OU, basically i need to set it on all workstations in that OU" - Yes, it can be deployed to an OU.
"server OU is different"
ASKER
Can you suggest a GPO, as we need to deploy through GPO only?
ASKER CERTIFIED SOLUTION
You can also get away with doing it via the NetWrix free bulk password reset.
https://www.netwrix.com/local_admin_bulk_password_reset_freeware.html
ASKER
No, we want to go with Group Policy only.
Good luck
ASKER
Could you suggest any GPO?
Naddy, what is it that you don't understand?
There - is - no - GPO-option - to - do - this.
Microsoft had offered a way, but Microsoft themselves modified (=killed) that way some time ago. Since then, LAPS is what they recommend. You could also use startup scripts. Startup scripts can of course be triggered from GPOs.
A batch script that modifies the password and is safe to use would go
net user administrator /random>\\server\share\%computername%.txt
That will change the password and write it to a text file. The output looks like this: "password for administrator is 4Z8fNFKh" (the password is random, i.e. not the same, for any machine).
To make sure that clients cannot retrieve other computers' admin passwords, you would make that share write-only.
If you have questions concerning this suggestion, feel free to ask. But please be so kind as to accept that this cannot be done using ordinary GPOs.
ASKER
I found the article below; could you suggest whether it is fine as per my requirement?
http://www.dannyeckes.com/create-local-admin-group-policy-gpo/
Addy, that article is no longer valid due to what Microsoft has modified. You cannot use that way.
McKnife, I think you will be able to get into \\server\share\%computername%.txt and get all passwords, because you need to give the computer account access to the share.
As per my comment: nothing that will just be a GPO (GPP, which was the only option other than a script, was blocked by MS14-025 because CPassword is insecure). MS14-025 disables the steps in http://www.dannyeckes.com/create-local-admin-group-policy-gpo/
ASKER
Yes, I have seen it by checking: the password column is grayed out. So please suggest how to set up this request in any other way.
It looks like the LAPS tool is a little vast. If we use that, please suggest where it needs to be installed, where all the passwords will be saved, and whether it can be applied to a specific OU.
I need technical documentation for that, or suggest me the steps.
@Shaun
"McKnife, I think you will be able to get into \\server\share\%computername%.txt and get all passwords because you need to give computer account access to share" - no. As I wrote: set the share to "write-only".
@Addy
"Please suggest how to setup this request in any other way" - I already did. Please comment on it.
@McKnife:
Not a bad approach, thanks for sharing. The only thing is offline/disconnected startups; perhaps a little online check function before setting the password.
Not needed since startup scripts are read from the network themselves.
We could also use PowerShell to set random passwords of a better complexity/length.
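A PowerShell startup-script variant of McKnife's net user line with the longer random password Shaun mentions, as an added example that is not code from this thread. \\server\share is a placeholder for the write-only share the thread describes (Domain Computers get Create files/write data on the folder, no Read or List); the file still holds the password in plain text on that server, which is what the LAPS recommendation avoids by keeping it in AD.

```powershell
# Added example (not from the thread). Startup script: generate a long random
# password, record it on the write-only share, then set it on the local account.
$Share   = '\\server\share'   # placeholder, must be write-only for Domain Computers
$Account = 'Administrator'
$Length  = 20

function Get-RandomIndex {
    # Uniform index in 0..($Max-1) from a CSPRNG; rejection sampling avoids modulo bias.
    param([int]$Max, [System.Security.Cryptography.RandomNumberGenerator]$Rng)
    $buf   = New-Object byte[] 4
    $limit = [int64]4294967296 - (4294967296 % $Max)
    do {
        $Rng.GetBytes($buf)
        $n = [int64][BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    return [int]($n % $Max)
}

function New-RandomPassword {
    param([int]$Length = 20)
    # Ambiguous characters (0/O, 1/l/I) are left out so the stored value is easy to read.
    $classes = @([char[]]'abcdefghijkmnpqrstuvwxyz', [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
                 [char[]]'23456789', [char[]]'!@#$%^&*-_=+')
    $all = $classes | ForEach-Object { $_ }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # One character per class satisfies a typical complexity policy; the rest comes from
    # the full set, then a Fisher-Yates shuffle removes any positional pattern.
    $chars = @(foreach ($c in $classes) { $c[(Get-RandomIndex $c.Length $rng)] })
    $chars += @(1..($Length - $classes.Count) | ForEach-Object { $all[(Get-RandomIndex $all.Length $rng)] })
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1) $rng
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    return -join $chars
}

$password = New-RandomPassword -Length $Length
$outFile  = Join-Path $Share "$env:COMPUTERNAME.txt"
# Record the password before changing it: if the share is unreachable, the script
# stops and the current password stays in force instead of being lost.
try {
    [System.IO.File]::WriteAllText($outFile, "password for $Account is $password`r`n")
} catch {
    Write-Error "Cannot write to $Share; leaving the $Account password unchanged."
    exit 1
}
$secure = ConvertTo-SecureString $password -AsPlainText -Force
if (Get-Command Set-LocalUser -ErrorAction SilentlyContinue) {
    Set-LocalUser -Name $Account -Password $secure   # Windows 10 / Server 2016 and later
} else {
    & net.exe user $Account $password | Out-Null       # older clients, as in the thread's line
}
```

The write-then-set order also covers Shaun's offline-startup concern: a client that cannot reach the share leaves its password as it was.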
ASKER
I have seen it now. If I apply the GPO, then in the XML file the CPassword is showing blank. So shall I mention the password there? Will that GPO work?
No, it will not work. This functionality was disabled.
ASKER
Is there any other tool or script to accomplish this?
I would use LAPS or the solution suggested by McKnife in ID41999347.
ASKER
If we need to go with LAPS, how can I test this tool before implementing it in production?
Can I install it on a client machine?
You have to test this on a separate testing domain, because it adds a schema extension, which I would only do if I commit to the solution.
ASKER
That is the reason I don't want to go with this tool for now.
Can you recommend any other tool?
You have no confidence in LAPS, Microsoft's own tool and recommended solution? Then what would you be confident in? Come on :)
If it extends the domain schema, so what? Nothing to it. If you have such fears, a test domain is worth having. I could set up a test domain in a virtual environment in half an hour; I recommend that you do that.
I recommended an alternative which you have not yet commented on, by the way.
ASKER
McKnife, sorry, I don't have a test environment, and I also don't want to use the option you suggested earlier.
Could you suggest any other tool than this?
Before recommending an alternative, it would be helpful to know what keeps you from using that script or a similar script.
ASKER
What exactly does this startup script do?
net user administrator /random>\\server\share\%computername%.txt
What does random mean here, and can I test it? And which server path do I need to give? It might be seen by any other person who has access to it.
Net.exe is one of the most important commands of all. Please type
Net help user
to make yourself familiar with it.
/random sets a random password.
Simply execute that line for a test:
Net user administrator /random
The output shows what it does. The share will need to be write-only to secure it. I already emphasized that twice before.
SOLUTION
ASKER
Thanks, guys.
Local Administrator Password Solution
https://technet.microsoft.com/en-us/mt227395.aspx