• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 164
  • Last Modified:

GPO failed to change local admin account password

Domain network: WIndows Server 2008 R2
Workstation: Windows 10
GPO purpose: Create one more local admin account and set password. Once it's changed, change it back.
GPO setting:GPO-Local-Admin.JPGQuestion: After the user, who is domain account and part of local administrators group, changed the admintest account password, if the computer reboot, the admintest account password isn't changed back to the GPO setting.
Welcome any suggestion.
0
Snowy Canada
Asked:
Snowy Canada
  • 2
  • 2
2 Solutions
 
Dariusz TykaICT Infrastructure Specialist Senior Commented:
It is no longer possible to set/change passwords for user accounts via GPP.  It was disabled after installation one of MS patches. As it was a security risk since those passwords could be decrypted. See more here:
https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati
https://4sysops.com/archives/introduction-to-microsoft-laps-local-administrator-password-solution/
0
 
Snowy CanadaNetwork AdministratorAuthor Commented:
Thank Dariusz for fast solution.
0
 
McKnifeCommented:
@Snowy
No, that is not the reason. Your screenshot should show a greyed-out password section. Greyed-out, because MS has patched this option away. Yours doesn't show it. That means, you have never installed any security updates on your domain controller in recent years! Very dangerous.

Please install all updates now. DCs are the most endangered servers.
Please be aware that after installing the patches, all policies of that style remain in place and passwords are easily decodable and should be assumed as being leaked! Delete these policies and migrate the remaining settings to new policies AND change the passwords.
0
 
McKnifeCommented:
What will you do about your goal to reset the admin passwords?
You should not set them to the same value everywhere, that's for sure. The following link describes a concept for safe user support. In it, you will find scripts to randomize passwords, maybe you would like to use those. If you need help, just say.
https://www.experts-exchange.com/articles/18180/A-concept-for-safe-user-support.html
0
 
Snowy CanadaNetwork AdministratorAuthor Commented:
McKnife, thank you so much for the advice.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now