kcnychief (Posts: 0) | 03/16/2009 6:44 AM
We have about 300 or so servers and workstations, with varying local administrative accounts - Some are called Administrator, some are called Admin.
Currently, the password is the same regardless of it being a workstation or server. What I would like to do is use GPP, and push out changed passwords for these accounts. I'm also going to disable any instance of Administrator, and make sure Admin exists and manage the password for that for consistency. I will be generating random passwords for each machine, so each machine has a unique local admin password.
While the work will be front-loaded, as in creating a separate GPP for each machine based on the name, I'm wondering how I can easily verify the success of this job. As in, can I have the GPP somehow run its course, then write a file, reg key, etc, letting me know it worked? I assume if I know what registry key would get modified, I can then run a query for that particular key and get the modified date.
Just wondering if anyone had any suggestions on how to easily verify this job was successful, and where I may need to follow up. I don't want to disable the "Administrator" account until I know that the machine will be functional with the new password for the "Admin" account.
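A caveat on the mechanism proposed above, added here by the editor and not part of the original thread: a Group Policy Preferences item that sets a local account password is stored in SYSVOL (a Groups.xml under the GPO's Machine\Preferences\Groups folder) with the password in a `cpassword` attribute, AES-256-CBC encrypted under a fixed key that Microsoft published in the MS-GPPREF specification (section 2.2.1.1.4). Every authenticated domain user can read SYSVOL, so every password pushed this way is recoverable by every user in the domain. Microsoft removed the password fields from the GPP editor with MS14-025 in May 2014, long after this thread. The functions below round-trip a value through that scheme and pull credentials out of a Groups.xml fragment; the XML fragment and the sample password are constructed for the example, and the code requires PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): shows why a GPP-set local password is recoverable by
# anyone who can read SYSVOL. The 32-byte key is the one published in MS-GPPREF 2.2.1.1.4.
$GppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $GppKey
    $aes.IV      = New-Object byte[] 16      # GPP uses an all-zero IV
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes
}

function ConvertTo-GppCPassword {
    # Encrypts the way the GPP editor did: UTF-16LE plaintext, AES-256-CBC, base64 with '=' padding stripped.
    param([Parameter(Mandatory)][string]$Password)
    $aes   = New-GppAes
    $plain = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $enc   = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    [Convert]::ToBase64String($enc).TrimEnd('=')
}

function ConvertFrom-GppCPassword {
    # Reverses the above. Anyone with the spec can do this; the key is not a secret.
    param([Parameter(Mandatory)][string]$CPassword)
    $padded = $CPassword + ('=' * ((4 - $CPassword.Length % 4) % 4))   # restore base64 padding
    $cipher = [Convert]::FromBase64String($padded)
    $aes    = New-GppAes
    $plain  = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.Text.Encoding]::Unicode.GetString($plain)
}

function Get-GppCredentialFromXml {
    # Parses a Groups.xml document (found under <GPO GUID>\Machine\Preferences\Groups\ in SYSVOL)
    # and returns every user item that carries a cpassword, decrypted.
    param([Parameter(Mandatory)][string]$XmlText)
    $doc = [xml]$XmlText
    foreach ($p in $doc.SelectNodes('//User/Properties[@cpassword]')) {
        [pscustomobject]@{
            UserName = $p.userName
            NewName  = $p.newName
            Password = ConvertFrom-GppCPassword $p.cpassword
            Disabled = ($p.acctDisabled -eq '1')
        }
    }
}

# Constructed sample: roughly what one per-machine GPP item for "Admin" leaves in SYSVOL.
# The password is made up for this example.
$sampleCPassword = ConvertTo-GppCPassword 'Example-Only-P@ss1'
$sampleGroupsXml = @"
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Admin" changed="2009-03-16 12:00:00">
    <Properties action="U" newName="" fullName="" description="" cpassword="$sampleCPassword"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Admin"/>
  </User>
</Groups>
"@

Get-GppCredentialFromXml -XmlText $sampleGroupsXml | Format-Table -AutoSize
```

Run against a real domain, the same parser would be pointed at `\\<domain>\SYSVOL\<domain>\Policies\*\Machine\Preferences\Groups\Groups.xml`, which is exactly what the thread's one-GPP-per-machine design would populate with 300 recoverable passwords. Note also that the `changed` timestamp on the item only records when the GPO was edited, not when any client applied it, which is why the verification question in the thread cannot be answered from SYSVOL.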
kcnychief (Posts: 0) | 03/16/2009 6:55 AM
Furthermore, I would like some sort of file or registry key to scan for, letting me know the account was used. This may occur from time-to-time for our support personnel, and would like to be able to monitor use so I can then push out a new password to that machine.
Darren (Posts: 103) | 03/16/2009 7:39 PM
Derek-
Have you checked to see if a security audit event is generated whenever a local password is changed? I think it should be, and that would be your best bet to check this. Local account passwords are stored in the local SAM and so there's no easy registry value you can look at to verify its success. Of course, you can always check to ensure that GP processing succeeded, which is a good indication, though not a guarantee, that the password change took.
Darren
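The three signals suggested in this reply, plus the "was the account used" question from the post before it, can be checked per machine without touching the registry. The function below is an added example by the editor, not code from the thread: it looks for Security event 4724 ("An attempt was made to reset an account's password") and 4624 (logon) with the account as target, for the Group Policy operational log event 5016/7016 that the Local Users and Groups client-side extension writes, and then reads the SAM through the WinNT ADSI provider, whose `PasswordAge` is the seconds since the password was last set. The computer names are constructed; the account name and 24-hour cutoff are assumptions. It needs Vista/2008 or later on the target (on XP/2003 the equivalent Security IDs are 628 for a reset and 528/540 for a logon, readable with `Get-EventLog`) and "Audit account management" and "Audit logon events" success auditing enabled there; the script itself needs PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): per-machine check of whether the "Admin" reset really happened
# and whether the account has been used since, using the audit trail, the GP operational log and the SAM.

function Get-SecurityEventsForAccount {
    # Security events of the given IDs whose TargetUserName equals $Account, created after $Since.
    param([string]$Computer, [int[]]$Id, [string]$Account, [datetime]$Since)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $Id; StartTime = $Since
    } | Where-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text' -eq $Account
    }
}

function Test-LocalPasswordReset {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [string]$Account = 'Admin',                       # assumed account name
        [datetime]$Since = (Get-Date).AddHours(-24)       # assumed cutoff: the GPP push window
    )
    $result = [ordered]@{ Computer = $Computer; Account = $Account }

    # 1. Audit trail: 4724 = password reset (what SetPassword/GPP does), 4624 = logon (account was used).
    $result.ResetEvents4724 = @(Get-SecurityEventsForAccount $Computer 4724 $Account $Since).Count
    $result.Logons4624      = @(Get-SecurityEventsForAccount $Computer 4624 $Account $Since).Count

    # 2. Did the Local Users and Groups CSE finish? 5016 = completed, 7016 = failed (GP operational log).
    $cse = Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 5016,7016; StartTime = $Since
    } | Where-Object { $_.Message -like '*Local Users and Groups*' } | Select-Object -First 1
    $result.CseEvent = if ($cse) { $cse.Id } else { $null }

    # 3. Ground truth from the SAM: PasswordAge (seconds since last set) must be younger than the cutoff.
    #    UserFlags bit 0x2 (ADS_UF_ACCOUNTDISABLE) says whether the account is currently disabled.
    try {
        $user = [ADSI]"WinNT://$Computer/$Account,user"
        $age  = [int]$user.PasswordAge.Value
        $result.PasswordSetAt            = (Get-Date).AddSeconds(-$age)
        $result.PasswordChangedSinceCutoff = $result.PasswordSetAt -gt $Since
        $result.Disabled                 = ([int]$user.UserFlags.Value -band 0x2) -ne 0
    } catch {
        $result.PasswordSetAt = $null
        $result.PasswordChangedSinceCutoff = $false
        $result.Disabled = $null
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Sweep a constructed machine list; in practice feed it from Get-ADComputer or a text file.
# Machines where the SAM does not confirm the change are the ones to follow up on.
$machines = 'WS001','WS002','SRV01'
$machines | ForEach-Object { Test-LocalPasswordReset -Computer $_ -Account 'Admin' } |
    Where-Object { -not $_.PasswordChangedSinceCutoff } | Format-Table -AutoSize
```

Signal 3 is the one to trust: a 5016 only says the extension ran, and a 4724 only says a reset was attempted, while `PasswordAge` is read from the SAM that the logon will actually be checked against. Remote event log reads need the "Remote Event Log Management" firewall exception on the target, and `Logons4624` greater than zero is the trigger for the rotation the earlier post asked about.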
ignaciorenuncio (Posts: 5) | 04/16/2009 4:24 AM
Hi,
You can write a small script to do the changes, hooked to machine startup through a single GPO, and verify in the script code that the new password has been set successfully. If not, you could send an automatic email to your email account; this way you'll know immediately if a machine's password has not been changed. Or you could send an automatic email with the new password just created for that machine; that way you can use a single GPO.
The script is simple indeed, and you can also add a line of code to distinguish between servers and workstations (it seems that you want different actions for each of them).
Ignacio.-
kcnychief (Posts: 0) | 06/04/2009 12:05 PM
More of an FYI, but I think I figured out how this can be accomplished. I came across this script online, which will reset the local account password and create a file with date/time attributes I can monitor globally.
http://it-experts.dk/cfs-filesystemfile.ashx/__key/CommunityServer.Components.PostAttachments/00.00.00.43.31/SetLocalPassword.v2.txt
Seems sufficient for what I needed, just sharing in case anyone else can use it.
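The two previous replies converge on the same design: one startup script in one GPO that resets the local account, verifies the result itself, and leaves a timestamped trace that can be swept centrally. The script below is an added example by the editor, not the linked SetLocalPassword.v2.txt and not code from either poster. It generates the password from a CSPRNG on the machine itself (so nothing is authored per machine and nothing lands in SYSVOL), verifies the reset by re-reading `PasswordAge` from the SAM rather than trusting its own success code, records the server/workstation role, and appends an outcome line to a marker file whose LastWriteTime is the "did it run" signal. The account name, marker directory and rotation age are assumptions, as is the `Send-ToEscrow` helper named in a comment: how the new password reaches the helpdesk is the weak point of both earlier suggestions, since a clear-text e-mail or a readable marker file would expose it, so this example deliberately writes only the outcome and leaves the escrow to an encrypted store. Requires PowerShell 3.0 or later, run as SYSTEM via a computer startup script.

```powershell
# Added example (not from the thread): startup-script reset of the local "Admin" account with
# self-verification and a marker file. Account, marker path and rotation age are assumptions.
$Account    = 'Admin'
$MarkerDir  = 'C:\ProgramData\LocalAdminReset'   # assumed; sweep it remotely through the admin share
$MinAgeDays = 30                                 # rotate only when the current password is older than this

function New-RandomPassword {
    # CSPRNG-backed; rejection sampling so every alphabet character is equally likely (no modulo bias).
    param([int]$Length = 20)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%+-=?@'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $byte  = New-Object byte[] 1
    $chars = New-Object char[] $Length
    $limit = 256 - (256 % $alphabet.Length)
    for ($i = 0; $i -lt $Length; ) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { $chars[$i] = $alphabet[$byte[0] % $alphabet.Length]; $i++ }
    }
    -join $chars
}

function Get-MachineRole {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    switch ((Get-WmiObject Win32_OperatingSystem).ProductType) {
        1       { 'Workstation' }
        2       { 'DomainController' }
        default { 'Server' }
    }
}

function Reset-LocalAdminPassword {
    param([string]$Account, [string]$MarkerDir, [int]$MinAgeDays)
    $computer = $env:COMPUTERNAME
    $status = [ordered]@{ Computer = $computer; Role = Get-MachineRole; Account = $Account
                          When = Get-Date -Format o; Result = 'FAILED: unknown' }
    try {
        $user    = [ADSI]"WinNT://$computer/$Account,user"
        $ageDays = [int]$user.PasswordAge.Value / 86400
        if ($ageDays -lt $MinAgeDays) {
            $status.Result = "skipped (password is $([math]::Round($ageDays, 1)) days old)"
        } else {
            $new = New-RandomPassword
            $user.SetPassword($new)
            $user.SetInfo()
            $user.RefreshCache()
            # Verify against the SAM, not our own call: PasswordAge drops to about 0 on success.
            if ([int]$user.PasswordAge.Value -lt 60) {
                $status.Result = 'changed'
                # $new must now reach the helpdesk. It is deliberately not written to the marker file
                # and not mailed in clear; hand it to an encrypted store here (assumed helper, not defined):
                # Send-ToEscrow -Computer $computer -Account $Account -Password $new
            } else {
                $status.Result = 'FAILED: PasswordAge did not reset'
            }
        }
    } catch {
        $status.Result = "FAILED: $($_.Exception.Message)"
    }
    if (-not (Test-Path $MarkerDir)) { New-Item -ItemType Directory -Path $MarkerDir | Out-Null }
    # One line per run. The file's LastWriteTime is the "did it run" signal the OP wanted;
    # the content says what happened, and never contains the password.
    ($status.Values -join '|') | Out-File -Append -Encoding ascii (Join-Path $MarkerDir "$Account.log")
    [pscustomobject]$status
}

Reset-LocalAdminPassword -Account $Account -MarkerDir $MarkerDir -MinAgeDays $MinAgeDays
```

The marker file answers "did the job run and succeed" for a central sweep, but not the OP's last concern, whether a logon with the new password works; that is only proven by an actual logon, which is why disabling the built-in Administrator should wait for a confirmed 4624 with the new account rather than for the marker.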