Local User GPO - change?
-
You're in the Preferences area of GPO, generally, those are an apply once and never again - could that apply here? So you'd have to delete it, then add it to make a change?
For something like this I think I would rather use the Policies area - ok not rather, I do use the Policies area
Policies > Windows Settings > Security Settings > Restricted Groups -
Well - double checking.. that doesn't change the user account, that only deals with groups.. so... nevermind.
-
In common, you can set to apply once and do not reapply, but that's just for the GPO processing. I'm definitely missing something here.
-
Microsoft took this feature away a while ago...
https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/
-
-
@IRJ said:
Microsoft took this feature away a while ago...
https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/
Thaaat really sucks. How is everyone else doing that same function anymore?
-
@IRJ Doesn't look like Netwrix is going to be able to do what we need, nearly as easily as deploying a GPO to the server OU.
-
@IRJ Checking out LAPS**
-
Could you deploy a powershell script and have that execute?
-
@dafyre said:
Could you deploy a powershell script and have that execute?
I considered that. Drop it into a scheduled task somewhere. But that's not as central as having a persistent GPO. That was unsecure, I get that. But to completely undo that process instead of making it more secure? That sucks. I know convenience and security need a balance. But you should give the option of central management and just have a "beware: this is unsecure" kind of move. Or release a tool that is very similar. I'm installing LAPS on a management server. Anyone tried it?
-
LAPS looks like garbage, you can't do bulk....
-
This is how I do it.
https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0
I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.
-
-
This post is deleted! -
Beat me to it
-
@IRJ said:
This is how I do it.
https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0
I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.
Good work around I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.
-
@BBigford said:
@IRJ said:
This is how I do it.
https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0
I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.
Good work around I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.
Yeah, but also update your server and desktop images with the latest passwords to make things easier.
-
@BBigford said:
@IRJ said:
This is how I do it.
https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0
I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.
Good work around I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.
You could do it weekly, daily, or even hourly. The script has hardly any network impact.
-
P.S.
It is good practice to rename your local Administrator accounts to something other than Administrator. I do that with Group Policy then set the password for the updated account name once it is changed by Group Policy.
-
I ran into this problem a few months ago, though some time after an upgrade of the AD schema from 47 to 69.
I solved it by using a bat file that runs as a startup script right after an MDT deployment.
net user "My Admin" PasswordGoesHere /add /passwordreq:yes /fullname:"My Admin"
net localgroup Administrators "My Admin" /addAfter the new PC is then moved to its final OU, LAPS is installed and a new random password is applied.
