ML

    Local User GPO - change?

    IT Discussion

    • Dashrender

      You're in the Preferences area of GPO, generally, those are an apply once and never again - could that apply here? So you'd have to delete it, then add it to make a change?

      For something like this I think I would rather use the Policies area - ok not rather, I do use the Policies area
      Policies > Windows Settings > Security Settings > Restricted Groups

      • Dashrender

        Well - double checking... that doesn't change the user account, that only deals with groups... so... never mind.

        • bbigford

          In common, you can set to apply once and do not reapply, but that's just for the GPO processing. I'm definitely missing something here. 😐

          • IRJ

            Microsoft took this feature away a while ago...

            https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/
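
MS14-025 stops new passwords being set through Group Policy Preferences, but it does not delete preference items that already store one in SYSVOL. An added example (not part of the original post) that lists such leftover items for cleanup; the function name and the default SYSVOL path are assumptions, and the stored value itself is never output:

```powershell
# Added example: audit SYSVOL for Group Policy Preferences items that still
# carry a stored password (non-empty cpassword attribute) after MS14-025.
# Assumption: run from a domain-joined machine with read access to SYSVOL.
function Find-GppStoredPassword {
    param(
        # Assumption: default policies path for the current user's domain.
        [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )

    # Preference files that could hold a password before the update.
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Drives.xml', 'Printers.xml'

    Get-ChildItem -Path $PoliciesPath -Recurse -File -Include $names |
    ForEach-Object {
        $file = $_
        try { [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw }
        catch { Write-Warning "Unreadable XML: $($file.FullName)"; return }

        # Any element with a non-empty cpassword attribute is a finding.
        $hits = $doc.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')
        foreach ($node in $hits) {
            [pscustomobject]@{
                GpoGuid  = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
                File     = $file.FullName
                ItemType = $node.ParentNode.Name                  # e.g. User, Drive
                ItemName = $node.ParentNode.GetAttribute('name')  # preference item name
                Modified = $file.LastWriteTime
                # The cpassword value is deliberately left out of the report.
            }
        }
    }
}

Find-GppStoredPassword | Sort-Object GpoGuid | Format-Table -AutoSize
```

An empty result means no preference item under the scanned path still stores a password; each row otherwise names a GPO and file to clean up.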

            • IRJ

              windows-update_o_1419675.jpg

              • bbigford @IRJ

                @IRJ said:

                Microsoft took this feature away a while ago...

                https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/

                Thaaat really sucks. How is everyone else doing that same function anymore?

                • bbigford @IRJ

                  @IRJ Doesn't look like Netwrix is going to be able to do what we need, nearly as easily as deploying a GPO to the server OU.

                  • bbigford @IRJ

                    @IRJ Checking out LAPS**

                    • dafyre

                      Could you deploy a PowerShell script and have that execute?

                      • bbigford @dafyre

                        @dafyre said:

                        Could you deploy a PowerShell script and have that execute?

                        I considered that. Drop it into a scheduled task somewhere. But that's not as central as having a persistent GPO. That was unsecure, I get that. But to completely undo that process instead of making it more secure? That sucks. I know convenience and security need a balance. But you should give the option of central management and just have a "beware: this is unsecure" kind of move. Or release a tool that is very similar. I'm installing LAPS on a management server. Anyone tried it?

                        • bbigford

                          LAPS looks like garbage, you can't do bulk....

                          0_1460141654554_LAPS.png

                          • IRJ

                            This is how I do it.

                            https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0

                            I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.

                            • bbigford @IRJ

                              @IRJ 0_1460142052514_PW change.jpg

                                • wirestyle22

                                  Beat me to it 😄

                                  • bbigford @IRJ

                                    @IRJ said:

                                    This is how I do it.

                                    https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0

                                    I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.

                                    Good workaround I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.

                                    • IRJ @bbigford

                                      @BBigford said:

                                      @IRJ said:

                                      This is how I do it.

                                      https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0

                                      I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.

                                      Good workaround I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.

                                      Yeah, but also update your server and desktop images with the latest passwords to make things easier.

                                      • IRJ @bbigford

                                        @BBigford said:

                                        @IRJ said:

                                        This is how I do it.

                                        https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0

                                        I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.

                                        Good workaround I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.

                                        You could do it weekly, daily, or even hourly. The script has hardly any network impact.

                                        • IRJ

                                          P.S.

                                          It is good practice to rename your local Administrator accounts to something other than Administrator. I do that with Group Policy then set the password for the updated account name once it is changed by Group Policy.

                                          • wrx7m

                                            I ran into this problem a few months ago, though some time after an upgrade of the AD schema from 47 to 69.

                                            I solved it by using a bat file that runs as a startup script right after an MDT deployment.

                                            net user "My Admin" PasswordGoesHere /add /passwordreq:yes /fullname:"My Admin"
                                            net localgroup Administrators "My Admin" /add

                                            After the new PC is then moved to its final OU, LAPS is installed and a new random password is applied.
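
A variant of the startup script above that keeps no password in the script file, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts cmdlets), an elevated startup context, and that LAPS is later configured to manage this account; `New-RandomSecureString` is a hypothetical helper name:

```powershell
# Added example: create the deployment admin account with a random throwaway
# password instead of one embedded in a .bat file.
# Assumption: LAPS later takes over this account and sets the real password.
function New-RandomSecureString {
    param([int]$Length = 24)
    # Character classes without look-alike characters.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz',
               '23456789', '!#%+-=?@'
    $all    = -join $classes
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf    = New-Object byte[] 4
    $secure = New-Object System.Security.SecureString
    try {
        for ($i = 0; $i -lt $Length; $i++) {
            # The first four characters come from one class each so the result
            # satisfies the Windows password complexity policy.
            $set = if ($i -lt $classes.Count) { $classes[$i] } else { $all }
            $rng.GetBytes($buf)
            $index = [int]([BitConverter]::ToUInt32($buf, 0) % $set.Length)
            $secure.AppendChar($set[$index])
        }
    } finally { $rng.Dispose() }
    $secure.MakeReadOnly()
    $secure
}

$name     = 'My Admin'        # account name used in the post
$adminSid = 'S-1-5-32-544'    # built-in Administrators group, language-neutral

if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    # The password exists only in memory; nothing is written to disk or logs.
    New-LocalUser -Name $name -FullName $name -Password (New-RandomSecureString) |
        Out-Null
}
if (-not (Get-LocalGroupMember -SID $adminSid -Member $name -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -SID $adminSid -Member $name
}
```

Until LAPS sets a password nobody knows the credential for this account, so keep another administrative path to the machine during deployment.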
