Local Admin PW
-
Question to you all: is there a good way to change the local admin pw on several hundred machines?
Context: we recently had someone leave, and while neither I nor my boss are worried about him, I asked what about any future employees? We have a single local admin pw on 3 different campuses with a group policy that enforces that pw. I asked what would happen if I just started changing it, and my boss said the group policy would just change it back.
So in the future what is the best way to handle this type of issue?
-
@jmoore said in Local Admin PW:
Question to you all: is there a good way to change the local admin pw on several hundred machines?
Salt, Ansible, Chef, Puppet, et al.
-
@scottalanmiller I haven't used any of those yet. Are they something like Chocolatey but with more features? Do you have a recommendation on which to use with a college that has 700-800 users?
-
@jmoore said in Local Admin PW:
@scottalanmiller I haven't used any of those yet. Are they something like Chocolatey but with more features? Do you have a recommendation on which to use with a college that has 700-800 users?
They are DevOps style state tool systems. Any of them are fine. Ansible is probably the easiest to use.
-
@scottalanmiller OK, thanks. I will start my research on them.
-
Since you are already able to manage the Local Admin PW on the machines via GPO, why change?
-
@jmoore said in Local Admin PW:
I asked what would happen if I just started changing it, and my boss said the group policy would just change it back.
That'll happen no matter what tool you use. They will fight over the change.
-
@scottalanmiller said in Local Admin PW:
@jmoore said in Local Admin PW:
I asked what would happen if I just started changing it, and my boss said the group policy would just change it back.
That'll happen no matter what tool you use. They will fight over the change.
I would expect GPO or Salt to ultimately win.
-
@dafyre said in Local Admin PW:
@scottalanmiller said in Local Admin PW:
@jmoore said in Local Admin PW:
I asked what would happen if I just started changing it, and my boss said the group policy would just change it back.
That'll happen no matter what tool you use. They will fight over the change.
I would expect GPO or Salt to ultimately win.
No, they go back and forth on their cycles.
-
@dafyre My boss told me that Microsoft took away the ability to change the passwords via GPO because of some issue where they were being sent in plain text. I have no way to verify, but that's what he told me.
-
@jmoore said in Local Admin PW:
@dafyre My boss told me that Microsoft took away the ability to change the passwords via GPO because of some issue where they were being sent in plain text. I have no way to verify, but that's what he told me.
But he also told you that it was still happening. Can't be both.
-
@jmoore said in Local Admin PW:
@dafyre My boss told me that Microsoft took away the ability to change the passwords via GPO because of some issue where they were being sent in plain text. I have no way to verify, but that's what he told me.
Seems like I remember hearing about that somewhere. Salt can do this, but I've not tested it on Windows yet.
-
@dafyre said in Local Admin PW:
@jmoore said in Local Admin PW:
@dafyre My boss told me that Microsoft took away the ability to change the passwords via GPO because of some issue where they were being sent in plain text. I have no way to verify, but that's what he told me.
Seems like I remember hearing about that somewhere. Salt can do this, but I've not tested it on Windows yet.
Yes, Salt definitely can.
-
@scottalanmiller said in Local Admin PW:
@jmoore said in Local Admin PW:
@dafyre My boss told me that Microsoft took away the ability to change the passwords via GPO because of some issue where they were being sent in plain text. I have no way to verify, but that's what he told me.
But he also told you that it was still happening. Can't be both.
You're exactly right. I see the dichotomy there. I guess I don't understand what he meant.
-
If you are in a Windows Environment take a look at LAPS
https://technet.microsoft.com/en-us/mt227395.aspx
-
I was thinking some kind of PS script would work... first result of a search led to this, which looks promising:
http://beta.itprotoday.com/management-mobility/resetting-local-administrator-password-computers
-
@tim_g said in Local Admin PW:
I was thinking some kind of PS script would work... first result of a search led to this, which looks promising:
PS could definitely do it.
-
@tim_g said in Local Admin PW:
I was thinking some kind of PS script would work... first result of a search led to this, which looks promising:
http://beta.itprotoday.com/management-mobility/resetting-local-administrator-password-computers
Thanks Tim, checking that out too.
-
@dbeato said in Local Admin PW:
If you are in a Windows Environment take a look at LAPS
https://technet.microsoft.com/en-us/mt227395.aspx
Thanks dbeato, I will look at that.
-
@scottalanmiller said in Local Admin PW:
@jmoore said in Local Admin PW:
@dafyre My boss told me that Microsoft took away the ability to change the passwords via GPO because of some issue where they were being sent in plain text. I have no way to verify, but that's what he told me.
But he also told you that it was still happening. Can't be both.
Are you sure it can't be? My guess is that whatever update removes this ability might not remove an existing GPO with it already set up (in which case there probably is a hacky way to change the password). Or maybe his boss just thinks it is still happening, I couldn't really tell you.