Local Admin PW

jmoore

@dafyre My boss told me that microsoft took away the ability to change the passwords via gpo because of some issue where they were being sent in plain text. I have no way to verify but thats what he told me

scottalanmiller

@jmoore said in Local Admin PW:

@dafyre My boss told me that microsoft took away the ability to change the passwords via gpo because of some issue where they were being sent in plain text. I have no way to verify but thats what he told me

But he also told you that it was still happening. Can't be both.

dafyre

@jmoore said in Local Admin PW:

@dafyre My boss told me that microsoft took away the ability to change the passwords via gpo because of some issue where they were being sent in plain text. I have no way to verify but thats what he told me

Seems like I remember hearing about that somewhere. Salt can do this, but I've not tested it on Windows yet.

scottalanmiller

@dafyre said in Local Admin PW:

@jmoore said in Local Admin PW:

@dafyre My boss told me that microsoft took away the ability to change the passwords via gpo because of some issue where they were being sent in plain text. I have no way to verify but thats what he told me

Seems like I remember hearing about that somewhere. Salt can do this, but I've not tested it on Windows yet.

Yes, Salt definitely can.

jmoore

@scottalanmiller said in Local Admin PW:

@jmoore said in Local Admin PW:

@dafyre My boss told me that microsoft took away the ability to change the passwords via gpo because of some issue where they were being sent in plain text. I have no way to verify but thats what he told me

But he also told you that it was still happening. Can't be both.

your exactly right. I see the dichotomy there. I guess i don't understand what he meant.

dbeato

If you are in a Windows Environment take a look at LAPS
https://technet.microsoft.com/en-us/mt227395.aspx

Obsolesce

I was thinking some kind of PS script would work... first result of a search lead to this, which looks promising:

http://beta.itprotoday.com/management-mobility/resetting-local-administrator-password-computers

scottalanmiller

@tim_g said in Local Admin PW:

I was thinking some kind of PS script would work... first result of a search lead to this, which looks promising:

PS could definitely do it.

jmoore

@tim_g said in Local Admin PW:

I was thinking some kind of PS script would work... first result of a search lead to this, which looks promising:

http://beta.itprotoday.com/management-mobility/resetting-local-administrator-password-computers

thanks tim, checking that out too

jmoore

@dbeato said in Local Admin PW:

If you are in a Windows Environment take a look at LAPS
https://technet.microsoft.com/en-us/mt227395.aspx

thanks dbeato, i will look at that

flaxking

@scottalanmiller said in Local Admin PW:

@jmoore said in Local Admin PW:

@dafyre My boss told me that microsoft took away the ability to change the passwords via gpo because of some issue where they were being sent in plain text. I have no way to verify but thats what he told me

But he also told you that it was still happening. Can't be both.

Are you sure it can't be? My guess is that whatever update removes this ability might not remove an existing GPO with it already setup (in which case there probably is a hacky way to change the password). Or maybe his boss just thinks it is still happening, I couldn't really tell you.

DustinB3403

@flaxking said in Local Admin PW:

@scottalanmiller said in Local Admin PW:

@jmoore said in Local Admin PW:

@dafyre My boss told me that microsoft took away the ability to change the passwords via gpo because of some issue where they were being sent in plain text. I have no way to verify but thats what he told me

But he also told you that it was still happening. Can't be both.

Are you sure it can't be? My guess is that whatever update removes this ability might not remove an existing GPO with it already setup. Or maybe his boss just thinks it is still happening, I couldn't really tell you.

There would be an easy way to test.

Change the password locally, reboot, perform a gpupdate and see if the old password works again.

scottalanmiller

@flaxking said in Local Admin PW:

@scottalanmiller said in Local Admin PW:

@jmoore said in Local Admin PW:

@dafyre My boss told me that microsoft took away the ability to change the passwords via gpo because of some issue where they were being sent in plain text. I have no way to verify but thats what he told me

But he also told you that it was still happening. Can't be both.

Are you sure it can't be? My guess is that whatever update removes this ability might not remove an existing GPO with it already setup (in which case there probably is a hacky way to change the password). Or maybe his boss just thinks it is still happening, I couldn't really tell you.

There is no reason to think that. Implementing one system would not imply any removal of another. Just as how GPO doesn't remove any other system.

coliver

@jmoore said in Local Admin PW:

@dafyre My boss told me that microsoft took away the ability to change the passwords via gpo because of some issue where they were being sent in plain text. I have no way to verify but thats what he told me

I don't think it was plain text but it was such a weak cipher it might as well have been.

jmoore

@coliver said in Local Admin PW:

@jmoore said in Local Admin PW:

@dafyre My boss told me that microsoft took away the ability to change the passwords via gpo because of some issue where they were being sent in plain text. I have no way to verify but thats what he told me

I don't think it was plain text but it was such a weak cipher it might as well have been.

got it. one and the same to him I am guessing

jmoore

@flaxking said in Local Admin PW:

@scottalanmiller said in Local Admin PW:

@jmoore said in Local Admin PW:

@dafyre My boss told me that microsoft took away the ability to change the passwords via gpo because of some issue where they were being sent in plain text. I have no way to verify but thats what he told me

But he also told you that it was still happening. Can't be both.

Are you sure it can't be? My guess is that whatever update removes this ability might not remove an existing GPO with it already setup (in which case there probably is a hacky way to change the password). Or maybe his boss just thinks it is still happening, I couldn't really tell you.

Well he definitely said both. So maybe Microsoft took away his ability to change passwords but the gpo itself still remembers the last one and so will change it back if I go and change it ?

jmoore

@dustinb3403 said in Local Admin PW:

@flaxking said in Local Admin PW:

@scottalanmiller said in Local Admin PW:

@jmoore said in Local Admin PW:

@dafyre My boss told me that microsoft took away the ability to change the passwords via gpo because of some issue where they were being sent in plain text. I have no way to verify but thats what he told me

But he also told you that it was still happening. Can't be both.

Are you sure it can't be? My guess is that whatever update removes this ability might not remove an existing GPO with it already setup. Or maybe his boss just thinks it is still happening, I couldn't really tell you.

There would be an easy way to test.

Change the password locally, reboot, perform a gpupdate and see if the old password works again.

testing that now that i have a few min free time

gjacobse

This is the simple Net Use I came up with. Granted I was running it through the ScreenConnect COMMAND line tool,.. but it worked every time.

net user USERNAME "Pa$$w0rd149" /add /passwordreq:yes /fullname:"User Name" && net localgroup administrators USERNAME /add

You can do this via Powershell - but I don't have that yet.

Mike Davis

@jmoore said in Local Admin PW:

@dafyre My boss told me that microsoft took away the ability to change the passwords via gpo because of some issue where they were being sent in plain text. I have no way to verify but thats what he told me

This is true. An automatic update now disables the ability to change the password if you were setting it that way. If you try to edit an existing policy, you get this warning:

And if you click OK, you get this where the password field is disabled:

Mike Davis

Oddly enough, the password seems to be encrypted when you view the Groups.xml file that creates that policy, but maybe it doesn't take much to reverse it. The code looks like this:

<?xml version="1.0" encoding="UTF-8"?>

-<Groups clsid="{3125E937-EB16-4b4c-9934-54123DEA4D26}">


-<User clsid="{DF5F1855-51E5-4d24-8B1A-D9AD348BA1D1}" removePolicy="0" userContext="0" uid="{E2123A2D-7D20-4C9A-A2C9-474CFAF1E5FE}" changed="2017-01-25 14:28:38" image="2" name="user">

<Properties userName="user" subAuthority="" acctDisabled="0" neverExpires="1" noChange="1" changeLogon="0" cpassword="TAF+vMr9+ieePdksvnsN/2i0T+u3P5E+PQ08jnVEgHs" description="" fullName="" newName="" action="U"/>

</User>


-<Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" uid="{617359A3-9040-4F00-BFED-0FE86588FAF1}" changed="2017-01-25 14:31:18" image="2" name="Administrators (built-in)">


-<Properties description="" newName="" action="U" groupName="Administrators (built-in)" groupSid="S-1-5-32-544" removeAccounts="0" deleteAllGroups="0" deleteAllUsers="0">


-<Members>

<Member name=".\user" action="ADD" sid=""/>

</Members>

</Properties>

</Group>

</Groups>