Local User GPO - change?
-
@IRJ Checking out LAPS
-
Could you deploy a powershell script and have that execute?
-
@dafyre said:
Could you deploy a powershell script and have that execute?
I considered that. Drop it into a scheduled task somewhere. But that's not as central as having a persistent GPO. That was unsecure, I get that. But to completely undo that process instead of making it more secure? That sucks. I know convenience and security need a balance. But you should give the option of central management and just have a "beware: this is unsecure" kind of move. Or release a tool that is very similar. I'm installing LAPS on a management server. Anyone tried it?
-
LAPS looks like garbage, you can't do bulk....
-
This is how I do it.
https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0
I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.
-
Beat me to it
-
@IRJ said:
This is how I do it.
https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0
I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.
Good workaround I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.
-
@BBigford said:
@IRJ said:
This is how I do it.
https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0
I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.
Good workaround I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.
Yeah, but also update your server and desktop images with the latest passwords to make things easier.
-
@BBigford said:
@IRJ said:
This is how I do it.
https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0
I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.
Good workaround I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.
You could do it weekly, daily, or even hourly. The script has hardly any network impact.
-
P.S.
It is good practice to rename your local Administrator accounts to something other than Administrator. I do that with Group Policy then set the password for the updated account name once it is changed by Group Policy.
-
I ran into this problem a few months ago, though some time after an upgrade of the AD schema from 47 to 69.
I solved it by using a bat file that runs as a startup script right after an MDT deployment.
net user "My Admin" PasswordGoesHere /add /passwordreq:yes /fullname:"My Admin"
net localgroup Administrators "My Admin" /add
After the new PC is then moved to its final OU, LAPS is installed and a new random password is applied.
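An added example, not code posted by anyone in this thread: the same provisioning step as the bat file above, plus the Administrator rename IRJ mentions doing through Group Policy, written as a PowerShell startup script so that no plaintext password has to live in a script on a share. The interim password is random and deliberately not recorded anywhere, on the assumption (as in wrx7m's flow) that LAPS takes the account over once the machine lands in its final OU. It assumes Windows 10 / Server 2016 or later for the Microsoft.PowerShell.LocalAccounts cmdlets; the account name "My Admin" is from the thread, and the rename target "LocalAdm-Disabled" is a placeholder.

```powershell
# Added example (not from the thread). Run as SYSTEM from a startup script or MDT task sequence.
# Creates a named local admin with a random interim password and, optionally, renames the built-in
# Administrator (RID 500) so that the name "Administrator" does not map to a real account.
#Requires -RunAsAdministrator

param(
    [string]$AdminName     = 'My Admin',          # account name used in the thread
    [string]$RenameBuiltin = 'LocalAdm-Disabled'  # assumed new name for the built-in account; '' skips the rename
)

function New-RandomPassword {
    param([int]$Length = 24)
    # Characters chosen to avoid look-alikes (0/O, 1/l/I). Uses the CSPRNG, not Get-Random.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)   # rejection sampling removes modulo bias
    $sb    = New-Object System.Text.StringBuilder
    $buf   = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    return $sb.ToString()
}

# The plaintext never leaves this process: it is converted to a SecureString and then discarded.
$secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force

if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    # Equivalent of: net user "My Admin" <pw> /add /passwordreq:yes /fullname:"My Admin"
    New-LocalUser -Name $AdminName -Password $secure -FullName $AdminName | Out-Null
} else {
    # Idempotent on re-run: rotate the interim password instead of failing on "already exists"
    Set-LocalUser -Name $AdminName -Password $secure
}

# Equivalent of: net localgroup Administrators "My Admin" /add
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $AdminName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminName
}

# Optional rename of the built-in Administrator. Match on the well-known RID 500 rather than the
# name, so the script still works on machines where Group Policy has already renamed it.
if ($RenameBuiltin) {
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtin -and $builtin.Name -ne $RenameBuiltin) {
        Rename-LocalUser -Name $builtin.Name -NewName $RenameBuiltin
    }
}
```

Because the interim password is thrown away, the account is only usable once LAPS (or whatever central tool you pick) has set and recorded a password for it; if a machine never reaches the OU where LAPS applies, the account is effectively locked rather than sitting on a password that anyone who can read the script already knows.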
-
@wrx7m said:
I ran into this problem a few months ago, though some time after an upgrade of the AD schema from 47 to 69.
I solved it by using a bat file that runs as a startup script right after an MDT deployment.
net user "My Admin" PasswordGoesHere /add /passwordreq:yes /fullname:"My Admin"
net localgroup Administrators "My Admin" /add
After the new PC is then moved to its final OU, LAPS is installed and a new random password is applied.
Hypothetically, what if you had to run LAPS against 100 servers? Growing by 10 servers every month and you don't build them all, so you don't know if the passwords are all getting set locally with the right password ... Would you still feel that is the best tool since you can't run LAPS against groups of servers like an OU?
-
@BBigford Laps won't let you set the password. It assigns random ones that you can access the plain text version of via AD.
-
@BBigford It does everything automatically, via GPO, not really one at a time. LAPS prevents each local admin from having the same password. Obviously, if you want everything to be the same then you wouldn't want to use it.
EDIT: You can still use the bat file (mentioned above) if you want to create a specific user with a specific password and assign it to the local admins group. Keep in mind that it is plain text, as was the method you were previously using.
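An added example, not posted by anyone in this thread: BBigford's worry about a growing set of servers is "how do I know the password is actually being set on all of them". With LAPS that can be answered for a whole OU from AD, without reading a single password, because the client writes ms-Mcs-AdmPwdExpirationTime alongside the password. A computer with no expiration time has never been managed; one whose time is in the past missed its scheduled rotation. The script assumes the RSAT ActiveDirectory module and a LAPS-extended schema; the OU path is a placeholder.

```powershell
# Added example (not from the thread). Coverage audit for LAPS-managed local admin passwords.
# Reads only the expiration-time attribute, which is not confidential, so the auditing account
# needs no permission to read ms-Mcs-AdmPwd itself.
#Requires -Modules ActiveDirectory

param(
    [string]$SearchBase = 'OU=Servers,DC=example,DC=local'   # placeholder OU, not from the thread
)

$expAttr = 'ms-Mcs-AdmPwdExpirationTime'

$report = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $expAttr, OperatingSystem, LastLogonDate |
    ForEach-Object {
        $raw = $_.$expAttr
        # The attribute is an Int64 FILETIME (100 ns ticks since 1601-01-01 UTC).
        # Absent means the LAPS client has never written a password for this computer.
        $expires = if ($raw) { [DateTime]::FromFileTime([int64]$raw) } else { $null }
        $status  = if (-not $expires)              { 'NoLapsPassword' }
                   elseif ($expires -lt (Get-Date)) { 'Expired' }
                   else                             { 'Managed' }
        [pscustomobject]@{
            Name            = $_.Name
            OperatingSystem = $_.OperatingSystem
            LastLogonDate   = $_.LastLogonDate
            PasswordExpires = $expires
            Status          = $status
        }
    }

# Summary first, then the machines that need attention, oldest logon first so that
# decommissioned boxes that never checked in stand out from live ones where the GPO is not applying.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Status -ne 'Managed' | Sort-Object LastLogonDate | Format-Table -AutoSize

# To force a fresh password on the next Group Policy refresh for everything that is not 'Managed',
# the AdmPwd.PS module that ships with LAPS provides Reset-AdmPwdPassword; uncomment to use it:
# $report | Where-Object Status -ne 'Managed' | ForEach-Object { Reset-AdmPwdPassword -ComputerName $_.Name }
```

Run it on a schedule against each server OU and the "NoLapsPassword" bucket tells you exactly which of the ten new machines a month were built without the LAPS client or landed outside the OU where the GPO applies.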