@mike-davis said in Local Admin PW:
I keep hearing people mention Salt. Is anyone using this in their environment to manage Windows machines? I was trying to get an idea of how much work it would be to deploy it to just do the local user password change task, and came across this in regards to installing the client on the minion:
CREATE THE UNPRIVILEGED USER THAT THE SALT MINION WILL RUN AS
Click Start > Control Panel > User Accounts.
Click Add or remove user accounts.
Click Create new account.
Enter salt-user (or a name of your preference) in the New account name field.
Select the Standard user radio button.
Click the Create Account button.
Click on the newly created user account.
Click the Create a password link.
In the New password and Confirm new password fields, provide a password (e.g. "SuperSecretMinionPassword4Me!").
In the Type a password hint field, provide appropriate text (e.g. "My Salt Password").
Click the Create password button.
Close the Change an Account window.
ADD THE NEW USER TO THE ACCESS CONTROL LIST FOR THE SALT FOLDER
In a File Explorer window, browse to the path where Salt is installed (the default path is C:\Salt).
Right-click on the Salt folder and select Properties.
Click on the Security tab.
Click the Edit button.
Click the Add button.
Type the name of your designated Salt user and click the OK button.
Check the box to Allow the Modify permission.
Click the OK button.
Click the OK button to close the Salt Properties window.
UPDATE THE WINDOWS SERVICE USER FOR THE SALT-MINION SERVICE
Click Start > Administrative Tools > Services.
In the Services list, right-click on salt-minion and select Properties.
Click the Log On tab.
Click the This account radio button.
Provide the account credentials created in section A.
Click the OK button.
Click the OK button to the prompt confirming that the user has been granted the Log On As A Service right.
Click the OK button to the prompt confirming that The new logon name will not take effect until you stop and restart the service.
Right-Click on salt-minion and select Stop.
Right-Click on salt-minion and select Start.
That's a whole lot of manual stuff on each machine just to get the client installed. Am I reading that right or is there an easier way?
I use Salt to manage Windows workstations.
That's just if you don't want it to run as the 'root' user, which I've never had any incentive to change.
Run the bootstrap script on your Salt master. Point 'salt' in your DNS to the Salt master and install it on your workstations via the Windows installer, and then you have Salt operational. However, I would suggest alternatively specifying a public DNS name that you can control in order to future-proof for when you're ready to move outside your LAN. However, you could just use Salt to change that too!
Of course you have to go deeper down the rabbit hole to get a 'nice' setup.
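The three manual sections quoted in the question (create the account, grant Modify on the Salt folder, change the service logon) can be scripted per machine. The PowerShell below is an added example, not part of the thread or the Salt documentation; it assumes an elevated Windows PowerShell 5.1+ session and the names from the quoted steps (`salt-user`, `C:\Salt`, `salt-minion`), with the temporary file names chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Salt docs). Names below come from the quoted steps.
$ErrorActionPreference = 'Stop'
$UserName = 'salt-user'; $SaltDir = 'C:\Salt'; $Service = 'salt-minion'
$Password = Read-Host -AsSecureString "Password for $UserName"

# 1. Create the unprivileged account and add it to BUILTIN\Users ("Standard user").
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Password -Description 'Salt minion service account' | Out-Null
    Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $UserName
}
$Sid = (Get-LocalUser -Name $UserName).SID.Value

# 2. Allow Modify on the Salt folder, inherited by subfolders (CI) and files (OI).
icacls.exe $SaltDir /grant "*${Sid}:(OI)(CI)M" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE)" }

# 3a. Grant "Log on as a service". The Services console does this implicitly
#     (see the confirmation prompt in the quoted steps); a scripted service
#     change does not, so the local user-rights policy is edited via secedit.
$Inf = Join-Path $env:TEMP 'salt-rights.inf'   # constructed temp file names
$Sdb = Join-Path $env:TEMP 'salt-rights.sdb'
secedit.exe /export /cfg $Inf /areas USER_RIGHTS | Out-Null
$Policy = Get-Content $Inf
if (-not ($Policy -match "^SeServiceLogonRight\b.*\*$Sid\b")) {
    if ($Policy -match '^SeServiceLogonRight\b') {
        # Append the SID to the existing assignment line.
        $Policy = $Policy -replace '^(SeServiceLogonRight\s*=.*)$', "`$1,*$Sid"
    } else {
        # No assignment yet: add one directly under the section header.
        $Policy = $Policy -replace '^\[Privilege Rights\]$', "`$0`r`nSeServiceLogonRight = *$Sid"
    }
    Set-Content -Path $Inf -Value $Policy -Encoding Unicode
    secedit.exe /configure /db $Sdb /cfg $Inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit failed ($LASTEXITCODE)" }
}
Remove-Item $Inf, $Sdb -ErrorAction SilentlyContinue

# 3b. Point the service at the new account, then restart it so the change takes effect.
$Plain = [System.Net.NetworkCredential]::new('', $Password).Password
$Result = Get-CimInstance Win32_Service -Filter "Name='$Service'" |
    Invoke-CimMethod -MethodName Change -Arguments @{ StartName = ".\$UserName"; StartPassword = $Plain }
$Plain = $null
if ($Result.ReturnValue -ne 0) { throw "Service change failed ($($Result.ReturnValue))" }
Restart-Service -Name $Service
```

Using one shared password for this account on every workstation recreates the shared local-credential exposure the thread is trying to remove, so generate it per machine if the script is pushed fleet-wide.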