List Archives

Subject: [ActiveDir] startup script local admin password reset
anujattree, 06/23/2007 8:04 AM
Hi All

Need help.... I do want to change the local admin password of all computers in an example.com domain. I've made a script that does work when run in a virtual environment using 1 DC (Windows Server 2003) and 1 Windows XP SP2 client. I followed these steps when doing the same:
1> made a test OU in my example.com domain
2> made a GPO and configured a startup script, provided the share path of the script and log file (the actions are logged in the same)
3> put 1 computer in the test OU
4> started the computer and it did work

The same thing I am trying to implement in my company's domain. For testing I've made a test OU and put 5 computers there, created a GPO and provided the share path of the script. But when the computer is started no script runs. We're running a Windows 2000 Active Directory domain, Windows XP SP2 clients.
I've carried out some tests/facts which are as follows:
1> made a simple drive mapping script and put it in the logon script. It does work. It means the GPO has applied on this test OU.
2> put the admin password change script in the same shared folder and put it in the startup script. But it doesn't work.
3> working in a multiple DCs environment, and using the DC which lies in the computers' site on which testing is carried out.
Please let me know if you require further information in this regard. I do want to implement the same in our domain, which would save a lot of time and will automate the activity.

Thanks in advance...

--
Regards
Anuj Attree
bdesmond, 06/23/2007 8:19 AM
You do realize that by putting this script out there anyone and
everyone in your domain can just go look at the script and write the password
down right?

Thanks,

Brian Desmond

brian@briandesmond.com

c - 312.731.3132

anujattree, 06/23/2007 8:27 AM
This would be a startup script and would run when computers log into the domain. Some kind of security permissions can be assigned so that only computer a/cs logging in would be able to read and execute the same. I am not much sure about this and would carry out further tests before implementation.
If you've a better solution, I would really appreciate it if you share the same with me.

Regards,
Anuj Attree
skaufman-itt, 06/23/2007 8:47 AM
In my environment, I have to regularly change the local administrator password on the machines (and other maintenance items). I have cobbled together vbscript & batch files to do these.

Initially, how I set it up:
Create a new GPO linked to the OUs that contains a computer startup script.
Set the security on the GPO so that domain computers have apply (removed everyone from apply)
Put the script/files in the GPO folder (easiest to do when you browse for the computer startup script--copy paste the file)
Let the script run for one week
Deleted the script "FILE" -- not the GPO

Computers would access the file via \\domain.com\sysvol\domain.com\policies\...
I have since changed this.
The computer startup script GPO still references the same script file (as well as setting other computer related items).
The computer startup script file calls another vbscript file to change the local admin password
The secondary vbscript file is acl'd so that only domain computers can read it behind a hidden share
When I need to change the local admin password, I edit the original script on my machine with the new password & copy it to the file share
After a week, I delete the script from the file share

Does it totally protect the local admin password .... no
Does it make the casual user harder to find it .. yes (in my environment)
Is this the best option ... no

HTH

Scott Kaufman, MCSE Lead Network Administrator ITT ESI, Inc. Office: (317) 706-9266 Cell: (317) 201-0390 SKaufman@ITTESI.com
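Scott's approach depends on the script file's ACL letting only domain computers and admins read it. As an added example (not Scott's code or anything posted to the list), here is a Python audit that parses the output of `icacls <file>` and flags broad principals with read rights; the icacls text, the server name srv01 and the EXAMPLE group names are constructed.

```python
"""Audit the NTFS ACL of a password-changing startup script.

Parses the text that `icacls <file>` prints and flags any broad principal
(Everyone, Authenticated Users, Domain Users, ...) that can read the file.
The icacls output, server and group names below are constructed for this
example; run it offline as-is, or feed it real icacls output.
"""
import re
from typing import Dict, List, Set, Tuple

# Principals that amount to "any domain user can read it" (constructed list;
# add your own broad groups as needed). Compared case-insensitively.
BROAD_PRINCIPALS = {
    "everyone",
    "nt authority\\authenticated users",
    "builtin\\users",
    "example\\domain users",
}
# icacls rights that allow reading file contents (simple and fine-grained forms).
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "RD"}
# Inheritance flags icacls prints next to rights; they grant nothing by themselves.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

Ace = Tuple[str, Set[str]]   # (principal, set of right tokens)


def parse_icacls(output: str) -> Dict[str, List[Ace]]:
    """Parse icacls output into {path: [(principal, rights), ...]}.

    icacls prints "<path> <principal>:(flags)(rights)" for the first ACE of a
    file and indents each further ACE on its own line. Assumes paths contain
    no spaces (principals may).
    """
    acls: Dict[str, List[Ace]] = {}
    path = None
    for raw in output.splitlines():
        if not raw.strip() or raw.startswith("Successfully"):
            continue                       # blank line or trailing summary
        if raw[0] not in " \t":
            path, _, ace = raw.strip().partition(" ")   # new file entry
            acls[path] = []
        else:
            ace = raw.strip()              # continuation ACE for the same file
        if path is None:
            continue
        who, sep, flags = ace.rpartition(":")
        if not sep:
            continue                       # not an ACE line
        tokens: Set[str] = set()
        for group in re.findall(r"\(([^)]*)\)", flags):
            tokens.update(t.strip() for t in group.split(","))
        if "DENY" in tokens:
            continue                       # deny ACEs grant nothing
        acls[path].append((who, tokens - INHERIT_FLAGS))
    return acls


def broad_readers(aces: List[Ace]) -> List[str]:
    """Principals in BROAD_PRINCIPALS whose ACE grants any read right."""
    return [who for who, rights in aces
            if who.lower() in BROAD_PRINCIPALS and rights & READ_RIGHTS]


def audit(output: str) -> Dict[str, List[str]]:
    """Map each audited file to the broad principals that can read it ([] = ok)."""
    return {path: broad_readers(aces) for path, aces in parse_icacls(output).items()}


# Constructed icacls output: the first file is shared the way the thread warns
# against, the second is locked down to Domain Computers and admins.
SAMPLE_ICACLS = r"""\\srv01\netlogon\setpw.vbs EXAMPLE\Domain Admins:(F)
                          NT AUTHORITY\SYSTEM:(F)
                          BUILTIN\Administrators:(I)(F)
                          NT AUTHORITY\Authenticated Users:(I)(RX)

\\srv01\hidden$\setpw.vbs EXAMPLE\Domain Admins:(F)
                          NT AUTHORITY\SYSTEM:(F)
                          EXAMPLE\Domain Computers:(R)
                          Everyone:(DENY)(R)
Successfully processed 2 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, exposed in audit(SAMPLE_ICACLS).items():
        status = "EXPOSED to " + ", ".join(exposed) if exposed else "ok"
        print(f"{path}: {status}")
```

The check only covers NTFS ACEs; the share permissions on the hidden share have to be reviewed separately.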
amulnick, 06/23/2007 8:49 AM
Why a startup script? Why not just remotely change the passwords? You don't really have a guarantee that the machines will even be rebooted (think laptop that hibernates vs. reboot). When you put the share in the script, is that share the netlogon share? Or something custom?
What else do you have at your disposal? Do you have a patching or software distribution system? I do agree with Brian that using something like that can be dangerous and should be protected so that it doesn't get misused.

Al
listmail, 06/23/2007 9:44 AM
Do the users have the ability to schedule tasks or install services? If so, they can easily get to the startup script. Can they run a network sniffer? If so, they can easily get to the startup script.
Oh by the way, if they have physical access to the workstations (and I expect they do) and they have any real level of understanding they can do the things above whether you think so or not.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


anujattree, 06/23/2007 10:05 AM
Hi Joe

Thanks for your concern...

I just want a way to do this task (like many others) automatically. Scripting gives me hope. If there are security implications then I will find and implement the same and only after that the solution would be in effect.
And by the way, they don't have the ability to schedule tasks or install services. Also, users are not able to install any s/w without IT approval.

Right now I'm not able to run this script and would request you all to suggest a solution with security concerns. The solution/s could be different but my objective is to automate this task.

bdesmond, 06/23/2007 10:26 AM
Read Al’s message again. Doing this centrally is about the only
way you can guarantee every machine is touched as well as control access to the
password file.

Thanks,

Brian Desmond

brian@briandesmond.com

c - 312.731.3132

RichardKline, 06/23/2007 10:31 AM
We found that a traditional VBS startup script was too insecure. The new password was visible within a plain text or easily decrypted file.

I wrote a .net application which remotely attaches to workstations and changes the local administrator password. If you follow this route, I recommend that you store the change attempt results (success or reason for failure) into a database for control and management review.


katrin, 06/24/2007 1:51 AM
Hi,

I usually use a little tool on my desktop which changes the password remotely on all machines (run as domain admin). It gives you a result screen letting you know which computers were turned off etc. Unfortunately I forgot the name of the tool... (I am on maternity leave and haven't used that tool for a couple of months). I think if you search the net for it you will find a few of them... Time it takes: my input may be 2 minutes, and the run depends on how many computers are in your network.

Hope this helps,

Kat

amulnick, 06/24/2007 1:54 AM
Do you have a software distribution method?

Al
On 6/24/07, Matheesha Weerasinghe wrote:

The gold builds are given to onsite admins who can rebuild the machine if deemed necessary. We allow them to join the machines to the domain and they have local admin rights on the machine (via the domain accounts). They don't need to know the local admin password and neither do the users. Hence the periodic recycling of passwords using the script.
M@

On 24/06/07, Al Mulnick wrote:
Seriously? Why are you not able to set the local administrator password to an account you want? You can rename it (so it's not human readable as administrator) and set the password during the build process. You shouldn't build one without a password - the default in Vista if I recall correctly.

On 6/24/07, Matheesha Weerasinghe <matheesha@gmail.com> wrote:
Remote resetting with an app sounds very good. But the reason we use startup scripts is to ensure the passwords get reset to the values we want after the workstation is rebuilt and joined to the domain.

Other than adding the task of "resetting the password manually" to the process of rebuilding a workstation, I can't think of any other way to handle machine rebuilds from gold builds.

Any suggestions?

M@

On 24/06/07, Richard Kline > wrote:
We found that a traditional VBS startup script was too insecure.The new password was visible within a plain text or easily decrypted file.
I wrote a .net application which remotely attaches to workstations and changes the local administrator password. If you follow this route, I recommend that you store the change attempt results (success or reason for failure) into a database for control and management review.
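Richard's observation above (the new password was visible in a plain-text or easily decrypted file) is something you can check for rather than take on faith. The script below is an added example, not code from anyone in this thread: it walks a script share, flags files that contain a password-setting call, and lists which principals can read each one. The share path and the pattern list are placeholders; adjust both for your environment. Entries that use generic rights (large numeric values in the ACL) are not decoded, so treat the Readers column as a lower bound.

```powershell
# Added example: find GPO/logon scripts that set a password and show who can read them.
# Assumes read access to the share; the path below is a placeholder.
param(
    [string]$ScriptRoot = '\\example.com\SYSVOL\example.com\scripts'
)

# Calls and commands that take a clear-text password. Extend as needed.
$patterns = @(
    'SetPassword\s*\(',                 # ADSI WinNT/LDAP SetPassword
    'ChangePassword\s*\(',              # ADSI ChangePassword(old, new)
    'net(\.exe)?\s+user\s+\S+\s+\S+',   # net user <name> <password>
    'password\s*=\s*["'']'              # a literal assigned to a "password" variable
)

$hits = Get-ChildItem -Path $ScriptRoot -Recurse -Include *.vbs,*.bat,*.cmd,*.js,*.ps1 -ErrorAction SilentlyContinue |
    Select-String -Pattern $patterns

foreach ($file in ($hits | Group-Object Path)) {
    $acl = Get-Acl -Path $file.Name
    # Principals with an Allow ACE that includes ReadData; broad groups are the problem.
    $readers = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Script  = $file.Name
        Lines   = ($file.Group | ForEach-Object { $_.LineNumber }) -join ','
        Readers = $readers -join '; '
        # True when a group every domain principal belongs to can read the file.
        Broad   = [bool]($readers -match 'Everyone|Authenticated Users|Domain Users|Domain Computers')
    }
}
```

On SYSVOL the answer will normally be Authenticated Users, which is exactly Brian's point: restricting the ACL to computer accounts does not change what a user with local admin rights on the workstation can read through the computer's own identity.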
bdesmondUser is Offline

Posts:366

06/24/2007 2:23 AM  
I’d be curious to know how reliable these tools are in a
distributed organization where slow or high latency wan links aren’t out of the
ordinary and it may take a couple tries to make things work without timeouts/too
many lost packets.

Thanks,

Brian Desmond

brian@briandesmond.com

c - 312.731.3132

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Katrin Wilhelm
Sent: Sunday, June 24, 2007 12:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup script local admin password reset



Hi,

I usually use a little tool on my desktop which changes the password remotely on all machines (run as domain admin); it gives you a result screen letting you know which computers were turned off etc. Unfortunately I forgot the name of the tool (I am on maternity leave and haven't used that tool for a couple of months). I think if you search the net for it you will find a few of them. Time it takes: my input may be 2 minutes, and it runs depending on how many computers are in your network.

Hope this helps,

Kat

From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Richard Kline
Sent: Sunday, 24 June 2007 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup script local admin password reset



We found that a traditional VBS startup script was too insecure. The new password was visible within a plain text or easily decrypted file.

I wrote a .net application which remotely attaches to workstations and changes the local administrator password. If you follow this route, I recommend that you store the change attempt results (success or reason for failure) into a database for control and management review.



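Richard recommends recording the result of every change attempt, and Brian asks how such tools behave over slow links. The script below is an added example, not Richard's .NET tool or Katrin's utility, of a remote reset written with both points in mind: each host gets its own random password, reachability is tested first so a timeout is reported rather than swallowed, the change is verified by binding with the new password instead of being assumed, and the outcome log carries no secrets. It assumes the account running it is a local administrator on every target and that RPC/SMB to the workstations is open (the WinNT ADSI provider and WMI both need it); the computer names are a constructed sample. The built-in account is located by its well-known RID 500 so a renamed Administrator (Al's advice above) is still the one reset.

```powershell
# Added example: remote reset of the built-in local admin, one random password per
# machine, with a per-host outcome record. Assumes local admin on each target and
# RPC/SMB open; $Computers is a constructed sample list.
param(
    [string[]]$Computers = @('WS001', 'WS002'),
    [string]$ResultCsv   = '.\reset-results.csv',     # outcomes only, no secrets
    [string]$SecretCsv   = '.\reset-passwords.csv'    # restricted to Administrators below
)

function New-RandomPassword {
    param([int]$Length = 20)
    # Exactly 64 symbols (no I/O/l/o), so a byte modulo 64 is unbiased.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Reset-LocalAdmin {
    param([string]$Computer)
    $rec = [pscustomobject]@{
        Computer = $Computer; Time = (Get-Date).ToString('s')
        Status = 'Failed'; Detail = ''; Password = $null
    }
    # 1. Reachability first, so a WAN timeout shows up as a reason, not silence.
    if (-not (Test-Connection -ComputerName $Computer -Count 2 -Quiet)) {
        $rec.Detail = 'no ICMP reply'; return $rec
    }
    try {
        # 2. Find the built-in admin by RID 500, whatever it has been renamed to.
        $acct = Get-WmiObject -Class Win32_UserAccount -ComputerName $Computer `
                    -Filter "LocalAccount=True AND SID LIKE '%-500'"
        if (-not $acct) { $rec.Detail = 'RID 500 account not found'; return $rec }

        # 3. Set a fresh random password on that account.
        $pw   = New-RandomPassword
        $user = [ADSI]"WinNT://$Computer/$($acct.Name),user"
        $user.SetPassword($pw)
        $user.SetInfo()

        # 4. Verify by binding with the new password; NativeObject throws on a bad credential.
        $probe = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "WinNT://$Computer", "$Computer\$($acct.Name)", $pw
        $null  = $probe.NativeObject
        $rec.Status = 'Success'; $rec.Password = $pw
    } catch {
        $rec.Detail = $_.Exception.Message
    }
    return $rec
}

$results = foreach ($c in $Computers) { Reset-LocalAdmin -Computer $c }

# Outcome log for control/management review, without the passwords.
$results | Select-Object Computer, Time, Status, Detail |
    Export-Csv -Path $ResultCsv -NoTypeInformation

# New passwords go to a separate file that only Administrators can open.
$results | Where-Object { $_.Status -eq 'Success' } | Select-Object Computer, Password |
    Export-Csv -Path $SecretCsv -NoTypeInformation
icacls $SecretCsv /inheritance:r /grant:r 'Administrators:F' | Out-Null
```

Two caveats a practitioner will hit: on XP the credential probe fails if simple file sharing (ForceGuest) is on, because the remote bind is mapped to Guest regardless of the password supplied; and the secrets file is now the single most valuable file on the admin workstation, so it belongs in a store with its own access logging, not on a desktop.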
rboswellUser is Offline

Posts:20

06/24/2007 5:05 AM  
It's even easier than that. Just reset the file association for *.vbs to Notepad and the script will open up whenever the GPO applies it. I used to do this when I was in Application Engineering to determine what the logon scripts did (and try to determine why it took so long to logon).

RPMEE (http://www.liebsoft.com/index.cfm/cms?id=270)
is expensive but in the end which costs more? The software or the damage
control?

Richard Boswell | Systems
Engineer | Windows Server Engineering | Visa | 12357-C Riata Trace Pkwy, Austin, TX
78727 | Work - (512) 506-4643 | Cell - (512) 750-4583

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Sunday, June 24, 2007 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup script local admin password reset

> And by the way, they don't have the ability to schedule tasks or install services. Also, users are not able to install any s/w without IT approval.

Is this a "for certain" or is this, we tried our best and we think we got it? I expect the latter as the former is pretty darn near impossible to achieve without basically installing root kits that you control and they interrogate every single system request. Windows machines, and many OSes honestly, aren't meant to truly and completely protect against the person sitting right there in front of the machine; especially once they have admin creds. They are like Al mentioned, something that will stop the casual passer by but if someone is serious, they will bypass it. Once someone has admin level access on a machine they can pretty much dig into anything you do and it is very difficult if not impossible to stop them.

On the positive side, this means you have kept the password out of the casual users (and programs) which likely will account for 99%+ of your environment. On the negative side, you aren't keeping it away from the people who are intent on getting it and those are the people you need to be afraid of in the first place.

Using a logon script to change a password, you have several key vectors you have to consider.

1. Someone can read the password in the clear as it comes across the wire. This can be done by installing software on the local machine or it can be done by putting the computer on a hub and putting another you don't control on the hub and having it watch the network traffic. The only way to protect against this is to make sure there is never any traffic "in the clear" with the password(s) involved.

2. Someone can impersonate the computer with local system or network service accounts and go to the GPO and read the password directly. The only way to protect against this is to make sure that the password isn't stored "in the clear" anywhere that the computer can read it.

3. Someone could run software that knows how to use debugger rights and can pick the logon script right out of the GPO process. Sort of a more technical way of doing 1 and 2 BUT if they are here, they can also see the password as it is decrypted or whatever to set it because you need a clear text password to set the password.

4. Someone can intercept the password change on the machine with a password change notification package DLL. With almost all systems this is pretty much game over if someone can do this and it only requires admin rights to do it and most software monitoring packages that prevent users from running software DO NOT even look at this type of attack. Password change notification filters are trivial to write poorly and you only need a poorly written one to get the password. Think about this every time someone releases an exploit that is an escalation exploit. Or if you let people run with creds that they can escalate (like power users for example) or if you just let them run as admins.

5. Someone can intercept the password change by hooking the password change API calls directly, easier to do than number 4 but still a vector to consider. Has same capabilities of 4.

6. Someone can dump the password hash and attempt to crack it. Oldie but goodie.

These are just the ones I thought up off the top of my head quickly. If I really sat down and put my noodle into it I could probably find some additional ways to pull this off.

The main thing to note is that these are 6 great reasons not to use a common password across multiple machines. Once someone has the password, they own all of the machines. Each machine should have a password specific to it. That way if someone does compromise the system, they have the password only for that system. This also means that you can't have the mechanism to generate the passwords so it isn't visible through any of those mechanisms either or else someone has the mechanism and that is likely going to be as good as having the passwords themselves.

Now if the person is simply into knowing the passwords on the local system they have two additional vectors that I just thought of...

7. Someone can use one of the several offline reset the admin account packages to reset the password.

8. Someone could use a password filter to reject the attempts to change that password. This could also be handled by hooking the APIs. Again, this won't require great code, just very simple code. I once wrote and sold a password filter that was specifically for locking down the default admin account so people couldn't SET the password, they had to know the old password and use CHANGE to modify it. It simply was a case of looking at the RID, seeing it was the well-known RID for admin and then rejecting all SET attempts.

Tools that go out and force this change remotely are an option, but again, you will note several of the items above will compromise this. Also this doesn't scale all that well. Some form of agent is likely the best way of handling it and if that agent can start prior to any compromise code (i.e. so it can look at the password API function call addresses before they can be compromised) and validate that no one has installed any password filters/change notification packages you are almost there... Except for people who have debug rights and can then watch for that agent to send the passwords into the password change API. Of course at this point, the bar is pretty high because as we discussed previously, not many people are into debugging apps. But again, that element you don't want to have the password are probably the ones that do know how to debug. So again it comes back to making sure you don't have the same password everywhere and making sure the algorithm isn't available for the debugger to see.

One other thing to keep in mind if you go forward with logon scripts is that you make sure you have some mechanism to feed back that a password has been changed. Don't assume it has. Bad security precedent there.

In summary, this is not in any shape or form a trivial problem to solve. If you have someone who is determined to get your password and they have any ability to learn Windows details they will figure out how to bypass pretty much anything you can do. The main thing I try to remind everyone with security... You can NEVER prove something secure, you can only prove it is insecure. Just because you think it is secure simply means it is secure from you because you can't think of a way around it... Someone else may and probably is better than you and can get around it. This is the point that you have to do everything you can (and makes sense) to mitigate the risks of a compromise. You must understand what the risks actually are so you can understand the level you should go to to mitigate them.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Anuj Attree
Sent: Saturday, June 23, 2007 10:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] startup script local admin password reset

Hi Joe

Thanks for your concern...

I just want a way to do this task (like many others) automatically. Scripting gives me a hope. If there are security implications then I will find and implement the same and only after that the solution would be in effect. And by the way, they don't have the ability to schedule tasks or install services. Also, users are not able to install any s/w without IT approval.

Right now I am not able to run this script and would request you all to suggest a solution with security concerns. The solution/s could be different but my objective is to automate this task.

On 6/24/07, joe wrote:

Do the users have the ability to schedule tasks or install services? If so, they can easily get to the startup script. Can they run a network sniffer? If so, they can easily get to the startup script.

Oh by the way, if they have physical access to the workstations (and I expect they do) and they have any real level of understanding they can do the things above whether you think so or not.


--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Anuj Attree
Sent: Saturday, June 23, 2007 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] startup script local admin password reset



This would be a startup script and would run when computers log into the domain. Some kind of security permissions can be assigned so that only computer accounts logging in would be able to read and execute the same. I am not much sure about this and would carry out further tests before implementation.

If you've a better solution, I would really appreciate it if you share the same with me.

Regards,
Anuj Attree
On 6/24/07, Brian Desmond wrote:



You do realize that by putting this script out there anyone and everyone in your domain can just go look at the script and write the password down right?

Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132




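Two of the points in this post are checkable on a workstation: joe's vectors 4 and 8 (a password filter or change-notification package DLL registered with LSA) and Richard's trick of pointing the .vbs association at an editor so the GPO script is displayed instead of run. The script below is an added example, not code from joe or Richard: it enumerates the LSA notification packages and flags any that are off an allow-list or not validly signed, then reads the machine-wide and current-user .vbs associations and flags any whose open command is not the Windows Script Host. The default allow-list (scecli) is what a stand-alone XP/2003 box ships with and is an assumption; replace it with what your build actually installs. It must run elevated, and HKCU covers only the account running it; other users' overrides live under HKEY_USERS and are not checked here.

```powershell
# Added example: audit a workstation for a rogue LSA notification package and a
# hijacked .vbs file association. Run elevated. $KnownPackages is an assumption.
param(
    [string[]]$KnownPackages = @('scecli')
)

function Test-NotificationPackages {
    param([string[]]$Known)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # REG_MULTI_SZ of DLL base names; LSASS loads each from System32 at boot and
    # hands every password change to it in clear text.
    foreach ($pkg in @($lsa.'Notification Packages')) {
        $path = Join-Path $env:SystemRoot "System32\$pkg.dll"
        $sig  = if (Test-Path $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Missing' }
        [pscustomobject]@{
            Check   = 'NotificationPackage'
            Item    = $pkg
            Path    = $path
            Signed  = "$sig"
            # Anything off the allow-list, or not validly signed, needs a look.
            Suspect = ($Known -notcontains $pkg) -or ("$sig" -ne 'Valid')
        }
    }
}

function Test-VbsAssociation {
    # Machine-wide association first, then the per-user override Explorer honours.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
        $progId = (Get-ItemProperty -Path "$hive\.vbs" -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { continue }
        $cmd = (Get-ItemProperty -Path "$hive\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Check   = 'VbsAssociation'
            Item    = "$hive\.vbs -> $progId"
            Path    = "$cmd"
            Signed  = ''
            # Only wscript.exe or cscript.exe should be launching .vbs files;
            # a missing command is treated as suspect too.
            Suspect = -not ("$cmd" -match '\\(w|c)script\.exe')
        }
    }
}

Test-NotificationPackages -Known $KnownPackages
Test-VbsAssociation
```

This is the "validate that no one has installed any password filters" step joe describes for an agent, done once by hand; it does not catch API hooking in a running LSASS (vector 5), which needs memory inspection rather than a registry read.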
anujattreeUser is Offline

Posts:0

06/24/2007 5:10 AM  
I think these kinds of tools will not help me as we've turned off file and printer sharing on the LAN. Moreover, if these tools depend on some other ports, then implementation of the same wouldn't be possible.
On 6/24/07, Brian Desmond wrote:

I'd be curious to know how reliable these tools are in a distributed organization where slow or high latency wan links aren't out of the ordinary and it may take a couple tries to make things work without timeouts/too many lost packets.

Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132
matheeshaUser is Offline

Posts:14

06/24/2007 6:49 AM  
Remote resetting with an app sounds very good. But the reason we use startup scripts is to ensure the passwords get reset to the values we want after the workstation is rebuilt and joined to the domain.

Other than adding the task of "resetting the password manually" to the process of rebuilding a workstation, I cant think of any other way to handle machine rebuilds from gold builds.

Any suggestions?

M@
On 24/06/07, Richard Kline wrote:
We found that a traditional VBS startup script was too insecure. The new password was visible within a plain text or easily decrypted file.
I wrote a .net application which remotely attaches to workstations and changes the local administrator password. If you follow this route, I recommend that you store the change attempt results (success or reason for failure) into a database for control and management review.
MThommesUser is Offline

Posts:74

06/24/2007 7:37 AM  
You might want
to check out this utility. I have not used it but the source has always
been a good resource for me:

http://searchwincomputing.techtarget.com/tip/0,289483,sid68_gci1083716,00.html

Mike Thommes

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Anuj Attree
Sent: Saturday, June 23, 2007 7:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] startup script local admin password reset



This would be a startup script and would run when computers log into the domain. Some kind of security permissions can be assigned so that only computer accounts logging in would be able to read and execute the same. I am not much sure about this and would carry out further tests before implementation.

If you've a better solution, I would really appreciate it if you share the same with me.

Regards,

Anuj Attree
listmailUser is Offline

Posts:454

06/24/2007 7:49 AM  
Cute. Exactly what I meant... lots of ways to tackle this
puppy that range from low to very high tech and can be tweaked based on how the
work is actually done. Tough problem to handle securely and successfully.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

you can do. The main thing I try to remind everyone with security... You can
NEVER prove something secure, you can only prove it is insecure. Just because
you think it is secure simply means it is secure from you because you can't
think of a way around it... Someone else may and probably is better than you and
can get around it.This is the point that you have to do everything you can (and
makes sense) to mitigate the risks of a compromise. You mustunderstand
what the risks actually are so you can understand the level you should go to to
mitigate them.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Anuj Attree
Sent: Saturday, June 23, 2007 10:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] startup script local admin password reset

Hi Joe

Thanks for your concern...

I just want a way to do this task (like many others) automatically. Scripting gives me a hope. If there are security implications then I will find and implement the same and only after that the solution would be in effect. And by the way, they don't have the ability to schedule tasks or install services. Also, users are not able to install any s/w without IT approval.

Right now I'm not able to run this script and would request you all to suggest a solution with security concerns. The solution/s could be different but my objective is to automate this task.

On 6/24/07, joe wrote:


Do the users have the ability to schedule tasks or install services? If so, they can easily get to the startup script. Can they run a network sniffer? If so, they can easily get to the startup script.

Oh by the way, if they have physical access to the workstations (and I expect they do) and they have any real level of understanding they can do the things above whether you think so or not.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Anuj Attree
Sent: Saturday, June 23, 2007 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] startup script local admin password reset



This would be a startup script and would run when computers logged into the domain. Some kind of security permissions can be assigned so that only computer a/cs logging in would be able to read and execute the same. I am not much sure about this and would carry out further tests before implementation.

If you've a better solution, I would really appreciate if you share the same with me.

Regards,
Anuj Attree
On 6/24/07, Brian Desmond wrote:



You do realize that by putting this script out there anyone and everyone in your domain can just go look at the script and write the password down right?

Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132




From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Anuj Attree
Sent: Saturday, June 23, 2007 7:04 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup script local admin password reset



Marty1_0

Posts:72

06/24/2007 7:52 AM  
I'm very interested in this... Actually if you're able to encrypt the password properly or have a routine to retrieve a password from a safe location you should be set, right? I'm looking myself for such a way of working for certain scripts, but I haven't found it out yet. Let me know if somebody knows an interesting way of working with sufficient security.

Thanks

On 6/24/07, Matheesha Weerasinghe wrote:

Remote resetting with an app sounds very good. But the reason we use startup scripts is to ensure the passwords get reset to the values we want after the workstation is rebuilt and joined to the domain.

Other than adding the task of "resetting the password manually" to the process of rebuilding a workstation, I can't think of any other way to handle machine rebuilds from gold builds.

Any suggestions?

M@

On 24/06/07, Richard Kline wrote:
We found that a traditional VBS startup script was too insecure. The new password was visible within a plain text or easily decrypted file.
I wrote a .net application which remotely attaches to workstations and changes the local administrator password. If you follow this route, I recommend that you store the change attempt results (success or reason for failure) into a database for control and management review.



From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Anuj Attree
Sent: Saturday, June 23, 2007 8:04 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup script local admin password reset
RichardKline

Posts:10

06/24/2007 7:59 AM  
Man-oh-Man, Brian, you haven't hit even half of the problems.

You're entirely right. Any solution must be designed in respect to and with good knowledge of the specific target environment (organizational and topological).

There are many potential pitfalls to an automated or manual remote management solution. The concept succeeds or fails based upon the total organizational commitment to strongly centralized management. Things to consider:

Note: From this point on, the term local authorities includes local department and network admins as well as the primary workstation user.

Security / Topology Concerns

- Local authorities should permit remote management access from an agreed-to source through local area or personal workstation firewalls.

- NAT. The total network solution should be centrally designed. Local authorities should not be allowed to independently design and implement their own networks.

- Local Administrator Authority. Each workstation should be subject to the authority of the central Domain administrator. That central authority must be able to connect remotely to a machine with sufficient authority to effect the necessary changes. Which means that the individual local authorities (user or department) must subscribe to either a common username/password or a centrally derivable username/password. That sounds obvious but I've seen situations where local authorities have deliberately removed all commonly agreed-to authorities (including Domain Admins as local administrators) citing "Security" concerns.

- Local authorities should not block remote management access by disabling OS "stuff" such as DCOM.

Organizational Concerns

- Maintain centralized workstation lists. That means keeping AD clean! Get rid of the computer accounts after the workstation has been reformatted or retired.

- Maintain IP lists. Workstations should use DNS servers with BIND enabled which share registered workstation information and practice record scavenging.

- Keep good results records. Not just pass/fail. But dates, times, best guesses as to the reason for each failure, references to the username/password combinations tried to gain access.

Multiply each of these concerns by the number of discrete areas represented on the WAN(s) to which Brian refers and add WAN-inherent concerns (latency, etc).

Of course, we're talking about domain-joined Microsoft OS workstations and not workgroups, Apple and UNIX workstations. Though it is possible to keep workgroup workstations in line, the effort probably wouldn't achieve a high success rate.

Another related question deals with the number and maintainability of local administrator accounts.

Fun stuff, eh? Routine local administration password changes is a serious issue and, IMHO, often given insufficient attention.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Sunday, June 24, 2007 2:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup script local admin password reset
I’d be curious to know how reliable these tools are in a distributed organization where slow or high latency wan links aren’t out of the ordinary and it may take a couple tries to make things work without timeouts/too many lost packets.

Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132


From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Katrin Wilhelm
Sent: Sunday, June 24, 2007 12:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup script local admin password reset

Hi,

I usually use a little tool on my desktop which changes the password remotely on all machines (run as domain admin) – it gives you a result screen letting you know which computers were turned off etc. Unfortunately I forgot the name of the tool … (I am on maternity leave and haven’t used that tool for a couple of months). I think if you search the net for it you will find a few of them… Time it takes: my input may be 2 minutes and it runs depending on how many computers are in your network.

Hope this helps,

Kat


From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Richard Kline
Sent: Sunday, 24 June 2007 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup script local admin password reset

We found that a traditional VBS startup script was too insecure. The new password was visible within a plain text or easily decrypted file.

I wrote a .net application which remotely attaches to workstations and changes the local administrator password. If you follow this route, I recommend that you store the change attempt results (success or reason for failure) into a database for control and management review.


From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Anuj Attree
Sent: Saturday, June 23, 2007 8:04 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup script local admin password reset
matheesha

Posts:14

06/24/2007 8:24 AM  
I am not a strong scripter and neither am I a coder. I was wondering about doing something like this.

Each computer stores its local admin password in AD in an attribute. Could create one or use an attribute deemed suitable for this.

The attribute must be ACL'd to ensure only the computer account or domain computers group can read the attribute and a chosen admin group can read and write to the attribute.

Do a batch update of the attribute across the estate. You can have different computers with different values for local admin password (perhaps based on geographical location, dept?).

The script or tool that runs on each computer is defined in GPO startup scripts. It does a query for the attribute (objectcategory=computer)(xxx-localadmin). The query is done using kerberos encryption (ldap_opt_encrypt). Therefore the network trace shouldn't show something legible.

Use the value as the parameter to reset local admin.

Just need to script/code it now ;-)

M@
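A sketch of the design Matheesha describes above (per-computer passwords in an ACL'd AD attribute, read by each machine over a sealed Kerberos LDAP session and applied to the local administrator), written as an added PowerShell example for this thread rather than any poster's own code. It assumes a hypothetical custom attribute `exampleCorp-LocalAdminPwd` already ACL'd as the post describes, the placeholder OU `OU=Workstations,DC=example,DC=com`, and the RSAT ActiveDirectory module on the admin side; it also gives every computer a different random password, as joe insists, and feeds the outcome back instead of assuming the change happened.

```powershell
# Added example (not from the thread). Attribute name, OU and DNS name are placeholders.
$Attr = 'exampleCorp-LocalAdminPwd'      # hypothetical custom attribute, ACL'd per the post
$Base = 'OU=Workstations,DC=example,DC=com'

# ---- Central side: one random password per computer, pushed into the attribute ----
function New-RandomPassword {
    param([int]$Length = 20)
    $alphabet = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*+-=?@'
    $limit = 256 - (256 % $alphabet.Length)   # rejection bound: avoids modulo bias
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Publish-LocalAdminPasswords {
    Import-Module ActiveDirectory
    foreach ($c in Get-ADComputer -Filter * -SearchBase $Base) {
        try {
            # Different value on every machine, so one compromise does not hand over the estate
            Set-ADComputer -Identity $c -Replace @{ $Attr = (New-RandomPassword) } -ErrorAction Stop
            [pscustomobject]@{ Computer = $c.Name; Stored = $true;  Error = $null; When = Get-Date }
        } catch {
            [pscustomobject]@{ Computer = $c.Name; Stored = $false; Error = $_.Exception.Message; When = Get-Date }
        }
    }   # keep these records (never the passwords) in the control database Richard describes
}

# ---- Client side: startup script, runs as SYSTEM and therefore binds as the computer account ----
function Get-OwnPublishedPassword {
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection 'example.com'
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.Sealing = $true   # Kerberos-encrypted session (the ldap_opt_encrypt idea)
    $conn.SessionOptions.Signing = $true
    $conn.Bind()
    $filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($Base, $filter, 'Subtree', @($Attr))
    $resp = $conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) { throw "expected exactly one computer object, got $($resp.Entries.Count)" }
    $val = $resp.Entries[0].Attributes[$Attr]
    if (-not $val -or $val.Count -eq 0) { throw "attribute $Attr not set or not readable by this computer" }
    [string]$val[0]
}

function Set-BuiltinAdminPassword {
    param([Parameter(Mandatory)][string]$Password)
    # Find the built-in Administrator by RID 500, not by name (the account may be renamed)
    $users = ([ADSI]"WinNT://$env:COMPUTERNAME,computer").Children | Where-Object { $_.SchemaClassName -eq 'User' }
    $admin = $users | Where-Object {
        (New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$_.objectSid.Value), 0)).Value -like '*-500'
    }
    if (-not $admin) { throw 'RID 500 account not found' }
    $admin.SetPassword($Password)
    $admin.SetInfo()
}

function Write-ResetResult {
    param([string]$Message)
    # Feed the outcome back (joe's point: do not assume the change happened); never log the password
    if (-not [System.Diagnostics.EventLog]::SourceExists('LocalAdminReset')) {
        New-EventLog -LogName Application -Source 'LocalAdminReset'
    }
    Write-EventLog -LogName Application -Source 'LocalAdminReset' -EventId 1000 -Message $Message
}

# Entry point for the GPO startup script
try   { Set-BuiltinAdminPassword -Password (Get-OwnPublishedPassword); Write-ResetResult 'local admin password reset OK' }
catch { Write-ResetResult "local admin password reset FAILED: $($_.Exception.Message)" }
```

The attribute holds clear text, so the ACL on it (and who can read the central records) is the whole security boundary of this design; joe's items 4, 5 and 8 still apply on the workstation itself.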