| Author | Messages | |
shoktai
Posts:29
 | | 07/16/2008 7:55 PM |
| Hi,
I would like to reset the local admin password on all our servers (hopefully for me the password will be the same for all servers).
I found this smart script which will do it for each OU I specify. My concern is that we have OUs nested inside several other OUs, which makes the script less powerful as sub-OUs won't be updated with the new password. Is there a way to make this script behave like "update the local admin account in that OU and its sub-OUs"?
Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
objOU.Filter = Array("Computer")
For Each objItem In objOU
    strComputer = objItem.CN
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    objUser.SetPassword("i5A2sj*!")
Next
| | | |
| darren
Posts:154
 | | 07/16/2008 7:55 PM |
| Thomas-
Do you have the ability to roll out the new Group Policy Preferences extension to all of your servers? If so, then this new feature has the ability to use GP to reset administrator passwords (or any local account password for that matter) in a reasonably secure way (i.e. the password is encrypted or at least hashed in SYSVOL). And, it solves your nesting problem since GPOs are automatically inherited.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Thomas Vito Sent: Monday, June 09, 2008 7:52 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] [Slightly OT] Local Admin password massive reset
| | | |
| kennedyjim
Posts:28
 | | 07/16/2008 7:57 PM |
| Answering your question a different way: drop the below into a machine startup .bat file, apply it to the top OU as a startup script and force the inheritance.
echo off
net.exe user administrator <newpassword>
| | | |
| andrewcace
Posts:1
 | | 07/16/2008 7:57 PM |
| You can set up your code to call itself if it hits an OU. Something similar to the following:
strOU = "OU=Finance,DC=fabrikam,DC=com"
ChangePwd strOU

Sub ChangePwd(strOU)
    Dim objOU, objItem, objUser, strComputer
    Set objOU = GetObject("LDAP://" & strOU)
    For Each objItem In objOU
        ' objItem.Class is the ADSI schema class name ("computer", "organizationalUnit");
        ' objectClass itself is multi-valued, so comparing it directly to a string fails
        If LCase(objItem.Class) = "computer" Then
            strComputer = objItem.CN
            Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
            objUser.SetPassword "i5A2sj*!"
        ElseIf LCase(objItem.Class) = "organizationalunit" Then
            ' recurse with the child OU's DN as an argument instead of overwriting a shared variable
            ChangePwd objItem.distinguishedName
        End If
    Next
End Sub
I just hacked this out of your code below, so there are no guarantees. You might also have to connect to the object in order to get the objectClass and distinguishedName values.
-Andrew
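The recursion Andrew sketches is what an LDAP subtree search does for you. The following PowerShell function is an added example, not code from the thread: it lists every enabled computer object beneath an OU and all of its nested OUs in a single query. It assumes PowerShell 2.0 or later and a caller with read access to the directory; the OU name is the thread's fabrikam example, not a real one. It deliberately only enumerates, so it can be run first to confirm exactly which machines are in scope before any password is touched.

```powershell
# Added example, not code from the thread: one LDAP subtree search returns every
# computer object under an OU and all of its nested OUs, which is what the
# hand-written recursion is trying to achieve.
# Assumptions: PowerShell 2.0+, caller can read the directory; the OU below is
# the thread's fabrikam example, not a real one.

function Get-ComputersUnderOU {
    param([Parameter(Mandatory = $true)][string]$OUDistinguishedName)

    $root     = [ADSI]("LDAP://" + $OUDistinguishedName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Subtree scope descends through every child OU, however deeply nested.
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    # objectCategory=computer is single-valued and indexed, unlike objectClass;
    # the second clause drops accounts that are disabled (userAccountControl
    # bit 0x2), which are usually stale objects for machines that no longer exist.
    $searcher.Filter   = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 500          # page the results so more than 1000 objects come back
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties           # keys are lower-cased by the searcher
        New-Object PSObject -Property @{
            HostName          = [string]($p['dnshostname']       | Select-Object -First 1)
            DistinguishedName = [string]($p['distinguishedname'] | Select-Object -First 1)
        }
    }
}

# Usage: review the full list (including machines in sub-OUs) before any reset is run.
Get-ComputersUnderOU -OUDistinguishedName 'OU=Finance,DC=fabrikam,DC=com' |
    Sort-Object DistinguishedName | Select-Object HostName, DistinguishedName | Format-Table -AutoSize
```

The DistinguishedName column shows which sub-OU each machine came from, which is the quickest way to confirm that nothing outside the intended branch is included; dNSHostName rather than CN is what a later WinNT:// bind should use, since CN is only the short name.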
| | | |
| shoktai
Posts:29
 | | 07/16/2008 8:03 PM |
| Unfortunately I cannot use the Group Policy Preferences extension. From what I understand this needs a Windows Vista client or a Win2008 server, which I don't have available yet in my corporate network. I appreciate your feedback.
Cheers!
2008/6/9 Darren Mar-Elia <darren@sdmsoftware.com>:
| | | |
| RichardKline
Posts:10
 | | 07/16/2008 8:05 PM |
| Not quite clear to me….
The overview is here: Group Policy Preferences Overview <http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en> with additional information at: Information about new Group Policy preferences in Windows Server 2008 <http://support.microsoft.com/kb/943729>
You can use the VISTA SP1 RSAT tools to create the preference items. 2003 and XP can process the preferences as long as the proper extensions are installed on each individual client machine.
Windows 2008 does not actually need to be part of the environment?
Thank you.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley Sent: Tuesday, June 10, 2008 2:03 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] [Slightly OT] Local Admin password massive reset
Q. Do I need to upgrade my domain to Windows Server 2008 to have this functionality?
A. No. Group Policy preference items work in a Windows Server 2003 environment by being managed via either Windows Server 2008 or the GPMC update for Windows Vista with Service Pack 1.
More information:
• RSAT for Windows Vista SP1 32-Bit Edition <http://go.microsoft.com/fwlink/?LinkId=115118>
• RSAT for Windows Vista SP1 64-Bit Edition <http://go.microsoft.com/fwlink/?LinkId=115117>
Q. Which versions of Windows can be managed via Group Policy preference items?
A. Windows Server 2008, Windows Vista, Windows Server 2003 with Service Pack 1, and Windows XP with Service Pack 2 can all be managed via Group Policy preference items.
Okay I stand corrected .. you need 2k8 or Vista to control, but it can be deployed on anything.
If that isn't a good reason for a Virtual Vista or 2k8, I don't know what is. :-)
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |
| irishbug
Posts:23
 | | 07/16/2008 8:07 PM |
| There is one basic issue with setting all machines with the same admin password. It is completely insecure. If one machine is compromised, they all are. How long would it take an admin to realize that a machine was penetrated? There should be a way for each machine to have a different password and easily maintain them.
On Tue, Jun 10, 2008 at 9:15 AM, Brandon Shell <tshell@gmail.com> wrote:
> While I am all aboard the GPO train, if that doesn't work... this is VERY simple to script (if his assumption that the account is the same on all machines holds).
| | | |
| darren
Posts:154
 | | 07/16/2008 8:07 PM |
| Just to be clear, Group Policy Preferences does not require any 2008 in the environment. It only requires a single Vista SP1 machine to be able to get to and manage the settings in GP Editor. Beyond that, machines running XP, 2003 or Vista can all process these settings.
As for the issue of setting all machines the same, that is not required. This is Group Policy, so you could have several different policies that each have their own password targeted at a different group of machines to mitigate the problem. Since this is Group Policy Preferences, you can have multiple administrator passwords within a single GPO, and filter each one based on very fine-grained criteria. So, I think there are ways to mitigate this problem unless your goal is to have a different password on every machine. In that case, this approach won't work. The main advantage of this approach vs. most of the scripted solutions out there is that the password is not exposed in clear text anywhere.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve K Sent: Tuesday, June 10, 2008 6:29 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] [Slightly OT] Local Admin password massive reset
| | | |
| colemancraig1
Posts:40
 | | 07/16/2008 8:07 PM |
| Using Passgen you only have to memorize one passphrase, but each machine has a different complex password.
http://msinfluentials.com/files/folders/jesper/entry6532.aspx
It is completely insecure. If one machine is compromised, they all are.
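Coleman's Passgen suggestion, one passphrase to remember but a different complex password on every machine, can be illustrated with a derivation like the one below. This is an added example, not code from the thread and not Passgen's own algorithm: it stretches the master passphrase with PBKDF2, then computes an HMAC over the machine name and maps the digest onto a password alphabet, so the same passphrase and host name always reproduce the same password and nothing has to be stored. It assumes PowerShell 2.0 or later, a passphrase entered interactively, a per-domain salt string (placeholder value), and constructed host names.

```powershell
# Added example, not from the thread and not Passgen's own algorithm: derive a
# different local Administrator password for every machine from one master
# passphrase. Recovering one machine's password reveals nothing about the others,
# yet the admin only has to remember the passphrase.
# Assumptions: PowerShell 2.0+, passphrase entered interactively; the salt is a
# constant chosen per domain (placeholder value below).

function ConvertTo-MachinePassword {
    param(
        [Parameter(Mandatory = $true)][string]$MasterPassphrase,
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$Salt = 'fabrikam.com/local-admin/v1',   # per-domain constant; bump v1 to rotate every machine
        [ValidateRange(8, 28)][int]$Length = 16
    )
    # Stretch the passphrase first (PBKDF2) so an offline guess costs 100k iterations.
    $saltBytes = [System.Text.Encoding]::UTF8.GetBytes($Salt)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($MasterPassphrase, $saltBytes, 100000)
    $key = $kdf.GetBytes(32)

    # Per-machine digest: HMAC-SHA256(key, upper-cased host name). Same input
    # always gives the same output, so nothing needs to be stored anywhere.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = $key
    $digest = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($ComputerName.ToUpperInvariant()))
    $hmac.Clear()

    # Alphabet without look-alike characters (0/O, 1/l/I).
    $upper  = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower  = 'abcdefghijkmnopqrstuvwxyz'
    $digits = '23456789'
    $symbol = '!#%&*+-=?@'
    $all    = $upper + $lower + $digits + $symbol

    # Map digest bytes to characters (slight modulo bias; acceptable for a
    # password, not for key material).
    $chars = New-Object char[] $Length
    for ($i = 0; $i -lt $Length; $i++) {
        $chars[$i] = $all[$digest[$i] % $all.Length]
    }
    # Guarantee one character of each class in the first four positions, taken
    # from digest bytes not used above, so Windows complexity rules always pass.
    $classes = @($upper, $lower, $digits, $symbol)
    for ($i = 0; $i -lt $classes.Count; $i++) {
        $class = $classes[$i]
        $chars[$i] = $class[$digest[$Length + $i] % $class.Length]
    }
    return (-join $chars)
}

# Usage: compute the password for the one box you need to log on to.
$master = Read-Host 'Master passphrase'
ConvertTo-MachinePassword -MasterPassphrase $master -ComputerName 'FIN-SRV01'   # constructed host name
```

The design trades a stored secret per machine for a single secret that must be protected with care: whoever holds the master passphrase can derive every password, so it belongs in a password manager or a sealed envelope, never in the script or in SYSVOL. Rotation is done by changing the version suffix of the salt and re-running the reset across the estate.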
| | | |
| shoktai
Posts:29
 | | 07/16/2008 8:09 PM |
| Still, I cannot run Vista yet; I will wait, but thanks, that's food for thought.
Have a great day.
2008/6/10 Darren Mar-Elia <darren@sdmsoftware.com>:
| | | |
| shoktai
Posts:29
 | | 07/16/2008 8:24 PM |
| | Friends,
I finally decided to run the vbs script and this is the output I get:
C:\Documents and Settings\atvito\Desktop>cscript pass.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
C:\Documents and Settings\atcapacci\Desktop\pass.vbs(6, 5) (null): The network path was not found.
The script is:
Set objOU = GetObject("LDAP://OU=Servers, OU=Amsterdam, DC=eu, DC=corp, DC=com")
objOU.Filter = Array("Computer")
For Each objItem in objOU
    strComputer = objItem.CN
    ' binds to the local Administrator account on each host over the WinNT provider
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    objUser.SetPassword "!Nctr%l"
Next
I have tried to log in with the admin password in the script and it won't work. The local admin accounts were disabled via GPO; I have temporarily enabled them to run the script.
Any ideas what goes wrong?
Thank you.
2008/6/10 Craig, Coleman <Coleman.Craig@lendingtree.com>:
> Using Passgen you only have to memorize one passphrase, but each machine
> has a different complex password.
>
> http://msinfluentials.com/files/folders/jesper/entry6532.aspx
>
> *It is completely insecure. If one machine is compromised, they all are.*
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] *On Behalf Of *Steve K
> *Sent:* Tuesday, June 10, 2008 9:29 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] [Slightly OT] Local Admin password massive reset
>
> There is one basic issue with setting all machines with the same admin
> password. It is completely insecure. If one machine is compromised, they all
> are. How long would it take an admin to realize that a machine was
> penetrated? There should be a way for each machine to have a different
> password and easily maintain them.
>
> On Tue, Jun 10, 2008 at 9:15 AM, Brandon Shell <tshell@gmail.com> wrote:
>
> While I am all aboard the GPO train, if that doesn't work... this is VERY
> simple to script (if his assumption that the account is the same on all
> machines holds.)
>
> On Tue, Jun 10, 2008 at 5:50 AM, Richard Kline <richard@rkline.net> wrote:
>
> Not quite clear to me….
>
> The overview is here: Group Policy Preferences Overview <http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en> with additional information at: Information about new Group Policy preferences in Windows Server 2008 <http://support.microsoft.com/kb/943729>
>
> You can use the VISTA SP1 RSAT tools to create the preference items. 2003
> and XP can process the preferences as long as the proper extensions are
> installed on each individual client machine.
>
> Windows 2008 does not actually need to be part of the environment?
>
> Thank you.
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] *On Behalf Of *Susan Bradley
> *Sent:* Tuesday, June 10, 2008 2:03 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] [Slightly OT] Local Admin password massive reset
>
> Q. Do I need to upgrade my domain to Windows Server 2008 to have this
> functionality?
>
> A. No. Group Policy preference items work in a Windows Server 2003 environment
> by being managed via either Windows Server 2008 or the GPMC update for
> Windows Vista with Service Pack 1.
| | | |
| marwalshe
Posts:8
 | | 07/16/2008 8:26 PM |
| Sounds like the machine is unavailable. Could it be powered off, or removed while leaving a machine account behind?
Adding some simple error handling to the script could show you where and why the script is failing. The following lines added to the script will show you which machines were processed and which were not, allowing you to investigate them at a later stage.
Set objOU = GetObject("LDAP://OU=Servers, OU=Amsterdam, DC=eu, DC=corp, DC=com")
objOU.Filter = Array("Computer")
On Error Resume Next
Err.Clear
For Each objItem in objOU
    strComputer = objItem.CN
    ' Bind to the local Administrator account over the WinNT provider. This is the
    ' call that raises "The network path was not found" when the host is unreachable.
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    If Err.Number <> 0 Then
        WScript.Echo strComputer & " password not changed (bind failed). Error " & Err.Number & ": " & Err.Description
    Else
        objUser.SetPassword "!Nctr%l"
        ' SetPassword can fail on its own (access denied, password policy), so check again
        If Err.Number <> 0 Then
            WScript.Echo strComputer & " password not changed (SetPassword failed). Error " & Err.Number & ": " & Err.Description
        Else
            WScript.Echo strComputer & " password changed."
        End If
    End If
    Err.Clear
Next
Cheers,
MW
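One way to put the three points of this thread together (covering sub-OUs as Thomas asked, giving each host its own password as Steve K and the Passgen reference argue, and reporting per-host failures as MW suggests), as an added PowerShell example that is not code from the thread. The OU DN is a placeholder, the DirectorySearcher subtree query and the HMAC-SHA256 derivation are my own choices, and the derivation only stands in for Passgen's actual algorithm, which this thread does not describe.

```powershell
# Added example, not code from the thread. Assumes PowerShell 2.0+ on a domain-joined host,
# run with rights to the local Administrator account on each target; the OU DN is a placeholder.
$SearchBase = "LDAP://OU=Servers,OU=Amsterdam,DC=eu,DC=corp,DC=com"   # placeholder DN
$secure = Read-Host "Master passphrase" -AsSecureString                  # not echoed, not logged
$Passphrase = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

function Get-DerivedPassword {
    # Passgen-style derivation (my construction): HMAC-SHA256(passphrase, hostname) mapped to a
    # 20-character password with one character of each class, so every host differs and
    # complexity policy holds. One host's password reveals nothing about the others; the
    # passphrase itself is now the master secret to protect.
    param([string]$Passphrase, [string]$ComputerName)
    $classes = @("ABCDEFGHJKLMNPQRSTUVWXYZ", "abcdefghjkmnpqrstuvwxyz", "23456789", "!#%*+-=?@")
    $alphabet = $classes -join ""      # 64 characters, so byte % 64 is unbiased
    $hmac = New-Object -TypeName System.Security.Cryptography.HMACSHA256 `
        -ArgumentList (,[Text.Encoding]::UTF8.GetBytes($Passphrase))
    $digest = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($ComputerName.ToLowerInvariant()))
    $body = -join ($digest[0..15] | ForEach-Object { $alphabet[$_ % 64] })
    $tail = -join (0..3 | ForEach-Object { $classes[$_][$digest[16 + $_] % $classes[$_].Length] })
    return $body + $tail
}

# A subtree search is what the per-OU script lacked: it covers nested OUs in one pass
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher.Filter = "(objectCategory=computer)"
$searcher.SearchScope = "Subtree"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add("cn")

foreach ($result in $searcher.FindAll()) {
    $name = $result.Properties["cn"][0]
    try {
        $account = [ADSI]"WinNT://$name/Administrator"
        $account.SetPassword((Get-DerivedPassword $Passphrase $name))
        $account.SetInfo()
        Write-Output "$name`tpassword changed"
    } catch {
        # "The network path was not found" here means the host is off, renamed or a stale
        # computer object; list these for follow-up instead of silently skipping them
        Write-Output "$name`tNOT changed: $($_.Exception.Message)"
    }
}
```

The output lists host names and outcomes only, never the derived passwords; keep that listing so the stale or unreachable computer objects can be cleaned up afterwards.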
----- Original Message ----
From: Thomas Vito <shoktai@gmail.com>
To: ActiveDir@mail.activedir.org
Sent: Thursday, 12 June, 2008 9:07:54 AM
Subject: Re: [ActiveDir] [Slightly OT] Local Admin password massive reset
| | | |