Subject: [ActiveDir] Is there a way to force users to logon to domain?
deji

Posts:262

05/16/2006 6:59 AM  
I got converted. I used to be a strong proponent of setting a common password
for the local admin account on all clients. The logic is that it enables
helpdesk people to log into desktops easily for support tasks. I used to
hardcode the passwords into a login script, and I used to justify the
security implication by saying that whoever can read the hardcoded password
knows too much already.

So, I got converted. Now, I set the password randomly to something long and
obnoxious that nobody knows. The password is generated on the fly and not
written anywhere. If a helpdesk support person needs to log into a client
computer as local admin, the password is first reset remotely, and a "flag"
file is deleted from the computer. The absence of the "flag" file will force
the computer to process the password generating script again upon a reboot.

If the password cannot be reset remotely, there is a WinPE "rescue disk", or
BartPE or Sysinternals' Locksmith.

The point of all of this is that you do not HAVE to hardcode passwords into
your startup scripts.


Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Riley, Devin
Sent: Tue 5/16/2006 9:56 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?

You can use the following script as a startup script to change the local
Admin password. There is an obvious security issue with this, since you
will be storing the script in a Sysvol share for machines to read. You
can prevent users from browsing to and opening the file by restricting
access to "Domain Computers" and relevant IT Admin staff.

The script works even if the local Admin account name has been changed.

I don't recall where I got the original copy of the script.

Devin
=====================================================
Option Explicit

Dim objShell, objNet, sNewPassword, sComputer, sAdminName, oUserAccounts
Dim oUser

On Error Resume Next

Set objShell = WScript.CreateObject("WScript.Shell")
Set objNet = CreateObject("WScript.Network")

' The new password sits in clear text in this file, which is why read
' access to the script in Sysvol has to be restricted (see above).
sNewPassword = "PutSomeReallyLongPasswordHere"

sComputer = objNet.ComputerName
sAdminName = GetAdministratorName   ' looked up by RID, so a renamed account still works

' Bind to the local account through the WinNT provider and set the password.
Set oUser = GetObject("WinNT://" & sComputer & "/" & sAdminName & ",user")
oUser.SetPassword sNewPassword
oUser.SetInfo
On Error Goto 0

' Leave a run record in the Application event log (4 = Information).
objShell.LogEvent 4, "LP startup script LP04 run record."

'==========================================================================
' Get Admin Account Name
'==========================================================================

' Returns the name of the built-in Administrator: the local account whose
' SID ends in the well-known RID 500, whatever it has been renamed to.
Function GetAdministratorName()
    Dim objNet, oUserAccount
    Set objNet = CreateObject("WScript.Network")
    Set oUserAccounts = GetObject( _
        "winmgmts://" & objNet.ComputerName & "/root/cimv2") _
        .ExecQuery("Select Name, SID from Win32_UserAccount" _
        & " WHERE Domain = '" & objNet.ComputerName & "'")

    On Error Resume Next
    For Each oUserAccount In oUserAccounts
        If Left(oUserAccount.SID, 9) = "S-1-5-21-" And _
           Right(oUserAccount.SID, 4) = "-500" Then
            GetAdministratorName = oUserAccount.Name
            Exit For
        End If
    Next
End Function
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Joe Lagreca
Sent: Tuesday, May 16, 2006 8:31 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

Sergio,

That is the approach we are going to take. Write a script to run at
start up to delete all local accounts, except administrator, which only
we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely? We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe
On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS wrote:
> Yeah, disregard what I said about just leaving Admins on the "allow
> logon locally" setting, that's my bad. I guess best thing to do would
> be delete all existing local user accounts.
>
> -Sergio
> -----Original Message-----
> From: Joe Lagreca [mailto:lagreca@xxxxxxxxx]
> Sent: Monday, May 15, 2006 7:33 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Is there a way to force users to logon to
> domain?
>
> Al and others,
>
> We are retrofitting previously deployed workstations. Some have local
> logins, while others do not. I was just wondering if there is a way,
> via GPO, to force all users to log into the domain, instead of giving
> them the option to log into their local machine.
>
> I have been told that "In a GPO set the cached logon setting to "0"
> and make sure "allow logon locally" is only set to Admins." will not
> work. However I still need to test this myself. I was told "allow
> logon locally" will make it so all unlisted users will not be able to
> login from that workstation, whether its locally or to the domain.
>
> I realize their profiles wouldn't copy, and we can deal with that
> afterwards.
>
> Thanks.
>
> Joe
>
>
> On 5/15/06, Al Mulnick wrote:
> > I think you've seen several ways of achieving something similar to
> > what you've asked for. But I'm curious as to what you really want
> > to accomplish. You've put something very specific, but what makes
> > you want to force the logon? What's the backstory?
> >
> > Al
> >
> > On 5/15/06, Joe Lagreca wrote:
> > > Is there a way to force users to logon to domain, or to disable
> > > logging into
> > > local computer accounts via GPO?
> > >
> > > Thanks.
> > >
> >
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
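An added example, not code from any post in this thread: a PowerShell startup script that implements the "flag file" rotation deji describes, using the RID 500 lookup from Devin's script so a renamed Administrator account is still found. It assumes Windows 10 / Server 2016 or later (for the LocalAccounts cmdlets), execution as SYSTEM from a GPO startup script, and a flag path and event source chosen here purely for illustration.

```powershell
# Added example, not code from any post in this thread. Implements the
# "flag file" rotation deji describes: a startup script that sets the
# built-in Administrator to a random password that is never written down.
# Assumptions: Windows 10 / Server 2016 or later (LocalAccounts module),
# run as SYSTEM by a GPO startup script; the flag path and event source
# below are illustrative names, not anything from the thread.

$FlagFile = Join-Path $env:ProgramData 'LocalAdminRotated.flag'   # assumed path
$EventSrc = 'LocalAdminRotation'                                   # assumed source

# The flag means this host has already been rotated. Helpdesk deletes the
# flag (or resets the password remotely) to force a new password on reboot.
if (Test-Path -LiteralPath $FlagFile) { exit 0 }

# 24 CSPRNG bytes become 32 Base64 characters (upper, lower, digits, '+', '/'),
# which satisfies the default complexity rules; Get-Random is not a CSPRNG.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$plain = [Convert]::ToBase64String($bytes)

# Find the built-in Administrator by its well-known RID 500 rather than by
# name, so a renamed account is still rotated (same idea as Devin's script).
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) { throw 'Built-in Administrator (RID 500) not found' }

$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Set-LocalUser -Name $admin.Name -Password $secure

# Drop our reference to the clear-text value; nothing persists it. Only the
# fact that rotation happened is recorded, in the flag and the event log.
$plain = $null
Set-Content -LiteralPath $FlagFile -Value (Get-Date -Format o)

if (-not [System.Diagnostics.EventLog]::SourceExists($EventSrc)) {
    New-EventLog -LogName Application -Source $EventSrc
}
Write-EventLog -LogName Application -Source $EventSrc -EventId 1000 `
    -EntryType Information -Message "Rotated local admin password for '$($admin.Name)'"
```

Deployed as a Computer Configuration startup script, this leaves no password in Sysvol at all, which addresses the concern Devin and ASB raise about the hardcoded version.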
AD000001348

Posts:0

05/17/2006 1:01 AM  
Not that I can read these easily, but...

What occurs to me is that you want the users to start using the domain logon only.  If you set the cache to 0, as you likely reasoned out already, the user would have to be always connected.  That's not good in an increasingly mobile clientele.

"Force" might be too strong a tactic.  I think the better term here is "entice" the user to logon to the domain.  "Coerce" might also be relevant. The easiest answer is to use policy and ease-of-use your way forward.  Certainly you want to reduce the amount of logon locally by removing administrator access.  That won't do a lot of good if the user is a local administrator. They could just do what they want anyway in that case. If you remove the administrative access, that's well and good, but there are drawbacks to that especially for mobile workers. Can be a PITA.

Making it desirable to logon via the domain is a low-stress way to get the users better trained and overall happier. Make it easier to logon to applications such as email, IM, portal, etc. if they also logon via AD.  Have a password change policy (layer-8 policy reinforced with technical policy) that discourages using local logons and saving passwords, if not prevents saving passwords locally.

Will you get 100% compliance from day 1?  Not likely.  Will you get 80-90%? More likely if you craft this policy and deployment well. You'll have some stragglers to deal with later, but you'll spend a lot less effort with much better results if you take the low-impact way up front. 

Unless you have some other driving need to get to 100% compliance? If that's the case, then you'll have to take more drastic measures and break a few eggs while you make this omelette.

Al 
Date: Wed, 17 May 2006 05:35:42 -0400
From: abaker@xxxxxxxxx
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
You can change them remotely.

http://www.ultratech-llc.com/KB/?File=Passwords.TXT

Changing them via GPO simply means that the password will have to reside locally on the system, and there's no reason for that...

-ASB 
davewade

Posts:116

05/17/2006 8:22 AM  
Providing you have up to date scripting engines loaded you can encrypt
the script to keep casual eyes away:-

http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en
