End User Software Management When Running as Normal Users on Windows
-
@Brett said:
Also please note that you do not want LAPS to apply to domain controllers since they have no local accounts. It will change the domain's Administrator account password. I found that out while testing LAPS.
I still use it on servers, just not DCs.
Doh! it changes Domain Admin accounts - that's not cool. Though, I guess this means that your domain admin account name was the same as the local account? or are you talking specifically about the Administrator account?
I've changed the name of my Domain Administrator account so that's not an issue.
-
@Dashrender said:
@Brett said:
Also please note that you do not want LAPS to apply to domain controllers since they have no local accounts. It will change the domain's Administrator account password. I found that out while testing LAPS.
I still use it on servers, just not DCs.
Doh! it changes Domain Admin accounts - that's not cool. Though, I guess this means that your domain admin account name was the same as the local account? or are you talking specifically about the Administrator account?
I've changed the name of my Domain Administrator account so that's not an issue.
Yes, you're exactly right. So, as I'm sure you know but just to be clear, by default the built-in Administrator account is named Administrator on all Windows and Windows Server OSes. And when you upgrade a server to become a DC for the first time in an environment it converts that built-in Administrator account into the domain's Administrator account, and it's still named Administrator. (So suddenly you go from using ServerName\Administrator to the all-powerful NetBIOSDomainName\Administrator with the same password the first time you create a DC.)
LAPS by default changes the account named Administrator, whether it's just a local built-in account on a workstation or server or the domain account. So if you haven't changed LAPS away from the defaults and you haven't changed your built-in Administrator account (either on a workstation or on the DCs) it will change their password.
I like to leave the built-in Administrator accounts alone on the workstations. They're disabled by default and when you first install Windows it has you create an alternative local admin account anyway. So I figure there's some purpose behind that. Plus, I've read that even if you rename the built-in Administrator account it's trivial for attackers to find them b/c their SID is unique and stays the same no matter what the name is changed to. It's another example of how security through obscurity doesn't really work. So that's why I opt to leave them disabled and create an account named LocalAdmin instead and I change the LAPS policy to target these for password changes.
Regarding the built-in domain administrator account named Administrator, I generally leave it in the hands of my clients, as an in-case-of-emergency-use-this-account. But for everyday administration it's never touched. So I just don't apply the LAPS GPO to the DC OU to be absolutely sure, but by the fact that I have the LAPS policy changed to target accounts named LocalAdmin it shouldn't affect them anyway.
I hope that made sense!
-
@Brett said:
I like to leave the built-in Administrator accounts alone on the workstations. They're disabled by default and when you first install Windows it has you create an alternative local admin account anyway. So I figure there's some purpose behind that.
I'm guessing they are there for legacy support, nothing more.
As for the system having you make a new one when you first install Windows - do they? I haven't see that. What I mean is - sure Windows has you make a new account but they in no way tell you it's a local admin account, which is just sad! Even Apple has you create an admin account and I'm pretty sure right after that they make you make an non-admin account for daily use.
So, yeah the first new account created is an admin account, but this in now way helps the user to have a more secure environment, but most will never create a second account.
I typically don't enable the local admin account either. I do have GPO change it's password to something, so that process could be changed to use LAPS. I also have my GPO remove the during install created user from the local admin group (really it removes everything that I don't explicitly allow). Then I have it add my global Domain PC Admin group to the local Admins group.
-
@Brett said:
Plus, I've read that even if you rename the built-in Administrator account it's trivial for attackers to find them b/c their SID is unique and stays the same no matter what the name is changed to. It's another example of how security through obscurity doesn't really work. So that's why I opt to leave them disabled and create an account named LocalAdmin instead and I change the LAPS policy to target these for password changes.
I have heard that finding the admin account through the SID is trivial. So I'm wondering, is your newly added account also trivially found via SID? If so, potato - potato... but if not, then cool, you've gained some small amount of security.
-
@Dashrender said:
@Brett said:
Plus, I've read that even if you rename the built-in Administrator account it's trivial for attackers to find them b/c their SID is unique and stays the same no matter what the name is changed to. It's another example of how security through obscurity doesn't really work. So that's why I opt to leave them disabled and create an account named LocalAdmin instead and I change the LAPS policy to target these for password changes.
I have heard that finding the admin account through the SID is trivial. So I'm wondering, is your newly added account also trivially found via SID? If so, potato - potato... but if not, then cool, you've gained some small amount of security.
I think that it can be found easily. What I'm not sure is if it can be identified as the admin account easily.
-
@scottalanmiller I think the only SID that can be easily identified as and admin account is the default Administrator account.
-
Boy that's pretty sad if the SID of the local admin is either static across all Windows machines, or if not static is somehow easy for non admin users of the system to discover that fact - that seems wrong..
-
@brianlittlejohn said:
@scottalanmiller I think the only SID that can be easily identified as and admin account is the default Administrator account.
That's what I've always believed.
-
@Dashrender said:
Boy that's pretty sad if the SID of the local admin is either static across all Windows machines, or if not static is somehow easy for non admin users of the system to discover that fact - that seems wrong..
Same on UNIX. Common UID (UNIX SID) across all OSes.
-
A list of well known SID info:
-
@Brett Depending on what FFL or DFL you are on, you won't even be able to use GPP to create a user because of the lack of password access in newer versions. I tried and it wouldn't work because I had to have a password per the policy but I couldn't add one per the change in GPP. The workaround was a script that I have for new machines that adds a local account via GPO startup script then adds it to the local administrators group. The new PC stays in a temporary OU for a few things to be installed, then moved to the permanent OU where the remaining items are run, including the installation of LAPS, which then changes the newly-created local admin password.
Here is the bat file that is called in the startup:
net user "My Admin" mypassword /add /passwordreq:yes /fullname:"My Admin"
net localgroup Administrators "My Admin" /add
