    Local User GPO - change?

    • Dashrender

      Well, double checking... that doesn't change the user account, that only deals with groups... so... never mind.

      • bbigford

        In Common, you can set it to "Apply once and do not reapply", but that's just for the GPO processing. I'm definitely missing something here. 😐

        • IRJ

          Microsoft took this feature away a while ago...

          https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/

          • IRJ

            http://img.memecdn.com/windows-update_o_1419675.jpg

            • bbigford @IRJ

              @IRJ said:

              Microsoft took this feature away a while ago...

              https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/

              Thaaat really sucks. How is everyone else doing that same function anymore?

              • bbigford @IRJ

                @IRJ Doesn't look like Netwrix is going to be able to do what we need, nearly as easily as deploying a GPO to the server OU.

                • bbigford @IRJ

                  @IRJ Checking out LAPS**

                  • dafyre

                    Could you deploy a PowerShell script and have that execute?

                    • bbigford @dafyre

                      @dafyre said:

                      Could you deploy a PowerShell script and have that execute?

                      I considered that. Drop it into a scheduled task somewhere. But that's not as central as having a persistent GPO. That was unsecure, I get that. But to completely undo that process instead of making it more secure? That sucks. I know convenience and security need a balance. But you should give the option of central management and just have a "beware: this is unsecure" kind of move. Or release a tool that is very similar. I'm installing LAPS on a management server. Anyone tried it?

                      • bbigford

                        LAPS looks like garbage, you can't do bulk....

                        0_1460141654554_LAPS.png

                        • IRJ

                          This is how I do it.

                          https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0

                          I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.

                          • bbigford @IRJ

                            @IRJ 0_1460142052514_PW change.jpg

                              • wirestyle22

                                Beat me to it 😄

                                • bbigford @IRJ

                                  @IRJ said:

                                  This is how I do it.

                                  https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0

                                  I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.

                                  Good workaround I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.

                                  • IRJ @bbigford

                                    @BBigford said:

                                    @IRJ said:

                                    This is how I do it.

                                    https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0

                                    I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.

                                    Good workaround I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.

                                    Yeah, but also update your server and desktop images with the latest passwords to make things easier.

                                    • IRJ @bbigford

                                      @BBigford said:

                                      @IRJ said:

                                      This is how I do it.

                                      https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0

                                      I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.

                                      Good workaround I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.

                                      You could do it weekly, daily, or even hourly. The script has hardly any network impact.

                                      • IRJ

                                        P.S.

                                        It is good practice to rename your local Administrator accounts to something other than Administrator. I do that with Group Policy then set the password for the updated account name once it is changed by Group Policy.

                                        • wrx7m

                                          I ran into this problem a few months ago, though some time after an upgrade of the AD schema from 47 to 69.

                                          I solved it by using a bat file that runs as a startup script right after an MDT deployment.

                                          net user "My Admin" PasswordGoesHere /add /passwordreq:yes /fullname:"My Admin"
                                          net localgroup Administrators "My Admin" /add

                                          After the new PC is then moved to its final OU, LAPS is installed and a new random password is applied.

                                          • bbigford @wrx7m

                                            @wrx7m said:

                                            I ran into this problem a few months ago, though some time after an upgrade of the AD schema from 47 to 69.

                                            I solved it by using a bat file that runs as a startup script right after an MDT deployment.

                                            net user "My Admin" PasswordGoesHere /add /passwordreq:yes /fullname:"My Admin"
                                            net localgroup Administrators "My Admin" /add

                                            After the new PC is then moved to its final OU, LAPS is installed and a new random password is applied.

                                            Hypothetically, what if you had to run LAPS against 100 servers? Growing by 10 servers every month and you don't build them all, so you don't know if the passwords are all getting set locally with the right password ... Would you still feel that is the best tool since you can't run LAPS against groups of servers like an OU?

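
An added example, not part of any post in this thread: one way to check the concern raised in the last post, namely whether every server under an OU currently has a LAPS-managed local administrator password. It assumes legacy Microsoft LAPS, which records the password expiry in the `ms-Mcs-AdmPwdExpirationTime` attribute of each computer object; the function name `Get-LapsCoverage`, the sample servers and the OU path are hypothetical.

```powershell
# Added example: classify computers by LAPS state from their AD attributes.
# Assumption: legacy LAPS stores the expiry as a FILETIME (Int64) in
# ms-Mcs-AdmPwdExpirationTime; an empty value means LAPS never set a password.

function Get-LapsCoverage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [datetime] $Now = (Get-Date)
    )
    process {
        $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        if (-not $raw) {
            # Attribute never written: client not installed or policy not applied.
            $state = 'NotManaged'; $expires = $null
        } else {
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            # An expiry in the past means the machine has stopped rotating.
            $state = if ($expires -lt $Now.ToUniversalTime()) { 'Expired' } else { 'Current' }
        }
        [pscustomobject]@{ Name = $Computer.Name; State = $state; ExpiresUtc = $expires }
    }
}

# Constructed sample objects standing in for Get-ADComputer output.
$now = [datetime]::new(2016, 4, 8, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'SRV-01'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(20).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SRV-02'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SRV-03'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
)

# Show only the machines that need attention (SRV-02 Expired, SRV-03 NotManaged).
$sample | Get-LapsCoverage -Now $now |
    Where-Object State -ne 'Current' |
    Format-Table -AutoSize

# Against a real domain (needs the ActiveDirectory module; the OU path is a placeholder):
# Get-ADComputer -Filter * -SearchBase 'OU=Servers,DC=example,DC=com' `
#     -Properties 'ms-Mcs-AdmPwdExpirationTime' | Get-LapsCoverage
```

Run on a schedule, the `NotManaged` and `Expired` rows list the newly added servers that have not yet picked up a managed password.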