Local User GPO - change?
-
Am I missing something? I went to modify a GPO I created a few weeks ago... The password areas are grayed now, whereas they haven't ever been gray before... Changing the actions does nothing. I'm just trying to change the local admin password on all servers.
-
You're in the Preferences area of GPO. Generally, those are an apply once and never again - could that apply here? So you'd have to delete it, then add it to make a change?
For something like this I think I would rather use the Policies area - ok not rather, I do use the Policies area.
Policies > Windows Settings > Security Settings > Restricted Groups -
Well - double checking... that doesn't change the user account, that only deals with groups... so... never mind.
-
In common, you can set to apply once and do not reapply, but that's just for the GPO processing. I'm definitely missing something here.
-
Microsoft took this feature away a while ago...
https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/
-
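Added example, not part of the thread or any poster's script: MS14-025 disabled the password fields but did not remove passwords already saved in existing Preferences items, so a read-only audit like the one below lists what is still stored in SYSVOL and needs to be deleted. The domain name is a placeholder assumption, and the script only reports item metadata, never the stored value.

```powershell
# Added example: read-only audit of SYSVOL for Group Policy Preferences items
# that still carry a stored password (the "cpassword" attribute).
param(
    # Assumption: placeholder domain name, replace with your own.
    [string]$Domain = 'corp.example.com'
)

$policies = "\\$Domain\SYSVOL\$Domain\Policies"

$findings = Get-ChildItem -Path $policies -Recurse -File -Filter '*.xml' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try   { $doc = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
        catch { Write-Warning "Could not parse $($file.FullName)"; return }

        # The GPO GUID is the {…} folder name in the path under Policies.
        $guid = if ($file.FullName -match '\{[0-9A-Fa-f\-]{36}\}') { $Matches[0] }

        # Any element with a non-empty cpassword attribute is a stored credential.
        foreach ($node in $doc.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')) {
            # The preference item (User, Task, Drive, ...) is the parent element.
            $item = $node.ParentNode -as [System.Xml.XmlElement]
            [pscustomobject]@{
                GpoGuid = $guid
                File    = $file.Name
                Item    = if ($item) { $item.GetAttribute('name') }
                Account = $node.GetAttribute('userName')
                Changed = if ($item) { $item.GetAttribute('changed') }
                Path    = $file.FullName
            }
        }
    }

if ($findings) {
    $findings | Sort-Object GpoGuid, File | Format-Table -AutoSize -Wrap
    Write-Warning "$(@($findings).Count) preference item(s) still store a password. Remove them from the GPO and rotate the affected account passwords."
} else {
    Write-Output "No stored Group Policy Preferences passwords found under $policies."
}
```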
-
@IRJ said:
Microsoft took this feature away a while ago...
https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/
Thaaat really sucks. How is everyone else doing that same function anymore?
-
@IRJ Doesn't look like Netwrix is going to be able to do what we need, nearly as easily as deploying a GPO to the server OU.
-
@IRJ Checking out LAPS
-
Could you deploy a PowerShell script and have that execute?
-
@dafyre said:
Could you deploy a PowerShell script and have that execute?
I considered that. Drop it into a scheduled task somewhere. But that's not as central as having a persistent GPO. That was unsecure, I get that. But to completely undo that process instead of making it more secure? That sucks. I know convenience and security need a balance. But you should give the option of central management and just have a "beware: this is unsecure" kind of move. Or release a tool that is very similar. I'm installing LAPS on a management server. Anyone tried it?
-
LAPS looks like garbage, you can't do bulk....
-
This is how I do it.
https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0
I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.
-
Beat me to it
-
@IRJ said:
This is how I do it.
https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0
I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.
Good workaround I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.
-
@BBigford said:
@IRJ said:
This is how I do it.
https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0
I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.
Good workaround I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.
Yeah, but also update your server and desktop images with the latest passwords to make things easier.
-
@BBigford said:
@IRJ said:
This is how I do it.
https://drive.google.com/open?id=0B-Zj7y7G1-C_aGFCeFI1Vzk4Zzh1eHN3ZDY3Rkg5YXVscDg0
I am having trouble uploading that image for some reason on ML. If someone could upload it for me, that would be great.
Good workaround I guess. So you schedule it to redeploy then? We add lots of servers to our environment regularly, so a persistent change is necessary to always make sure a server is changing the local admin, in case it is needed.
You could do it weekly, daily, or even hourly. The script has hardly any network impact.
-
P.S.
It is good practice to rename your local Administrator accounts to something other than Administrator. I do that with Group Policy, then set the password for the updated account name once it is changed by Group Policy.