Group Policy script protection

Group Policy script protection Matt 12-07-2007
Posted by Matt on December 7, 2007, 9:58 am
We have an environment with 17,000 PCs on which we periodically change the
local administrator password with a VBScript using Group Policy.

Does anyone know a way to hide the new password in the script in case a user
navigates to the policy script file and opens it and reads it?

We have tried the MS Script Encoder to change the .vbs file to .vbe, but there
is simple code on the internet that enables you to read it anyway.

Posted by Alun Jones on December 7, 2007, 12:19 pm
> We have an environment with 17,000 pc's which we periodically change the
> local administrator password with a vbscript using group policy.
>
> Does anyone know a way to hide the new password in the script in case a
> user
> navigates to the policy script file and opens it and reads it?
>
> We have tried the MS script encoder to change the vbs file to vbe but
> there
> is simple code on the internet that enables you to read it anyway.

No, there's really no good way to do this. However, rather than doing this
through a pull method, why not push the password change out? Any 'pull'
method is going to require that the machine doing the pulling can read the
password, whether it's in a script or hard-coded into an executable.

As a developer, I know the NetUserChangePassword function is what I would
use to do this.

For a script writer, you probably want to do something like the advice
quoted in
http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1015.mspx,
except you really want to use ChangePassword, instead of SetPassword - you
know the old password, which is required by ChangePassword. If you call
SetPassword, you are forcing a password to be set, which has the nasty
side-effect of making your DPAPI-protected information (private keys, etc)
inaccessible.

Alun.

Posted by Florian Frommherz [MVP] on December 8, 2007, 12:57 am
Howdie Matt!

Matt wrote:
> Does anyone know a way to hide the new password in the script in case a user
> navigates to the policy script file and opens it and reads it?

I wouldn't do that locally on the machines. Try using a remote script
that changes the admin passwords on the machines for you:

http://www.frickelsoft.net/blog/?p=59

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.

Posted by Roger Abell [MVP] on December 10, 2007, 4:01 am
Hi,

You have already, with 17,000 boxes, run into the issue of
tracking which machines have old and which new password.

There are alternatives to "enhance" the non-protection of the
trivial uuencoding of the script obfuscator. The main one is
from recognizing that the script used is a startup/shutdown
script that is run as the System account, and so the permissions
on the script in Syslogon need a grant to Domain Computers,
not to anything that includes Domain Users. With that change
someone needs to first have an execution context that is running
as Local System on their domain-joined computer in order to
see that the script is encoded.

Roger

> We have an environment with 17,000 pc's which we periodically change the
> local administrator password with a vbscript using group policy.
>
> Does anyone know a way to hide the new password in the script in case a
> user
> navigates to the policy script file and opens it and reads it?
>
> We have tried the MS script encoder to change the vbs file to vbe but
> there
> is simple code on the internet that enables you to read it anyway.
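A push-style rotation of the kind Alun and Florian recommend, with the per-machine status tracking Roger raises, as an added PowerShell example that is not from any of the posters; it assumes computers.txt lists one hostname per line and that it runs under an account that is an administrator on every target.

```powershell
# Added example, not from the thread. Pushes a local Administrator password
# change from an admin workstation to each machine in computers.txt
# (assumed: one hostname per line), so no password ever sits in a GPO script.
# Uses the ADSI WinNT provider's ChangePassword, which needs the old password
# and so keeps DPAPI-protected data usable, unlike SetPassword.
param(
    [string]$ComputerList = '.\computers.txt',
    [string]$Report       = '.\rotation-report.csv'
)

$old = Read-Host -Prompt 'Current local Administrator password' -AsSecureString
$new = Read-Host -Prompt 'New local Administrator password'     -AsSecureString

# ADSI takes plain strings, so unwrap only here, in memory, on the admin box.
$oldPlain = (New-Object System.Net.NetworkCredential('', $old)).Password
$newPlain = (New-Object System.Net.NetworkCredential('', $new)).Password

$results = foreach ($computer in Get-Content -Path $ComputerList) {
    $status = 'Changed'
    try {
        $account = [ADSI]"WinNT://$computer/Administrator,user"
        $account.ChangePassword($oldPlain, $newPlain)
    } catch {
        # Typical causes: host offline, old password already rotated,
        # account renamed, or caller not an admin on the target.
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Computer  = $computer
        Status    = $status
        Timestamp = (Get-Date).ToString('s')
    }
}

Remove-Variable oldPlain, newPlain

# The report records which machines now hold the new password and which
# still need follow-up, so the old/new state is tracked centrally.
$results | Export-Csv -Path $Report -NoTypeInformation
$failed = @($results | Where-Object { $_.Status -ne 'Changed' }).Count
Write-Host ("Changed: {0}  Failed: {1}" -f ($results.Count - $failed), $failed)
```

Machines that were offline stay in the report as failures and can be re-run from that list once they are reachable.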
