
Changing Admin PW on a large number of servers

Newsgroup: microsoft.public.windows.server.security
Posted by Jay on April 8, 2006, 3:57 pm
We have a new policy where the Admin PW has to be changed on all Win 2003
servers every week. Is there a tool that I can use to automate this, as we've
got about 100 servers?

Jay



Posted by Ronni Pedersen on April 9, 2006, 3:21 pm
Hi Jay,

There are more questions than answers to this issue.
You can always make a script or something like that, but I really don’t like
that solution.

Do you really need the Admin user account?
This is what I would do:
1. Set the local admin password to <blank> (then you can't access the
machine over the network, with that user account)
2. Rename the local admin account to something else. (Just in case).
3. Disable the local admin account, using group policies.
4. Use domain accounts only.

There are absolutely no reasons whatsoever to use the local accounts.


--
Best Regards
Ronni Pedersen
Infrastructure Architect


Posted by Steven L Umbach on April 9, 2006, 6:33 pm
The problem with that approach is that it assumes all the servers are
physically secured, and that only those who should be able to access them
physically can do so and are authorized to have administrator access, which
may or may not be the case here. If not, then a regular user that has physical
access could potentially boot into Safe Mode and gain administrator access to
the server. Of course any user that can have physical access can be a threat,
but I would still make sure the built-in administrator account has a complex
password if these servers are not physically secured from everybody but
administrators, as an additional barrier to entry. And of course, at least use
locked computer cases that also block access to the drives, password-protect
the CMOS settings, and configure the machines to boot only from the system
drive, though that may not prevent access by the truly skilled and malicious,
which is why physical security is important. --- Steve





Posted by Roger Abell [MVP] on April 10, 2006, 11:12 am

I shudder at the disenchanted (and soon to leave employ) machine-room
operations staff, or even janitorial staff, scenario.





Posted by Steven L Umbach on April 9, 2006, 6:50 pm
You could either use a Group Policy "startup" script that uses the net user
command [net help users if you need more info], or a more sophisticated
script that would work regardless of the administrator account name and
report if a computer was not active, or a utility such as cusrmgr or pspasswd
that can be used in a batch file. The links below explain more. Group Policy
startup scripts do not need read permissions for Authenticated Users, which
you should remove, adding Domain Computers instead, or else users could
possibly navigate to the sysvol share and read the script to obtain the
password. Of course, startup scripts would not run until the computer has been
restarted. --- Steve

http://support.microsoft.com/kb/322241/EN-US/ --- Group Policy startup
script
http://www.sysinternals.com/Utilities/PsPasswd.html --- PsPasswd. Note that
it can refer to a filename with computer names, which may need to be fully
qualified names.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q272530 --- this
would be something to consider if you need different passwords for each
server.
http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1015.mspx


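An added example, not code from the thread or from any of the posters, that pulls together Ronni's point about not depending on the account's name (rename it, check that it is disabled) and Steve's pointers to a script that works whatever the account is called, reports machines that are not active, and uses a different password per server (the KB 272530 idea) rather than a GPO startup script that leaves the password sitting in SYSVOL. It is written for Windows PowerShell 3.0 or later, which is not what a 2003-era shop would have typed, but the ADSI WinNT provider it talks to is the same one the old VBScript/cusrmgr approaches used and works against Windows Server 2003 targets. Assumptions, all mine: it runs on a domain-joined admin workstation as an account that is a local administrator on every target; the WinNT provider (SMB/RPC) is reachable; `servers.txt` and `admin-rotation.csv` are hypothetical file names; and there are no domain controllers in the list, because on a DC the RID-500 account the script finds is the domain Administrator.

```powershell
<#
  Added example (not from the original thread): rotate the built-in local
  Administrator password on a list of Windows servers from one admin workstation.
  - Finds the account by its well-known RID 500, so a renamed account is still found.
  - Generates a different random password per server.
  - Reports unreachable or failed machines instead of silently skipping them.
  - Reports whether the account is disabled (to check a "disable it via GPO" policy).
  Assumptions (mine): Windows PowerShell 3.0+; run as a local admin on every target;
  WinNT ADSI provider reachable; no domain controllers in the list.
#>
param(
    [string]$ServerListPath = '.\servers.txt',                                  # hypothetical: one name per line
    [string]$RecordPath     = (Join-Path $env:USERPROFILE 'admin-rotation.csv'), # hypothetical output file
    [int]$PasswordLength    = 20
)

function New-RandomPassword {
    param([int]$Length = 20)
    # CSP-backed randomness with rejection sampling, so every character is equally likely.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#%^*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars.ToArray()
}

function Get-BuiltinAdministrator {
    param([string]$ComputerName)
    # The built-in Administrator keeps RID 500 no matter what it has been renamed to,
    # so enumerate local users and match on the SID instead of on the name.
    $computer = [ADSI]"WinNT://$ComputerName,computer"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'User') { continue }
        $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$child.Properties['objectSid'].Value, 0)
        if ($sid.Value.EndsWith('-500')) { return $child }
    }
    return $null
}

function Set-BuiltinAdministratorPassword {
    param([string]$ComputerName, [string]$NewPassword)
    $admin = Get-BuiltinAdministrator -ComputerName $ComputerName
    if ($null -eq $admin) { throw "no RID-500 account found on $ComputerName" }
    $admin.SetPassword($NewPassword)   # IADsUser::SetPassword, takes effect immediately
    $admin.SetInfo()
    $flags = [int]$admin.Properties['UserFlags'].Value
    return [pscustomobject]@{
        Account  = $admin.Name
        Disabled = (($flags -band 0x2) -ne 0)   # ADS_UF_ACCOUNTDISABLE
    }
}

# Create the record file first and lock it to the current user before any
# password is written to it: once filled, it is the most sensitive file on the box.
New-Item -ItemType File -Path $RecordPath -Force | Out-Null
$acl = Get-Acl -Path $RecordPath
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
Set-Acl -Path $RecordPath -AclObject $acl

$servers = Get-Content $ServerListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$results = foreach ($server in $servers) {
    $row = [pscustomobject]@{ Computer = $server; Account = ''; Disabled = ''; Password = ''; Status = '' }
    if (-not (Test-Connection -ComputerName $server -Count 1 -Quiet)) {
        $row.Status = 'unreachable'; $row; continue
    }
    try {
        $pw   = New-RandomPassword -Length $PasswordLength
        $info = Set-BuiltinAdministratorPassword -ComputerName $server -NewPassword $pw
        $row.Account = $info.Account; $row.Disabled = $info.Disabled
        $row.Password = $pw; $row.Status = 'changed'
    } catch {
        $row.Status = "failed: $($_.Exception.Message)"
    }
    $row
}

$results | Export-Csv -Path $RecordPath -NoTypeInformation
$results | Select-Object Computer, Account, Disabled, Status | Format-Table -AutoSize
```

Run it weekly from a scheduled task on a locked-down admin workstation, e.g. `.\Rotate-BuiltinAdmin.ps1 -ServerListPath .\servers.txt`. Compared with the GPO startup-script route, nothing is written to SYSVOL and no reboot is needed, but the CSV record is now the thing that has to be protected: move its contents into whatever password store is in use and delete it. The `Disabled` column is what you check if you follow Ronni's advice and disable the account through Group Policy; rotating a disabled account's password still costs nothing and keeps the Safe Mode case Steve describes covered.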


