I had a request the other day from someone who knows some of my work. He had seen my scripts for manipulating local accounts on machines but couldn't make sense of them. (This was essentially because he was only seeing half of the system.) He asked if I could explain them in my blog, so here goes...
There are many different methods for manipulating local accounts on machines. Some companies make a profit from selling software that will go and talk to all of the machines and change passwords, accounts, group memberships, etc. Surprisingly, Microsoft has not yet integrated any system for easy management of local computer accounts into their own domain management systems. (Edit: Of course Microsoft has finally done something about this and you can now use Group Policy Preferences to manage local accounts quite easily. I thoroughly recommend using Group Policy instead of the method described here!)
Anyway, one way to achieve this is to use the Group Policy system. Computers run the Computer Startup Scripts with system administrative rights (Computer Configuration / Windows Settings / Scripts / Startup.) This enables the savvy administrator to run a script that can be used to manipulate local accounts.
What about the fact that the passwords may be exposed in the script? Some administrators will suggest that you do it in VBScript and then encrypt it. This is not a good idea because it is far too easy to decrypt these files. IMHO, it is much better to let Microsofts domain security protect it for you. (I can't believe I just said that. Scary but true!)
You can place these 'scriptlets' below in your scripts folder and pass the required parameters to them from your GPO. You secure your GPO by removing Authenticated Users from having read and apply group policies rights and giving Domain Computers read and apply group policy rights. Using this method, the users cannot see the new passwords, but the computers which are running the scripts can.
There is a caveat. The computers have to be processing group policies in order to run the scripts. This may be prevented by slow link detection, the behaviour of which can be modified. It may also not be processed by computers coming into the network by remote access. A user logging into the computer by remote access can process the scripts, but a user logging into your VPN or dial-up after logging in the computer using cached credentials will not process the scripts.
IDCHPASS.BAT: Used to Change a local user identity password.
@ECHO OFF
REM USAGE: IDCHPASS username newpassword
NET USER %1 %2
IDCREATE.BAT: Used to create a local identity.
@ECHO OFF
REM USAGE: IDCREATE username password
NET USER %1 %2 /ADD
IDDELETE.BAT: Used to delete a local identity.
@ECHO OFF
REM USAGE: IDDELETE username
NET USER %1 /DELETE
IDENABLE.BAT: Used to enable or disable a local identity.
@ECHO OFF
REM USAGE: IDENABLE username YES\NO
NET USER %1 /ACTIVE:%2
IDGROUP.BAT: Used to change the group membership of a local identity, or to create or delete local groups.
@ECHO OFF
REM USAGE: IDGROUP group ADD\DELETE username
REM USERNAME IS ADDED TO OR DELETED FROM GROUP
REM USERNAME CAN BE LEFT OFF TO ADD OR DELETE GROUPS
NET LOCALGROUP %1 %3 /%2
A shoutout goes to ripvankip for giving me something to write about! ;)
Sean
Sunday, November 15, 2009
Subscribe to:
Post Comments (Atom)
Posts
No comments:
Post a Comment