Freigeben über


Solution for management of built-in Administrator account's password via GPO

Solution for management of builtin Administrator account's password via GPO using custom Client-Side GPO Extension (Author Jiri Formacek). Solution periodically changes pwd of admin account to random value; it stores current builtin admin password in AD confidential attribute on computer account

https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789/view

 

  • Solution is designed to meet the following requirements

Password must be different on each workstation  

Password must not be guessable from name of workstation, MAC addresss, etc.

There must be a way for eligible people (IT support staff) to easily know the password when necessary

Password management solution must scale to support thousands of workstations

Password management solution must be easily deployable and manageable

Password management mechanism must be resistant against tampering with

Password management solution must support renaming of builtin Administrator account

Password management solution must offer the mechanism for bulk password change when necessary

Solution must support Windows 2000 and above. For Vista and Win7, support of both x86 and amd64 platforms is required

 

 

  • Installation process of complete solution includes procedures that will be performed manually. Those procedures include:

Mandatory: Schema extension

Mandatory: Delegation of permissions on computer accounts

Mandatory: Registration of CSE with GPO

Optional: Configuration of installation startup script in GPO – when installing via startup script

Mandatory: Installation of CSE on managed computer – via MSI

  • Or copy the AdmPwd.dll to target computer and call DllRegisterServer on it (via regsvr32.exe)

Optional: Installation of fat client and Powershell module – when using this types of management UI

Optional: Configuration of constrained delegation for web page – when using web page UI

 

 

Domain controller requirements.

1. Net Framework 4.0 or above

https://www.microsoft.com/en-us/download/confirmation.aspx?id=40779

 

2. AdmPwd setup

https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789/file/97059/1/Installers.zip

 

 

 

For run AdmPwd.PS on powershell with NET. 4.0 you need to create a config file, named PowerShell.Exe.Config, located in the same folder as PowerShell.Exe.

 

1. Run the fallowing command from Powershell Add-Type -Path "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Numerics.dll"

2. Under C:\Windows\System32\WindowsPowerShell\1.0\ create a config file, named PowerShell.Exe.Config with this xml .

 

<?xml version="1.0"?>

<configuration>

    <startup useLegacyV2RuntimeActivationPolicy="true">

        <supportedRuntime version="v4.0.30319"/>

        <supportedRuntime version="v2.0.50727"/>

    </startup>

</configuration>

3. Restart the domain controller.

 

https://tfl09.blogspot.cz/2010/08/using-newer-versions-of-net-with.html

 

It is required to extend the schema of AD by two new attributes that store password of built-in Administrator account for each workstation and timestamp of password expiration.

AdmPwdExpirationTime and ms-MCS-AdmPwd

 

Method 1

Ldifde –i –f AdmPwd_SchemaUpdate.ldf –v –c CN=X #schemaNamingContext

 

Or

 

Method 2

Import-module AdmPwd.PS

Update-AdmPwdADSchema

 

 

The account which is using for extend schema must be member of Schema Admin

 

After schema extend , there will be 2 new attiributes on every computer object

 

 

Add Write permission to ms-MCS-AdmPwdExpirationTime and ms-MCS-AdmPwd attributes to SELF

Import-module AdmPwd.PS

Set-AdmPwdComputerSelfPermission -OrgUnit <name of ou>

 

 

Add CONTROL_ACCESS permission to ms-MCS-AdmPwd attribute

Import-module AdmPwd.PS

Set-AdmPwdReadPasswordPermission -OrgUnit <name of OU on which you want to delegate the permissions> -AllowedPrincipals <identification of users/groups that should be allowed to read password>

 

 

Add Write permission to ms-MCS-AdmPwdExpirationTime attribute 

Import-module AdmPwd.PS

Set-AdmPwdResetPasswordPermission -OrgUnit <name of OU on which you want to delegate the permissions> -AllowedPrincipals <identification of users/groups that should be allowed to reset password>

 

 

 

Registration of CSE with chosen Group Policy Object to make GPO framework trigger the execution of CSE when refresh event of specific GPO occurs.

 

 

Import-module AdmPwd.PS

Register-AdmPwdWithGPO -GpoIdentity:<name of GPO>

 

  

You must install to CSE on all managed computers or or copy the AdmPwd.dll to target computer and call DllRegisterServer on it (via regsvr32.exe)

https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789/file/97059/1/Installers.zip

 

Remove All Extended rights permission

This task will be performed using AdsiEdit.msc tool using the following procedure:

  1.   Open AdsiEdit tool and navigate to OU that contains computer accounts that are in scope of the solution
  2.   Display Properties dialog box of the OU, click Permissions tab and click Advanced button
  3.   Locate any entry that has enabled the permission All extended rights in the permission list and should not be able to read the passwords
  4.   Click to clear the checkbox for this permission and confirm by clicking OK until you close all opened dialog boxes
  5.   Important: This will remove ALL extended rights, not only CONTROL_ACCESS right, so be sure that all roles will retain all necessary permissions required for their regular work.
  6.   Repeat this procedure for any additional containers that contain computer accounts that are in scope of the solution and are not subcontainers of already processed containers

 

 

https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789/file/96116/1/Documentation.zip