Solution for management of built-in Administrator account's password via GPO
Solution for management of the built-in Administrator account's password via GPO using a custom Client-Side GPO Extension (CSE); author Jiri Formacek. The solution periodically changes the password of the built-in Administrator account to a random value and stores the current password in a confidential AD attribute on the computer account.
https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789/view
- The solution is designed to meet the following requirements:
Password must be different on each workstation
Password must not be guessable from the name of the workstation, MAC address, etc.
There must be a way for eligible people (IT support staff) to easily know the password when necessary
Password management solution must scale to support thousands of workstations
Password management solution must be easily deployable and manageable
Password management mechanism must be resistant against tampering
Password management solution must support renaming of builtin Administrator account
Password management solution must offer the mechanism for bulk password change when necessary
Solution must support Windows 2000 and above. For Vista and Win7, support of both x86 and amd64 platforms is required
- Installation of the complete solution includes the following procedures, which are performed manually:
Mandatory: Schema extension
Mandatory: Delegation of permissions on computer accounts
Mandatory: Registration of CSE with GPO
Optional: Configuration of installation startup script in GPO – when installing via startup script
Mandatory: Installation of CSE on managed computer – via MSI
- Or copy the AdmPwd.dll to target computer and call DllRegisterServer on it (via regsvr32.exe)
Optional: Installation of fat client and PowerShell module – when using these types of management UI
Optional: Configuration of constrained delegation for web page – when using web page UI
Domain controller requirements.
1. .NET Framework 4.0 or above
https://www.microsoft.com/en-us/download/confirmation.aspx?id=40779
2. AdmPwd setup
To run AdmPwd.PS in PowerShell on .NET 4.0 you need to create a config file named PowerShell.Exe.Config, located in the same folder as PowerShell.Exe.
1. Run the following command from PowerShell: Add-Type -Path "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Numerics.dll"
2. Under C:\Windows\System32\WindowsPowerShell\1.0\ create a config file named PowerShell.Exe.Config with this XML:
<?xml version="1.0"?>
<configuration>
<startup useLegacyV2RuntimeActivationPolicy="true">
<supportedRuntime version="v4.0.30319"/>
<supportedRuntime version="v2.0.50727"/>
</startup>
</configuration>
3. Restart the domain controller.
https://tfl09.blogspot.cz/2010/08/using-newer-versions-of-net-with.html
It is required to extend the AD schema by two new attributes that store, for each workstation, the password of the built-in Administrator account and the timestamp of the password expiration:
ms-MCS-AdmPwdExpirationTime and ms-MCS-AdmPwd
Method 1
ldifde -i -f AdmPwd_SchemaUpdate.ldf -v -c "CN=X" #schemaNamingContext
Or
Method 2
Import-module AdmPwd.PS
Update-AdmPwdADSchema
The account used to extend the schema must be a member of the Schema Admins group.
After the schema extension there will be 2 new attributes on every computer object.
Add Write permission to ms-MCS-AdmPwdExpirationTime and ms-MCS-AdmPwd attributes to SELF
Import-module AdmPwd.PS
Set-AdmPwdComputerSelfPermission -OrgUnit <name of ou>
Add CONTROL_ACCESS permission to ms-MCS-AdmPwd attribute
Import-module AdmPwd.PS
Set-AdmPwdReadPasswordPermission -OrgUnit <name of OU on which you want to delegate the permissions> -AllowedPrincipals <identification of users/groups that should be allowed to read password>
Add Write permission to ms-MCS-AdmPwdExpirationTime attribute
Import-module AdmPwd.PS
Set-AdmPwdResetPasswordPermission -OrgUnit <name of OU on which you want to delegate the permissions> -AllowedPrincipals <identification of users/groups that should be allowed to reset password>
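Before registering the CSE it is worth confirming that both the schema extension and the SELF write delegation actually landed, because the CSE silently fails to store the password if the computer cannot write its own attributes. The following PowerShell script is an added verification example, not part of the AdmPwd solution or its AdmPwd.PS module; it assumes the ActiveDirectory module is installed on the machine where it runs, and the OU distinguished name is a placeholder to replace.

```powershell
# Added verification example (not AdmPwd code): check the schema extension and the
# SELF write delegation on an OU before registering the CSE with a GPO.
# Assumptions: ActiveDirectory module available; $TargetOU is a placeholder.
Import-Module ActiveDirectory

$TargetOU = 'OU=Workstations,DC=example,DC=com'   # placeholder: OU in scope of the solution
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# ACEs reference attributes by schemaIDGUID, so resolve each attribute's GUID from the schema.
# A missing attribute means Update-AdmPwdADSchema (or the ldifde import) has not been run.
function Get-AttributeGuid {
    param([string]$LdapDisplayName)
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $attr) { throw "Schema attribute '$LdapDisplayName' not found; extend the schema first." }
    [guid]$attr.schemaIDGUID
}

$attributes = @{
    'ms-Mcs-AdmPwd'               = Get-AttributeGuid 'ms-Mcs-AdmPwd'
    'ms-Mcs-AdmPwdExpirationTime' = Get-AttributeGuid 'ms-Mcs-AdmPwdExpirationTime'
}

# SELF is the well-known SID S-1-5-10: the CSE writes both attributes under the computer's own identity.
$self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'
$acl  = Get-Acl -Path "AD:\$TargetOU"

foreach ($name in $attributes.Keys) {
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $attributes[$name] -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $self
    } | Select-Object -First 1

    if ($ace) {
        "OK      SELF can write $name on $TargetOU (inheritance: $($ace.InheritanceType))"
    } else {
        "MISSING SELF write on $name; run Set-AdmPwdComputerSelfPermission -OrgUnit '$TargetOU'"
    }
}
```

The script reads the OU's security descriptor through the AD: drive that the ActiveDirectory module provides and matches ACEs by attribute GUID rather than by display name, which is how the directory itself evaluates them. Run it once per OU passed to Set-AdmPwdComputerSelfPermission; a MISSING line for either attribute means managed computers in that OU will not be able to rotate and store their password.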
Register the CSE with the chosen Group Policy Object so that the Group Policy framework triggers execution of the CSE whenever that GPO is refreshed.
Import-module AdmPwd.PS
Register-AdmPwdWithGPO -GpoIdentity:<name of GPO>
You must install the CSE on all managed computers, or copy the AdmPwd.dll to the target computer and call DllRegisterServer on it (via regsvr32.exe).
Remove All Extended rights permission
This task is performed with the AdsiEdit.msc tool, using the following procedure:
- Open AdsiEdit tool and navigate to OU that contains computer accounts that are in scope of the solution
- Display Properties dialog box of the OU, click Permissions tab and click Advanced button
- Locate any entry in the permission list that has the permission "All extended rights" enabled and that should not be able to read the passwords
- Click to clear the checkbox for this permission and confirm by clicking OK until you close all opened dialog boxes
- Important: This will remove ALL extended rights, not only CONTROL_ACCESS right, so be sure that all roles will retain all necessary permissions required for their regular work.
- Repeat this procedure for any additional containers that contain computer accounts that are in scope of the solution and are not subcontainers of already processed containers
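Because "All extended rights" implicitly includes the CONTROL_ACCESS right on ms-MCS-AdmPwd, the practical question for step three above is "who can read the password?". The following PowerShell script is an added audit example, not part of the AdmPwd solution; it lists every trustee on an OU (and any explicit entries on computer objects beneath it) that holds full control, all extended rights, or the attribute-specific control access right, so the ADSI Edit clean-up can be targeted and then re-checked. It assumes the ActiveDirectory module is available and uses a placeholder OU distinguished name.

```powershell
# Added audit example (not AdmPwd code): report which principals can read ms-Mcs-AdmPwd
# in an OU, via full control, "All extended rights" or the attribute-specific CONTROL_ACCESS.
# Assumptions: ActiveDirectory module available; $TargetOU is a placeholder.
Import-Module ActiveDirectory

$TargetOU = 'OU=Workstations,DC=example,DC=com'   # placeholder: OU in scope of the solution

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pwdGuid  = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID).schemaIDGUID

$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-PasswordReaders {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $reason = $null
        if ($ace.ActiveDirectoryRights.HasFlag($GenericAll)) {
            $reason = 'Full control'
        } elseif ($ace.ActiveDirectoryRights.HasFlag($ExtendedRight)) {
            # An empty ObjectType GUID means the ACE grants every extended right, which is
            # exactly the "All extended rights" entry the ADSI Edit procedure tells you to clear.
            if ($ace.ObjectType -eq [guid]::Empty)    { $reason = 'All extended rights' }
            elseif ($ace.ObjectType -eq $pwdGuid)    { $reason = 'CONTROL_ACCESS on ms-Mcs-AdmPwd' }
        }
        if ($reason) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Identity  = $ace.IdentityReference.Value
                Reason    = $reason
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Inheritable ACEs on the OU flow down to computer objects; explicit ACEs set directly on a
# computer object would bypass the OU clean-up, so both are collected.
$results = @(Get-PasswordReaders -DistinguishedName $TargetOU)
Get-ADComputer -SearchBase $TargetOU -Filter * | ForEach-Object {
    $results += Get-PasswordReaders -DistinguishedName $_.DistinguishedName |
        Where-Object { -not $_.Inherited }
}

$results | Sort-Object Identity, Object | Format-Table -AutoSize
```

Expect to see the principals you delegated with Set-AdmPwdReadPasswordPermission, plus built-in groups such as Domain Admins that hold full control; anything else in the list is a candidate for the ADSI Edit procedure above. Re-run the script after the clean-up, and after any later delegation change, to confirm no unintended reader has reappeared.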