Main Nav

Has anyone come across a good method for changing local administrator passwords on many computers?
I've looked into:
pspasswd from sysinternals
group policy preferences
SCCM scripts

I'm not impressed with how GPP obfuscates the password, scripts are insecure(?) and pspasswd is not very ellegant since it requires the computer to be alive at the time its run.
Any other ideas?
--
Jason Gates
IT Security Consultant
Southern Adventist University

Comments

There are a number of commercial vendor solutions of SAPM (Gartner term – Secure Administrator Password Management) packages to track, set, reset and invalidate local administrator and 'service' accounts across servers :

Cyber-Ark
Lieberman
Symark (PowerKeeper)
CA
Etc…

From: Jason Gates <jasongates@SOUTHERN.EDU>
Reply-To: EDUCAUSE Listserv <SECURITY@LISTSERV.EDUCAUSE.EDU>
Date: Friday, October 5, 2012 12:20 PM
To: EDUCAUSE Listserv <SECURITY@LISTSERV.EDUCAUSE.EDU>
Subject: [SECURITY] Local Administrator password change for many computers

Has anyone come across a good method for changing local administrator passwords on many computers?
I've looked into:
pspasswd from sysinternals
group policy preferences
SCCM scripts

I'm not impressed with how GPP obfuscates the password, scripts are insecure(?) and pspasswd is not very ellegant since it requires the computer to be alive at the time its run.
Any other ideas?
--
Jason Gates
IT Security Consultant
Southern Adventist University

Message from george.chiorescu@provision.ro

Why aren't you using group policy? I saw you looked into it.

George
I was concerned about how GPP stores the credentials. From what I read, any authenticated user could read SYSVOL, and the key used to encrypt the password is easily attainable. 

sources:

--
Jason Gates
IT Security Consultant
Southern Adventist University

I use the "Danish Company PasswordChanger" (DCPC) to mass change passwords.  It looks like the site (http://www.danish-company.com/dcpc) has gone offline and the license agreement says:

 

This program has been released as freeware under the following conditions:

 

1. It is not to be distributed via the internet or via any other media

without the prior approval of the author. In particular, it is not to be

made available from internet sites which promote the illegal

modification of software

 

so I cannot post it for download, but someone did here http://www.billthecomputerguy.com/itsupport and its MD5 sum matches mine.  If you or someone else wants, I can email you the 204 KB zip file.

-Eric

 

 

Eric Case, CISSP

eric (at) ericcase (dot) com

http://www.linkedin.com/in/ericcase

(520) 344-CISO (2476)

 

Close
Close


Annual Conference
September 29–October 2
View Proceedings

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

Close

Digital Badges
Member recognition effort
Earn yours >

Career Center


Leadership and Management Programs

EDUCAUSE Institute
Project Management

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

 

Close
EDUCAUSE organizes its efforts around three IT Focus Areas

 

 

Join These Programs If Your Focus Is

Close

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

 

Close

2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.