
Has anyone come across a good method for changing local administrator passwords on many computers?
I've looked into:
pspasswd from sysinternals
group policy preferences
SCCM scripts

I'm not impressed with how GPP obfuscates the password, scripts are insecure(?) and pspasswd is not very elegant since it requires the computer to be alive at the time it's run.
Any other ideas?
--
Jason Gates
IT Security Consultant
Southern Adventist University

Comments

There are a number of commercial vendor solutions of SAPM (Gartner term – Secure Administrator Password Management) packages to track, set, reset and invalidate local administrator and 'service' accounts across servers:

Cyber-Ark
Lieberman
Symark (PowerKeeper)
CA
Etc…

From: Jason Gates <jasongates@SOUTHERN.EDU>
Reply-To: EDUCAUSE Listserv <SECURITY@LISTSERV.EDUCAUSE.EDU>
Date: Friday, October 5, 2012 12:20 PM
To: EDUCAUSE Listserv <SECURITY@LISTSERV.EDUCAUSE.EDU>
Subject: [SECURITY] Local Administrator password change for many computers


Message from george.chiorescu@provision.ro

Why aren't you using group policy? I saw you looked into it.

George

I was concerned about how GPP stores the credentials. From what I read, any authenticated user could read SYSVOL, and the key used to encrypt the password is easily attainable.

sources:

--
Jason Gates
IT Security Consultant
Southern Adventist University
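
An added example, not part of any message in this thread: a read-only audit that walks a copy or mount of the SYSVOL Policies folder and lists the Group Policy Preferences items that still store a password, which is the exposure described in the reply above. The function name, the file and attribute lists, and the sample XML are assumptions constructed for illustration; the stored value is never printed or decoded.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP files that can hold a cpassword attribute (names compared lower-cased).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
ACCOUNT_ATTRS = ("username", "accountname", "runas")  # looked up lower-cased

# Constructed sample shaped like a GPP Groups.xml; the value is a placeholder.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator" changed="2012-10-05 16:20:00">
    <Properties userName="Administrator" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
  <User name="helpdesk" changed="2012-09-01 09:00:00">
    <Properties userName="helpdesk" cpassword=""/>
  </User>
</Groups>
"""


def find_gpp_cpasswords(root_dir):
    """Return one finding per GPP item under root_dir that stores a password."""
    findings = []
    for path in sorted(Path(root_dir).rglob("*")):
        if not path.is_file() or path.name.lower() not in GPP_FILES:
            continue
        try:
            root = ET.parse(str(path)).getroot()
        except (ET.ParseError, OSError) as exc:
            # Report unreadable files instead of silently skipping them.
            findings.append({"file": str(path), "error": str(exc)})
            continue
        # cpassword sits on <Properties>; "changed" is on the parent item.
        # An empty or absent cpassword means no password is stored there.
        for item in root.iter():
            for props in item:
                attrs = {k.lower(): v for k, v in props.attrib.items()}
                if attrs.get("cpassword"):
                    account = next((attrs[a] for a in ACCOUNT_ATTRS
                                    if attrs.get(a)), "")
                    findings.append({"file": str(path), "item": item.tag,
                                     "account": account,
                                     "changed": item.get("changed", "")})
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
        print(find_gpp_cpasswords(tmp))
```

Any account the audit reports should be treated as having a password readable by every authenticated user, so the setting needs removing from the policy and the password needs changing by another method.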

I use the "Danish Company PasswordChanger" (DCPC) to mass change passwords. It looks like the site (http://www.danish-company.com/dcpc) has gone offline and the license agreement says:

This program has been released as freeware under the following conditions:

1. It is not to be distributed via the internet or via any other media without the prior approval of the author. In particular, it is not to be made available from internet sites which promote the illegal modification of software

so I cannot post it for download, but someone did here http://www.billthecomputerguy.com/itsupport and its MD5 sum matches mine. If you or someone else wants, I can email you the 204 KB zip file.

-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase
(520) 344-CISO (2476)