MS14-025 - Ran into this one today...

Started by Melbosa, December 01, 2014, 04:48:49 PM


Melbosa

https://support.microsoft.com/kb/2962486 - Pain in my ass now to try and manage thousands of Lab computers' local admin passwords...

http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx - So yeah, turns out forever in the Microsoft domains, if you have been using Users/Passwords in GPO to auto assign drives or set local admin accounts, etc., those passwords are stored in AES encrypted plain text on your GPO objects, fully viewable to all in your domain. Not a big deal until you find out you can get that AES encryption hash from MSDN very easily according to this article. Now I understand why MS14-025 exists...

Now I have a big challenge to figure out how to maintain the local Administrator accounts on the domain computers.  I can think of many ways to do it, but none as easy as you used to be able to with a GPO, and definitely not as fun to implement.  Easiest would be to buy software to do it for me but meh, I work for Public Sector so that ain't going to happen easily.

/EndMyDayActivities
Sometimes I Think Before I Type... Sometimes!
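
As an added example (not part of the thread, and not Microsoft's own script), a PowerShell audit for the exposure described in the post above: it walks a Policies tree and lists Group Policy Preference XML entries that still carry a non-empty `cpassword` attribute, without printing or decrypting the value. The function name, the sample GUID and the placeholder attribute value are constructed for illustration.

```powershell
# Added example: list GPP XML entries that still hold a non-empty cpassword.
# The value itself is never printed or decrypted.
function Find-GppCPassword {   # hypothetical name
    param([Parameter(Mandatory)][string]$PoliciesPath)

    # The attribute that names the account differs per preference type.
    $accountAttrs = 'userName', 'accountName', 'runAs', 'username'

    Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $xml = New-Object System.Xml.XmlDocument
            try { $xml.Load($file.FullName) }
            catch { Write-Warning "Skipping unparsable file: $($file.FullName)"; return }

            foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
                # An empty attribute means the password was already cleared.
                if ([string]::IsNullOrEmpty($node.GetAttribute('cpassword'))) { continue }

                $account = $accountAttrs | ForEach-Object { $node.GetAttribute($_) } |
                    Where-Object { $_ } | Select-Object -First 1
                $gpo = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '' }

                [pscustomobject]@{
                    Gpo     = $gpo
                    Setting = $node.ParentNode.Name
                    Account = $account
                    File    = $file.FullName
                }
            }
        }
}

# Constructed sample tree so the function can be tried offline.
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'gpp-audit-sample'
$dir  = Join-Path $root '{00000000-0000-0000-0000-000000000000}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" userName="Administrator (built-in)" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
  <User name="svc-old">
    <Properties action="U" userName="svc-old" cpassword=""/>
  </User>
</Groups>
'@ | Set-Content -Path (Join-Path $dir 'Groups.xml')

Find-GppCPassword -PoliciesPath $root | Format-Table -AutoSize
```

Against a real domain, point `-PoliciesPath` at the domain's SYSVOL Policies folder. Any row returned is a preference item whose stored password should be removed and the affected account's password changed.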

Lazybones

Do you have SCCM? If its user has sufficient rights you should be able to carry out most changes you want locally.

I am actually more curious as to the impact on scheduled tasks / creation of scheduled tasks...

Melbosa

SCCM might work. Unfortunately a completely different set of teams and access level between GPO and SCCM at Nait. But will look into what I can do through it.
Sometimes I Think Before I Type... Sometimes!

Lazybones

Quote from: Melbosa on December 01, 2014, 05:43:23 PM
SCCM might work. Unfortunately a completely different set of teams and access level between GPO and SCCM at Nait. But will look into what I can do through it.

The bigger you are the harder it is to get anything done.. :)