Local admin password management solution

The local admin password management solution works using a GPO and a custom client-side GPO extension (CSE). The solution periodically changes the password of the built-in admin account to a random value and stores the current password in a confidential attribute of the computer account in AD.

4.6 Star (58)
11/26/2016


  • Could not write changed password to AD. Error 0x80070010
    2 Posts | Last post April 20, 2015
    • Just curious if anyone else found a way to get servers in a perimeter to update their password?  I have some that do in the perimeter and some that do not.  A mix of Server 2008 R2 and Server 2012R2.
      
      thanks!
      Franz
    • Hi Franz,
      this is due to RODC; RODC support will be in the upcoming version, to be released this month; I will post an update here once it's out
      
      Jiri
  • Password issue
    2 Posts | Last post April 12, 2015
    • I am experiencing an issue: I did try to use the password which is reflected under the Adsiedit.msc console; it works on the first attempt on Windows XP, however when I tried to use it again the next day, it is not working.
      
      For Windows 7, the password is getting updated in the Adsiedit.msc console, however it is not working on the Windows 7 box.
      
      May I get some troubleshooting tips to solve this?
      
      One more query: if we change the password from administrative tools like the lusrmgr.msc console, will it be reflected in the tool as well or not?
    • Hello,
      the password reported to AD is in sync with the real password on the admin account as long as no one changes the admin password directly. A direct change of the password is not reported to AD. The solution design is that only the solution itself is expected to manage the admin password, via automatic reset after its age expires.
      
      I'm thinking of detection and handling of direct admin password resets, but it may be there in some vNext
      
      Thanks for interest in my solution,
      Jiri
  • OU-Name in Powershell
    4 Posts | Last post April 12, 2015
    • Hi,
      
      would it be possible to change that to the OU DN instead of the name? If one has the same name on more than one OU the script fails.
      Used in Set-AdmPwdComputerSelfPermission -Identity and Set-AdmPwdComputerSelfPermission -OrgUnit
      
      Regards
      Norbert
    • I got the same error; ended up having to use the OU distinguished name (i.e. "ou=computers,OU=company,DC=com") and apply separately for each OU which had the same name; didn't want to apply this on a parent OU as we have sub OUs that don't hold computers
    • Thanks, I forgot the quotation marks. ;)
    • Yes, the cmdlet supports passing the identity of the OU as a DN to avoid duplicates. When a duplicate is detected, it just lists all duplicates found, so one can choose the proper DN and pass it. The DN must be enclosed in quotation marks
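      The following is an added example, not code from this thread or from the AdmPwd solution itself. It resolves an OU by name with the ActiveDirectory module, lists every match when the name is ambiguous (the situation Norbert describes), and only then delegates the computer self-permission on an explicitly chosen distinguished name. It assumes the ActiveDirectory and AdmPwd.PS modules are installed and that the account running it may modify the OU's ACL; $OuName is a constructed example value.

```powershell
# Added example, not code from the original thread or from the AdmPwd solution itself.
# Resolves an OU by name, lists every match when the name is ambiguous, and delegates
# the computer self-write permission on an explicitly chosen distinguished name.
# Assumptions: the ActiveDirectory and AdmPwd.PS modules are installed and the caller
# may modify the OU's ACL; $OuName is a constructed example value.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$OuName = 'Computers'

# Collect the DN of every OU with that name. Use a dedicated variable name, not
# $Matches, which PowerShell reserves for -match results.
$ouDns = @(Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" |
           Select-Object -ExpandProperty DistinguishedName)

if ($ouDns.Count -eq 0) {
    throw "No OU named '$OuName' was found."
}
if ($ouDns.Count -gt 1) {
    # Same situation the cmdlet reports: several OUs share the name. Show them and stop,
    # so the caller re-runs with the exact DN rather than delegating on a parent OU.
    Write-Warning "OU name '$OuName' is ambiguous; pass -OrgUnit with one of these DNs (quoted):"
    $ouDns | ForEach-Object { Write-Warning "  `"$_`"" }
    return
}

$targetDn = $ouDns[0]

# The DN contains commas, so at an interactive prompt it must be quoted. A variable
# passed as a single argument is already one token; the quotes here just make that visible.
Set-AdmPwdComputerSelfPermission -OrgUnit "$targetDn"
```

      Stopping on an ambiguous name, rather than picking the first match, is deliberate: delegating self-write on the wrong OU lets the wrong set of computer accounts publish passwords into AD.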
  • Client Logging
    2 Posts | Last post April 12, 2015
    • Hi,
      
      I would suggest that client logging should be a configurable option via GPO. Can this be added to the admx file?
      
      Regards
      Norbert
    • Hello,
      client logging is designed to be a per-machine setting for troubleshooting purposes, so it's not part of the policy.
      You can create your own ADMX file that sets the desired logging level, if you need to.
      
      Best regards,
      Jiri
  • Could not write changed password to AD. Error 0x80070010.
    6 Posts | Last post April 08, 2015
    • We have many servers with this solution deployed, but some of them can't report the password to AD (in different sites of AD).
    • Hello,
      in this case, the client reports the error to the local Application event log (the source of the event is AdmPwd). Typically the error code reported is 0x80070032, which means "Insufficient privileges".
      What is the error code in your case?
      
      Thanks for using my solution,
      Jiri
    • Event ID 7
      Could not write changed password to AD. Error 0x80070010.
      
    • Hello, this is error LDAP_NO_SUCH_ATTRIBUTE.
      As other machines work fine, I guess that the solution's AD schema update is in place.
      
      The explanation could be that there is an RODC in the environment and the machine talks to the RODC. When the attribute is in the RODC filtered attribute set and an application sends an update, the RODC does not respond with a referral, but rather returns this error.
      RODC handling is fixed in the upcoming version of the solution.
      
      May this be your case? If so, and you're interested in testing the pre-release version, please let me know at admpwd (at) hotmail.com
      
      Thanks for using my solution,
      Jiri
    • I sent a message.
      Strange: some servers in an OU with only an RODC are able to send updates to attributes
    • Hi Jiri - I'm also getting the same error from our PCs located in RODC sites. Does the pre-release version's RODC solution leave the ms-mcs-admpwd attribute in the RODC FAS? It would be better security to leave the attribute out of RODCs, thanks
      
      I've emailed you; much appreciated if I can try the RODC fix, thanks
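      The following is an added example, not code from this thread or from the AdmPwd solution itself. Run on an affected client, it reads the AdmPwd Event ID 7 entries ("Could not write changed password to AD") from the Application log, extracts the HRESULT from the message text and translates the two codes this thread explains, then reports whether the domain controller the machine located is read-only, which is the explanation given above for 0x80070010. It assumes the event source name 'AdmPwd' and Event ID 7 as stated in the thread, limits the code table to what the thread itself says, and assumes the ActiveDirectory module is present on the client for the RODC check.

```powershell
# Added example, not code from the original thread or from the AdmPwd solution itself.
# Reads AdmPwd Event ID 7 entries from the Application log, extracts the HRESULT and
# translates the two codes this thread explains, then checks whether the located DC is
# read-only. Assumptions: event source 'AdmPwd' and ID 7 as stated in the thread; the
# code table only covers what the thread says; ActiveDirectory module available on the client.
$knownCodes = @{
    '0x80070010' = 'LDAP_NO_SUCH_ATTRIBUTE: DC does not expose the attribute; consistent with an RODC whose filtered attribute set contains ms-Mcs-AdmPwd'
    '0x80070032' = 'Insufficient privileges (as explained in this thread)'
}

function Get-AdmPwdWriteFailure {
    # -ErrorAction keeps the function quiet when there are no such events on the machine.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd'; Id = 7 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Message text in the thread reads "Could not write changed password to AD. Error 0x80070010."
        if ($e.Message -match 'Error (0x[0-9A-Fa-f]{8})') {
            $code = $Matches[1].ToLower()
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Code        = $code
                Meaning     = if ($knownCodes.ContainsKey($code)) { $knownCodes[$code] } else { 'not covered in this thread' }
            }
        }
    }
}

Get-AdmPwdWriteFailure | Format-Table -AutoSize

# RODC check: the thread attributes 0x80070010 to the client talking to an RODC.
$dc = Get-ADDomainController -Discover -ErrorAction SilentlyContinue
if ($dc) {
    "Located DC: $($dc.HostName)  IsReadOnly: $($dc.IsReadOnly)"
}
```

      A machine that reports 0x80070010 while IsReadOnly is True matches the RODC explanation in this thread; a machine reporting 0x80070032 points at the permission delegation rather than at the DC.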
  • Password not working properly
    1 Posts | Last post April 08, 2015
    • I am experiencing an issue: I did try to use the password which is reflected under the Adsiedit.msc console; it works on the first attempt on Windows XP, however when I tried to use it again the next day, it is not working.
      
      For Windows 7, the password is getting updated in the Adsiedit.msc console, however it is not working on the Windows 7 box.
      
      May I get some troubleshooting tips to solve this?
      
      One more query: if we change the password from administrative tools like the lusrmgr.msc console, will it be reflected in the tool as well or not?
      
  • Password not working properly
    1 Posts | Last post April 08, 2015
    • Hi Jiri,
      
      Thanks for your reply on my last post, which was as given below, and I was able to get out of this via enabling the CSE from GPO settings and providing permissions.
      
      I am experiencing an issue: I did try to use the password which is reflected under the Adsiedit.msc console; it works on the first attempt on Windows XP, however when I tried to use it again the next day, it is not working.
      
      For Windows 7, the password is getting updated in the Adsiedit.msc console, however it is not working on the Windows 7 box.
      
      May I get some troubleshooting tips to solve this?
      
      One more query: if we change the password from administrative tools like the lusrmgr.msc console, will it be reflected in the tool as well or not?
      
  • UI usage question or feedback
    2 Posts | Last post March 11, 2015
    • We would like to know what the downsides are of resetting the password daily?
      Also,
      is it possible, when someone does a search for it, to automatically do a set for the current time plus 24 hours?
      
      John
    • Hello,
      daily password reset shall be aligned with the GPO refresh interval - if the GPO refresh interval is too slow, the password may be active longer than expected. AD traffic is slightly higher, but I do not consider this to be a problem.
      Your usage scenario needs to support this short password lifetime.
      What is the reason you would want a daily password reset?
      
      Automatic reset of the password after read may be possible to implement in the solution tools. However, one needs to realize that the password may be read by other tools as well (dsa.msc, adsiedit, ...) when the user has permissions, so no guarantee can be given that every password read would cause an automatic password reset.
      
      Hope this helps,
      Jiri
  • Missing computer attributes
    2 Posts | Last post March 09, 2015
    • We have set this up in our production environment and are missing the ms-mcs-admpwd and ms-mcs-admpwdexpirationtime attributes on our computer accounts. Could this be due to having a forest and a child domain? I don't see the attributes at either level.
      
    • Sorry, I was mistaken. Replication just took a while longer than anticipated.
  • AdmPwdReadPasswordPermission -- Object not found
    2 Posts | Last post March 06, 2015
    • After I import the module ("Import-Module AdmPwd.PS") and try to run the following command, I get an error. Please help:
      
      Windows PowerShell
      Copyright (C) 2009 Microsoft Corporation. All rights reserved.
      
      PS C:\Users\a-rnigam.NA> Import-module AdmPwd.PS
      PS C:\Users\a-rnigam.NA> Set-AdmPwdReadPasswordPermission -OrgUnit "OU=XXX,OU=XXX,OU=XXX,DC=XX,DC=XX,DC=XX" -AllowedPrincipals XXXXXXXX
      Set-AdmPwdReadPasswordPermission : Object not found
      At line:1 char:33
      + Set-AdmPwdReadPasswordPermission <<<<  -OrgUnit "OU=XXX,OU=XXX,OU=XXX,DC=XX,DC=XX,DC=XX"
      -AllowedPrincipals XXXXXXXX
          + CategoryInfo          : NotSpecified: (:) [Set-AdmPwdReadPasswordPermission], Exception
          + FullyQualifiedErrorId : System.Exception,AdmPwd.PS.DelegateReadPasswordPermission
      
      PS C:\Users\a-rnigam.NA>
    • Hello,
      this error is typically seen when you run cmdlets that delegate permissions before extending the AD schema via Update-AdmPwdADSchema.
      Can this be your case as well?
      
      Thanks,
      Jiri
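      The following is an added example, not code from this thread or from the AdmPwd solution itself. It covers the two ordering problems on this page: the "Object not found" error here, which the answer attributes to delegating permissions before the schema extension, and the "Missing computer attributes" thread above, where the attributes simply had not replicated yet. The script checks the schema partition for the attribute names given on this page before it runs the delegation cmdlets. It assumes the ActiveDirectory and AdmPwd.PS modules are installed; the OU DN and the group name are constructed placeholders.

```powershell
# Added example, not code from the original thread or from the AdmPwd solution itself.
# Verifies that the AdmPwd schema extension is present (and has replicated to the DC we
# are talking to) before running the delegation cmdlets from this thread.
# Assumptions: attribute names ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime as named
# elsewhere on this page; ActiveDirectory and AdmPwd.PS modules installed; the OU DN and
# group below are constructed placeholders.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$schemaNc = (Get-ADRootDSE).schemaNamingContext
$required = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'

# Look each attribute up by its lDAPDisplayName in the schema partition.
$missing = foreach ($name in $required) {
    $attr = Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq '$name'"
    if (-not $attr) { $name }
}

if ($missing) {
    # Either Update-AdmPwdADSchema was never run, or it ran on another DC and has not
    # replicated here yet (the situation in the "Missing computer attributes" thread).
    Write-Warning ("Schema attributes missing on this DC: {0}. Run Update-AdmPwdADSchema " +
                   "(Schema Admins rights) and wait for replication before delegating.") -f ($missing -join ', ')
    return
}

# Schema is in place, so the delegation cmdlets from this thread can succeed.
$ou    = 'OU=Workstations,DC=example,DC=com'   # constructed placeholder DN
$group = 'EXAMPLE\Helpdesk-Admins'             # constructed placeholder principal

Set-AdmPwdComputerSelfPermission -OrgUnit $ou
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $group
```

      Running the check against the same DC you then delegate on matters: a schema extension that has replicated to one DC but not another produces exactly the inconsistent picture described in the "Missing computer attributes" thread.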