• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

Local Admin password management

S

Shambler

Supreme [H]ardness
Joined
Aug 17, 2005
Messages
6,419
I've recently switched jobs and at this new company, there is no standard or management policy for local admin passwords.
I'm trying to change that and wanted to get some ideas from [H].

So, Networking & Security crew, how do you management Local Admin passwords?
 
we don't "manage" them, per se.
That password hardly ever changes.
It's changed once in the almost 5 yrs I've been here.

To change it on all the machines, though, we used Hyena.
 
I have been doing a lot CyberArk and Quest(DELL) TPAM implementations for clients over the past two years.

But depending on the size of your company that may not be feasible.
 
Group policy that runs a batch script containing "NET USER administrator %1" the GPO passes a parameter to the script containing the password to be set.
 
You want admin account names and passwords that are unique to each machine. You want them to be easy for a human to remember but difficult for malware to figure out.

For example, you might have a local admin account of admin_%computername% with a password of pwd_%computername%_%year%. Easy for a human; hugely difficult for malware.
 
And your can push the Local Admin password via GPO also so you don't have to expose things via scripts
 
We use Symantec Altiris. It generates a new local admin account on the systems every few hours, then we use a webgui to pull down the password when we need it.

...But we're ginormous and can kill the Alitris server with client volume like it's np.
 
We used Keepass for all our passwords in my last place
 
Last edited:
Company I work for just gives everyone Admin right, so it doesn't matter.

But local admin account is part of the base image, and does not change with any regularity.
 
thedocta45 said:
Company I work for just gives everyone Admin right, so it doesn't matter.

But local admin account is part of the base image, and does not change with any regularity.
Click to expand...

On your local PC or on the Servers?

My company allows everyone to run their own image and join the domain, but I do not have domain admin privileges nor do we have any access to servers.
 
push a group called "local admins" to administrator group via gpo to all domain machines. If it's a workgroup setup do it with psexec \\computername net user administrator password or with powershell

$strcomputers = Get-Content c:\servers.txt
foreach ($strcomputer in $strcomputers) {
$admin=[adsi]("WinNT://" + $strComputer + "/administrator, user")
$admin.psbase.invoke("SetPassword", "Whatever1")
}

put a list of computers in C:\scripts\servers.txt save the above as a .ps1. Open powershell and C:\scripts\changepassword.ps1 > output.txt should give you a confirmed for each pc.
 
/usr/home said:
:eek:

Wow. Why??
Click to expand...

That's a very good question.

From my understanding its because HP who manages our IT said that was how to do it, and because no one worked for the IT department at the time it was accepted.

As for server access, I am not sure, but I would assume from my experience that servers are more tightly regulated.

Its a nightmare, we had a depot that was running their inventory software on a 12 year old shareware program, and then it crashed.

When we attempted to recover the database, we looked to contact the company only to find they had been out of business for 8 years.
 
You must log in or register to reply here.
Back
Top