Group Policy script protection


Matt

We have an environment with 17,000 PCs on which we periodically change the
local administrator password with a VBScript using Group Policy.

Does anyone know a way to hide the new password in the script in case a user
navigates to the policy script file and opens it and reads it?

We have tried the MS Script Encoder to change the .vbs file to .vbe, but there
is simple code on the internet that enables you to read it anyway.
 

Alun Jones

"Matt" <Matt@discussions.microsoft.com> wrote in message
news:1ECD1CA7-B9F7-402D-9928-0939D40E6922@microsoft.com...
> We have an environment with 17,000 PCs on which we periodically change the
> local administrator password with a VBScript using Group Policy.
>
> Does anyone know a way to hide the new password in the script in case a
> user
> navigates to the policy script file and opens it and reads it?
>
> We have tried the MS Script Encoder to change the .vbs file to .vbe, but
> there
> is simple code on the internet that enables you to read it anyway.


No, there's really no good way to do this. However, rather than doing this
through a pull method, why not push the password change out? Any 'pull'
method is going to require that the machine doing the pulling can read the
password, whether it's in a script or hard-coded into an executable.

As a developer, I know the NetUserChangePassword function is what I would
use to do this.

For a script writer, you probably want to do something like the advice
quoted in
http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1015.mspx,
except you really want to use ChangePassword, instead of SetPassword - you
know the old password, which is required by ChangePassword. If you call
SetPassword, you are forcing a password to be set, which has the nasty
side-effect of making your DPAPI-protected information (private keys, etc)
inaccessible.

Alun.
~~~~
 

Florian Frommherz [MVP]

Howdie Matt!

Matt schrieb:
> Does anyone know a way to hide the new password in the script in case a user
> navigates to the policy script file and opens it and reads it?


I wouldn't do that locally on the machines. Try using a remote script
that changes the admin passwords on the machines for you:

http://www.frickelsoft.net/blog/?p=59

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
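Both Alun and Florian recommend pushing the change out from a management host instead of shipping the password inside a SYSVOL script. The following is an added example, not code from the thread or from either author's blog: it rotates the local Administrator password on a list of machines over the ADSI WinNT provider. It calls IADsUser.ChangePassword, which requires the current password and so leaves the account's DPAPI master keys usable (Alun's point; on the WinNT provider this sits on top of the NetUserChangePassword API he names), and only falls back to the forced SetPassword reset when you explicitly allow it. The file names computers.txt and rotation-log.csv are placeholders; it assumes you run it as an account that is a local administrator on the targets and that RPC/SMB is reachable.

```powershell
# Added example (not from the thread): push-style rotation of the local
# Administrator password from a management host, so the new password never
# sits in a script under SYSVOL. ChangePassword needs the current password and
# keeps DPAPI-protected data intact; SetPassword is a forced reset and is only
# attempted when -AllowSetPassword is given.
# Assumptions: run as a local administrator of the targets; computers.txt
# (one hostname per line) and rotation-log.csv are placeholder file names.
param(
    [string]$ComputerList = '.\computers.txt',
    [string]$Account = 'Administrator',
    [string]$LogPath = '.\rotation-log.csv',
    [switch]$AllowSetPassword
)

$oldSecure = Read-Host -Prompt 'Current local admin password' -AsSecureString
$newSecure = Read-Host -Prompt 'New local admin password' -AsSecureString

function ConvertTo-PlainText([System.Security.SecureString]$s) {
    # ADSI needs a plain string; it only ever exists in this process's memory.
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}
$old = ConvertTo-PlainText $oldSecure
$new = ConvertTo-PlainText $newSecure

$results = foreach ($computer in Get-Content -Path $ComputerList) {
    $status = 'failed'
    $detail = ''
    try {
        $user = [ADSI]"WinNT://$computer/$Account,user"
        # Requires the old password; the account's DPAPI master keys stay usable.
        $user.ChangePassword($old, $new)
        $status = 'changed'
    }
    catch {
        $detail = $_.Exception.Message
        if ($AllowSetPassword) {
            try {
                # Forced reset: works without the old password but makes this
                # account's DPAPI-protected data (EFS keys, saved credentials)
                # unreadable, which is the side effect Alun warns about.
                $user.SetPassword($new)
                $status = 'reset'
            }
            catch { $detail = $_.Exception.Message }
        }
    }
    [pscustomobject]@{
        Computer = $computer
        Status   = $status
        Detail   = $detail
        When     = Get-Date -Format o
    }
}

# The per-machine log is the "which machines have the old and which the new
# password" tracking that a scheduled pull script cannot give you.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object -Property Status | Select-Object Name, Count
```

Run it from a host that can reach every client; machines that are off or unreachable show up as `failed` in the CSV and can be retried on the next pass. A machine whose current password no longer matches `$old` (for example one that missed a previous rotation) also fails ChangePassword, and that is the one case where the `-AllowSetPassword` reset is the honest choice, with the DPAPI loss accepted. Note that if the `[ADSI]` bind itself fails, `$user` is empty and the fallback fails too, so the host still ends up logged as `failed` rather than silently skipped.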
 

Roger Abell [MVP]

Hi,

You have already, with 17,000 boxes, run into the issue of
tracking which machines have old and which new password.

There are alternatives to "enhance" the non-protection of the
trivial uuencoding of the script obfuscator. The main one comes
from recognizing that the script used is a startup/shutdown
script that is run as the System account, and so the permissions
on the script in Syslogon need a grant to Domain Computers,
not to anything that includes Domain Users. With that change
someone needs to first have an execution context that is running
as Local System on their domain-joined computer in order to
see that the script is encoded.

Roger

"Matt" <Matt@discussions.microsoft.com> wrote in message
news:1ECD1CA7-B9F7-402D-9928-0939D40E6922@microsoft.com...
> We have an environment with 17,000 PCs on which we periodically change the
> local administrator password with a VBScript using Group Policy.
>
> Does anyone know a way to hide the new password in the script in case a
> user
> navigates to the policy script file and opens it and reads it?
>
> We have tried the MS Script Encoder to change the .vbs file to .vbe, but
> there
> is simple code on the internet that enables you to read it anyway.
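Roger's mitigation, as an added example that is not part of his post: a startup script runs as SYSTEM and is fetched from SYSVOL with the computer account, so the script file only needs to be readable by Domain Computers (plus administrators and SYSTEM), and the Authenticated Users / Domain Users read grants inherited from the GPO folder can go. The UNC path, GPO GUID, domain name and script name below are placeholders; it assumes you run it as a domain administrator.

```powershell
# Added example (not from the thread): restrict read access on the startup
# script itself so ordinary users cannot open it, while computer accounts
# (used by the SYSTEM-context startup script) can still read and run it.
# The path, GPO GUID, domain and script name are placeholders.
param(
    [string]$Script = '\\contoso.example\SYSVOL\contoso.example\Policies\{GPO-GUID}\Machine\Scripts\Startup\setpw.vbs',
    [string]$Domain = 'CONTOSO'
)

# Pass 1: stop inheriting the GPO folder's ACL, but keep copies of the
# inherited entries so Domain Admins and SYSTEM retain their access.
$acl = Get-Acl -Path $Script
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Script -AclObject $acl

# Pass 2: re-read the now-explicit entries, drop the grants that include
# ordinary users, and add a read grant for Domain Computers.
$acl = Get-Acl -Path $Script
foreach ($name in 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone', "$Domain\Domain Users") {
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$name)
}
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\Domain Computers", 'ReadAndExecute', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Script -AclObject $acl

# Check: list who can still read the script after the change.
(Get-Acl -Path $Script).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Two checks are worth doing afterwards: open the UNC path from a workstation as a standard user and confirm access is denied, and reboot a test client to confirm the startup script still runs. The change is deliberately limited to the script file rather than the GPO folder, because GPMC compares the GPO folder's ACL with the GPO object in AD and flags a mismatch; verify in GPMC that the policy still shows no permission warning. As Roger says, this only raises the bar: anyone who is a local administrator on a domain member, or who otherwise runs as Local System, can still read the file, and the password is still stored in clear text in SYSVOL.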
 