Security bulletin MS14-025 describes the removal of the ability to store passwords in Group Policy Objects. This matters if you have installed the update on the machines where you edit your Group Policy Objects. This is only the first post on the topic, because several of our customers are currently searching for solutions.
Part 1 – Background Information (This Post)
Part 2 – Solution Overview and installing netECM:MiniWebservice
Part 3 – Creating ConfigMgr Settings Item
Part 4 – Retrieve the passwords with PowerShell
Background
The following Group Policy Preferences will no longer allow user names and passwords to be saved:
- Drive Maps
- Local Users and Groups
- Scheduled Tasks
- Services
- Data Sources
This will affect the behavior of any existing Group Policy Objects (GPOs) in your environment that rely on passwords that are contained in these preferences. It will also prevent creating new Group Policy Preferences by using this functionality.
The important changes are:
- Password fields in all affected preferences are disabled. Administrators cannot create new preferences by using these password fields.
- The username field is disabled in some preferences.
- Existing preferences that contain a password cannot be updated. They can only be deleted or disabled, as appropriate for the specific preference.
- The behavior for Delete and Disable actions has not changed for the preferences.
- When an administrator opens any preference that contains the CPassword attribute, the administrator receives the following warning dialog box to inform him or her of the recent deprecation. Attempts to save changes to new or existing preferences that require the CPassword attribute will trigger the same dialog box. Only Delete and Disable actions will not trigger warning dialog boxes.
(Source: http://support.microsoft.com/kb/2962486/en-us)
This means you should search for a new way to set passwords on computers for various objects.
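To see which existing preferences are affected, you can inventory the preference XML files that still carry a non-empty CPassword attribute. The following is an added example, not code from the original post or from the Microsoft KB article; the function name, the constructed sample tree, the list of account attribute names and the SYSVOL path placeholder are assumptions.

```powershell
# Added example: inventory GPP items that still carry a cpassword attribute.
# Only the location is reported; the attribute value is never output or decoded.
function Find-GppCPassword {
    param([Parameter(Mandatory = $true)][string]$PoliciesPath)

    Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $xml  = New-Object System.Xml.XmlDocument
            try { $xml.Load($file.FullName) }      # Load() honours the file's encoding declaration
            catch { Write-Warning "Skipping unreadable XML: $($file.FullName)"; return }

            $gpo = if ($file.FullName -match '\{[0-9a-f-]{36}\}') { $Matches[0] } else { '' }
            foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
                # Items created without a password keep an empty attribute; skip those
                if ([string]::IsNullOrEmpty($node.GetAttribute('cpassword'))) { continue }
                # Account attribute names differ per preference type (assumed list)
                $account = foreach ($a in 'userName', 'username', 'accountName', 'runAs') {
                    if ($node.HasAttribute($a)) { $node.GetAttribute($a); break }
                }
                [pscustomobject]@{
                    GpoGuid    = $gpo
                    Preference = $file.BaseName     # Groups, Drives, Services, ...
                    Item       = $node.ParentNode.GetAttribute('name')
                    Account    = $account
                    File       = $file.FullName
                }
            }
        }
}

# Constructed sample tree (made-up GUID, placeholder value) so the function runs offline
$root = Join-Path $env:TEMP 'gpp-sample\Policies'
$dir  = Join-Path $root '{11111111-2222-3333-4444-555555555555}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER" />
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml') -Encoding UTF8

Find-GppCPassword -PoliciesPath $root | Format-Table GpoGuid, Preference, Item, Account
# Real use (placeholder path): Find-GppCPassword -PoliciesPath '\\<domain>\SYSVOL\<domain>\Policies'
```

Each row it returns is a preference item that can now only be deleted or disabled, so the list doubles as the work queue for moving those accounts to another password mechanism.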
Solutions
Microsoft provides some basic scripts to set passwords with remote PowerShell, but these approaches always need the clients to be online. I will try to figure out some better solutions over the next few weeks.
There are also various tools available on the market, but I like to do it with free resources and/or built-in functions of ConfigMgr and Windows.
If you already have solutions to manage local user passwords without GPOs, share your solution on Twitter with @netECM. Thank you!!!