Security bulletin MS14-025 describes the removal of the ability to store passwords in Group Policy Objects. This matters if you have installed the update on the machines where you edit your Group Policy Objects. This is only the first post on this topic, because several of our customers are currently searching for solutions.
Part 1 – Background Information (This Post)
Part 2 – Solution Overview and installing netECM:MiniWebservice
Part 3 – Creating ConfigMgr Settings Item
Part 4 – Retrieve the passwords with PowerShell
The following Group Policy Preferences will no longer allow user names and passwords to be saved:
- Drive Maps
- Local Users and Groups
- Scheduled Tasks
- Data Sources
This will affect the behavior of any existing Group Policy Objects (GPOs) in your environment that rely on passwords that are contained in these preferences. It will also prevent creating new Group Policy Preferences by using this functionality.
The important changes are:
- Password fields in all affected preferences are disabled. Administrators cannot create new preferences by using these password fields.
- The username field is disabled in some preferences.
- Existing preferences that contain a password cannot be updated. They can only be deleted or disabled, as appropriate for the specific preference.
- The behavior for Delete and Disable actions has not changed for the preferences.
- When an administrator opens any preference that contains the CPassword attribute, the administrator receives the following warning dialog box to inform him or her of the recent deprecation. Attempts to save changes to new or existing preferences that require the CPassword attribute will trigger the same dialog box. Only Delete and Disable actions will not trigger warning dialog boxes.
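Before replacing anything, it helps to know which existing GPOs still contain a stored password. The following read-only audit is an added example, not code from this post or from Microsoft. The function name `Find-GppCPassword`, the lower-case `cpassword` and `userName` attribute names, the folder layout and the sample XML are assumptions or constructed for illustration.

```powershell
# Added example: read-only audit for preference XML files that still carry a
# non-empty cpassword attribute. Reports where it is, never the value itself.
function Find-GppCPassword {
    param(
        [Parameter(Mandatory = $true)]
        [string]$PoliciesPath   # assumption: a SYSVOL "Policies" folder or a copy of one
    )
    # Case-insensitive match on the attribute name (XPath 1.0 has no lower-case()).
    $xpath = "//@*[translate(local-name(),'CPASWORD','cpasword')='cpassword']"
    Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.xml -File |
        ForEach-Object {
            $file = $_
            try {
                $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop)
            } catch {
                Write-Warning "Skipping unreadable XML: $($file.FullName)"
                return
            }
            foreach ($attr in $xml.SelectNodes($xpath)) {
                if ([string]::IsNullOrEmpty($attr.Value)) { continue }
                $props = $attr.OwnerElement   # usually <Properties>
                $item  = $props.ParentNode    # the preference item, e.g. <User> or <Drive>
                $isEl  = $item -is [System.Xml.XmlElement]
                [pscustomobject]@{
                    GpoGuid  = [regex]::Match($file.FullName, '\{[0-9A-Fa-f-]{36}\}').Value
                    ItemType = if ($isEl) { $item.LocalName } else { $props.LocalName }
                    ItemName = if ($isEl) { $item.GetAttribute('name') } else { '' }
                    UserName = $props.GetAttribute('userName')   # empty if not present
                    File     = $file.FullName
                }
            }
        }
}

# Constructed sample so the function can be tried offline (not real GPO data).
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
$dir  = Join-Path $root '{00000000-0000-0000-0000-000000000000}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<Groups>
  <User name="LocalAdmin (constructed)">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER" />
  </User>
  <User name="NoPassword (constructed)">
    <Properties action="U" userName="Guest" cpassword="" />
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml')
Find-GppCPassword -PoliciesPath $root | Format-Table -AutoSize
```

On the constructed sample this lists only the first `User` item, because the second has an empty attribute. Every hit is a preference that, as described above, can now only be deleted or disabled.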
This means you should search for a new way to set passwords on computers for various objects.
Microsoft provides some basic scripts to set passwords with remote PowerShell, but these approaches always need the clients to be online. I will try to figure out some better solutions over the next few weeks.
There are also various tools available on the market, but I like to do it with free resources and/or built-in functions of ConfigMgr and Windows.
If you already have solutions to manage local user passwords without GPOs, share your solution on Twitter with @netECM. Thank you!!!