Saw something pointed out today about the security implications by one of the 
GPO MVPs that you might want to consider....

http://blogs.technet.com/b/grouppolicy/archive/2008/08/04/passwords-in-group-policy-preferences.aspx



From: David Lum [mailto:david....@nwea.org]
Sent: Thursday, January 05, 2012 2:55 PM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

Right! Two months ago one of the SE's here was saying we need to upgrade to 
2008 DC's to manage Win7/2K8 systems...and was surprised when I told him the 
same thing you just said :)

"RSAT dude"

Dave

From: James Hill [mailto:falc...@gmail.com]
Sent: Thursday, January 05, 2012 2:19 PM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

That's one of the great things about GPP.  It came with Server 2008 but with 
the CSE's you just need a Vista/Win7 machine to manage them.  No need to 
upgrade everything.

From: David Lum [mailto:david....@nwea.org]
Sent: Friday, 6 January 2012 3:12 AM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

Damn...you guys make me look good, that was it!

Just approved me a non-critical update in WSUS to take care of that on my 
servers...:)

Dave

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Thursday, January 05, 2012 8:31 AM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

The 2003 servers don't have the latest updates for GPP installed would be my 
bet.

From: David Lum [mailto:david....@nwea.org]
Sent: Thursday, January 05, 2012 11:30 AM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

Any reason this wouldn't work with 2003 servers? They don't seem to be picking 
it up. W2K8 is no problemo...

I copied the GPO we use that works on XP/Win7 and modified it to point to the 
added account and server OU only, no WMI filtering is on.

From: James Hill [mailto:falc...@gmail.com]
Sent: Wednesday, January 04, 2012 12:25 PM
To: NT System Admin Issues
Subject: RE: GPO reset of local non-builtin accounts

There certainly is (with GPP).  It can be used to create, update or delete 
local users.

Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups

Create a new Local User and fill in the details:-

This is a great GPP to do a domain wide change of the local Admin password as 
well.  Very handy when you have an IT staff member resign who knows the local 
admin password.

James.


From: David Lum [mailto:david....@nwea.org]
Sent: Thursday, 5 January 2012 4:14 AM
To: NT System Admin Issues
Subject: GPO reset of local non-builtin accounts

Is there a way to GPO a password change of added-in local machine accounts if 
the account is the same across all systems? I can do it easily enough with the 
BuiltIn ones, but see no GPO way to do added ones.
David Lum
Systems Engineer // NWEA™
Office 503.548.5229 // Cell (voice/text) 503.267.9764


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
