Re: GPO reset of local non-builtin accounts

2012-01-06 Thread Ben Scott
On Fri, Jan 6, 2012 at 6:56 PM, Crawford, Scott wrote: > I think so.  I've done it on several occasions and not run into issues. Cool. Good to know. :) If it causes trouble, I'll just blame you. ;-) -- Ben

RE: GPO reset of local non-builtin accounts

2012-01-06 Thread Crawford, Scott
can change the perms under the Delegations tab instead of directly on the policy folder. -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Friday, January 06, 2012 4:39 PM To: NT System Admin Issues Subject: Re: GPO reset of local non-builtin accounts On Fri, Jan 6,

Re: GPO reset of local non-builtin accounts

2012-01-06 Thread Ben Scott
On Fri, Jan 6, 2012 at 5:08 PM, Crawford, Scott wrote: > One thing that might be satisfactory is to restrict access on > the GPO to Domain Computers (or some subset) instead > of Authenticated Users or Domain Users. Is that, for lack of a better word, "safe"? In other words, is it likely to ca

RE: GPO reset of local non-builtin accounts

2012-01-06 Thread Crawford, Scott
asily impersonate that computer, but hopefully that will be fairly limited. -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Friday, January 06, 2012 2:56 PM To: NT System Admin Issues Subject: Re: GPO reset of local non-builtin accounts On Fri, Jan 6, 2012 at 9:

Re: GPO reset of local non-builtin accounts

2012-01-06 Thread Ben Scott
On Fri, Jan 6, 2012 at 9:31 AM, David Lum wrote: > A casual user won’t be perusing Sysvol, and they’ll be > even less casual if they can figure out how to get at the password. The problem is, this is an obvious target, since it's a facility in the world's most common operating system. I'm sure

RE: GPO reset of local non-builtin accounts

2012-01-06 Thread David Lum
[mailto:mr...@ephrataschools.org] Sent: Friday, January 06, 2012 8:50 AM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts Please educate me: Why do you want to have a local account? What's the benefit? --Matt Ross Ephrata School District - Original Message -

RE: GPO reset of local non-builtin accounts

2012-01-06 Thread Matthew W. Ross
06:31:13 -0800 Subject: RE: GPO reset of local non-builtin accounts > Damn...and I used to be cool, for a day. How big is this risk in reality? A > casual user won't be perusing Sysvol, and they'll be even less casual if > they can figure out how to get at the password. I, for o

RE: GPO reset of local non-builtin accounts

2012-01-06 Thread David Lum
ailto:r...@pge.com] Sent: Thursday, January 05, 2012 5:24 PM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts Saw something pointed out today about the security implications by one of the GPO MVPs that you might want to consider http://blogs.technet.com/b/grouppolicy/

RE: GPO reset of local non-builtin accounts

2012-01-06 Thread ed ziots
CISSP,Security +,Network+ Subject: Re: GPO reset of local non-builtin accounts From: cato.rob...@gmail.com Date: Thu, 5 Jan 2012 11:53:28 -0500 To: ntsysadmin@lyris.sunbelt-software.com The SID is the same for the built-in local administrator account, even if it is renamed. It is best

RE: GPO reset of local non-builtin accounts

2012-01-05 Thread Free, Bob
05, 2012 2:55 PM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts Right! Two months ago one of the SE's here was saying we need to upgrade to 2008 DC's to manage Win7/2K8 systems...and was surprised when I told him the same thing you just said :) "R

RE: GPO reset of local non-builtin accounts

2012-01-05 Thread Free, Bob
Somehow, even contemplating managing my enterprise's GPOs from a Vista machine just makes me feel kind of dirty. :-] From: James Hill [mailto:falc...@gmail.com] Sent: Thursday, January 05, 2012 2:19 PM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts That

RE: GPO reset of local non-builtin accounts

2012-01-05 Thread David Lum
2012 2:19 PM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts That's one of the great things about GPP. It came with Server 2008 but with the CSE's you just need a Vista/Win7 machine to manage them. No need to upgrade everything. From: David Lum [mai

RE: GPO reset of local non-builtin accounts

2012-01-05 Thread James Hill
AM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts The 2003 servers don't have the latest updates for GPP installed would be my bet. From: David Lum [mailto:david@nwea.org] Sent: Thursday, January 05, 2012 11:30 AM To: NT System Admin Issues Subject: R

RE: GPO reset of local non-builtin accounts

2012-01-05 Thread David Lum
local non-builtin accounts The 2003 servers don't have the latest updates for GPP installed would be my bet. From: David Lum [mailto:david@nwea.org] Sent: Thursday, January 05, 2012 11:30 AM To: NT System Admin Issues Subject: RE: GPO reset o

Re: GPO reset of local non-builtin accounts

2012-01-05 Thread Robert Cato
2012 8:18 AM > > > To: NT System Admin Issues > Subject: RE: GPO reset of local non-builtin accounts > > > Good suggestion. Questions: > 1. If you need to log on locally and the domain is unavailable (it happens), > how do you log in? > > 2. Isn’t it best p

Re: GPO reset of local non-builtin accounts

2012-01-05 Thread Richard Stovall
NT System Admin Issues > *Subject:* RE: GPO reset of local non-builtin accounts > > There certainly is (with GPP). It can be used to create, update or delete > local users > > Computer Configuration/Preferences/Control Panel Settings/Local

Re: GPO reset of local non-builtin accounts

2012-01-05 Thread James Rankin
he GPO we use that works on XP/Win7 and modified it to point to > the added account and server OU only, no WMI filtering is on. > > *From:* James Hill [mailto:falc...@gmail.com] > *Sent:* Wednesday, January 04, 2012 12:25 PM > > *To:* NT System Admin Issu

RE: GPO reset of local non-builtin accounts

2012-01-05 Thread Kennedy, Jim
The 2003 servers don't have the latest updates for GPP installed would be my bet. From: David Lum [mailto:david@nwea.org] Sent: Thursday, January 05, 2012 11:30 AM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts Any reason this wouldn't work with 20

RE: GPO reset of local non-builtin accounts

2012-01-05 Thread David Lum
.com] Sent: Wednesday, January 04, 2012 12:25 PM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts There certainly is (with GPP). It can be used to create, update or delete local users Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups

RE: GPO reset of local non-builtin accounts

2012-01-05 Thread David Lum
2012 8:18 AM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts Good suggestion. Questions: 1. If you need to log on locally and the domain is unavailable (it happens), how do you log in? 2. Isn't it best practice to disable the builtin admin account and use a ne

Re: GPO reset of local non-builtin accounts

2012-01-05 Thread Cameron
8 AM > > *To:* NT System Admin Issues > *Subject:* RE: GPO reset of local non-builtin accounts > > Good suggestion. Questions: > 1. If you need to log on locally and the domain is unavailable (it > happens), how do you log in? > > 2. Isn’t it best prac

RE: GPO reset of local non-builtin accounts

2012-01-05 Thread David Lum
:jcas...@activenetwerx.com] Sent: Thursday, January 05, 2012 6:44 AM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts Computer Config / Preferences / Control Panel Settings / Local Users and groups I modify and set my local accounts on wksts this way... From: David Lum [mailto:

RE: GPO reset of local non-builtin accounts

2012-01-05 Thread Joseph L. Casale
Computer Config / Preferences / Control Panel Settings / Local Users and groups I modify and set my local accounts on wksts this way... From: David Lum [mailto:david@nwea.org] Sent: Wednesday, January 04, 2012 11:14 AM To: NT System Admin Issues Subject: GPO reset of local non-builtin account

RE: GPO reset of local non-builtin accounts

2012-01-04 Thread James Hill
david@nwea.org] Sent: Thursday, 5 January 2012 8:18 AM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts Good suggestion. Questions: 1. If you need to log on locally and the domain is unavailable (it happens), how do you log in? 2. Isn't it best practice to d

RE: GPO reset of local non-builtin accounts

2012-01-04 Thread David Lum
can't remember from where). Dave From: ed ziots [mailto:ezi...@hotmail.com] Sent: Wednesday, January 04, 2012 1:37 PM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts You can use cusrmgr.exe from the Windows 2000 Resource kit tools to script out the GPO change

RE: GPO reset of local non-builtin accounts

2012-01-04 Thread ed ziots
groups. HTH, Sincerely, EZ Edward E. Ziots Senior Informational Security Engineer CISSP,Security +,Network+ > From: kennedy...@elyriaschools.org > To: ntsysadmin@lyris.sunbelt-software.com > Date: Wed, 4 Jan 2012 13:39:08 -0500 > Subject: RE: GPO reset of local non-buil

RE: GPO reset of local non-builtin accounts

2012-01-04 Thread James Hill
There certainly is (with GPP). It can be used to create, update or delete local users Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups Create a new Local User and fill in the details:- This is a great GPP to do a domain wide change of the local Admin p

Re: GPO reset of local non-builtin accounts

2012-01-04 Thread Ben Scott
On Wed, Jan 4, 2012 at 1:39 PM, Kennedy, Jim wrote: >> net user localuser n3wP@ssw0rd > > Then convert it to an exe or encrypt it to help keep prying eyes out of it. Do note that such solutions only obfuscate the password. The conversion has to be able to reverse the cipher to give the passwor

RE: GPO reset of local non-builtin accounts

2012-01-04 Thread Kennedy, Jim
: GPO reset of local non-builtin accounts > Ohh..do tell - have a script handy that I can modify? > > From: Michael B. Smith [mailto:mich...@smithcons.com] > Sent: Wednesday, January 04, 2012 10:21 AM > To: NT System Admin Issues > Subject: RE: GPO reset of local non-builtin acc

RE: GPO reset of local non-builtin accounts

2012-01-04 Thread Crawford, Scott
Keep in mind that these scripts will be stored in plain text with readable passwords. From: David Lum [mailto:david@nwea.org] Sent: Wednesday, January 04, 2012 12:28 PM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts Ohh..do tell - have a script handy that I

RE: GPO reset of local non-builtin accounts

2012-01-04 Thread Matthew W. Ross
-builtin accounts > Ohh..do tell - have a script handy that I can modify? > > From: Michael B. Smith [mailto:mich...@smithcons.com] > Sent: Wednesday, January 04, 2012 10:21 AM > To: NT System Admin Issues > Subject: RE: GPO reset of local non-builtin accounts >

RE: GPO reset of local non-builtin accounts

2012-01-04 Thread David Lum
Ohh..do tell - have a script handy that I can modify? From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Wednesday, January 04, 2012 10:21 AM To: NT System Admin Issues Subject: RE: GPO reset of local non-builtin accounts Startup/boot script? Regards, Michael B. Smith Consultant and

RE: GPO reset of local non-builtin accounts

2012-01-04 Thread Michael B. Smith
Startup/boot script? Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: David Lum [mailto:david@nwea.org] Sent: Wednesday, January 04, 2012 1:14 PM To: NT System Admin Issues Subject: GPO reset of local non-builtin accounts Is there a way to GPO a pa