Windows 8.1

Security – Local Administrator Password Solution LAPS

Since Windows Server 2008, we have been able to use Group Policy Preferences to set a password for the Local Administrator on all workstations in an OU. In May 2014, Microsoft released a patch to remove this feature (KB2962486).

The reason is that the password was stored insecurely. It was encrypted with a key that is now public (published on MSDN). This is a security leak: passwords are effectively sent in “clear”, several times a day, each time the GPO is applied. If KB2928120 is installed on your system, you can no longer use GPO to define a password for:

  • Drive Maps.
  • Local Users.
  • Scheduled Tasks.
  • Services.
  • Data Sources.

With the security patch, Microsoft provided a PowerShell script to change the local password remotely.

A few days ago, Microsoft released a new tool: Local Administrator Password Solution (LAPS). With this tool, computers are able to randomly change the password of the local administrator and store it in an Active Directory attribute.
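As an added example (not from the original post and not Microsoft's script): a read-only PowerShell audit that lists Group Policy Preferences XML files still carrying a stored password, which the patch itself does not remove. The function name Find-GppPassword, the sample XML and the temp folder are constructed for illustration; the cpassword attribute and the file names are the ones Group Policy Preferences uses.

```powershell
# Added example, not Microsoft's script. Find-GppPassword is a hypothetical helper name.
function Find-GppPassword {
    param(
        # Assumption: in production this is \\<domain>\SYSVOL\<domain>\Policies
        [Parameter(Mandatory)] [string] $PoliciesPath
    )
    # Preference files that could hold a password before the patch:
    # Local Users, Services, Scheduled Tasks, Data Sources, Drive Maps.
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml'

    Get-ChildItem -Path $PoliciesPath -Recurse -File -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try   { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop) }
            catch { Write-Warning "Unreadable XML: $($file.FullName)"; return }

            # A non-empty cpassword attribute means a password is still stored in the file.
            # Empty attributes (password never set or already cleared) are ignored.
            foreach ($node in $xml.SelectNodes('//*/*[string-length(@cpassword) > 0]')) {
                [pscustomobject]@{
                    File    = $file.FullName
                    Element = $node.ParentNode.LocalName
                    Name    = $node.ParentNode.GetAttribute('name')
                }
            }
        }
}

# Constructed sample data so the example runs offline (placeholder value, not a real password).
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-demo'
$demo = Join-Path $root 'Policy1\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" userName="Administrator (built-in)" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
  <User name="svc-empty">
    <Properties action="U" userName="svc-empty" cpassword=""/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $demo 'Groups.xml')

# Reports only the first User entry; the one with an empty cpassword is skipped.
Find-GppPassword -PoliciesPath $root | Format-List
```

Every file reported is a preference item to delete or recreate without a password, after which the account's password should be changed.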


WindowsServer

Powershell – Add local Administrator

If you want to add an Active Directory user or group to the local Administrators group on a computer, you can use PowerShell.

User and Group

To add a user or group, we can use the Invoke-Command cmdlet together with net localgroup.

Invoke-Command -ScriptBlock {net Localgroup administrators /add $args[0] } -ArgumentList("LAB\alexandre")

Computer

It is also possible to add a computer account to the local Administrators group. Use the same command as above, but don’t forget to add the $ at the end of the computer name.

Invoke-Command -ScriptBlock {net Localgroup administrators /add $args[0] } -ArgumentList("LAB\SRVSCCM$")

More

You can get more information about net localgroup here.

WindowsServer

Powershell – Change computer description

Continuing the PowerShell posts, we will see how to change the local description of a server: not the Active Directory attribute, but the description on the computer itself.

System Description

The local description is stored in WMI on the server, in the class Win32_OperatingSystem. To change it, we need to get the object, set the new content and save the modification.

$OSWMI=Get-WmiObject -class Win32_OperatingSystem
$OSWMI.Description="My Server"
$OSWMI.put()

Remote

It is possible to modify the description on a remote computer; however, we need to adapt the script if the string is stored in a variable.

With Invoke-Command we add the -ArgumentList parameter, so that the content of our variable is available during execution on the remote host.

$myDescription="My Server"
Invoke-Command -ComputerName $lServerName -ScriptBlock {$OSWMI=Get-WmiObject -class Win32_OperatingSystem;$OSWMI.Description=$args[0];$OSWMI.put() } -ArgumentList($myDescription)

More

You can get more information about Win32_OperatingSystem class here

WindowsServer

Server – Internet Explorer GPO not applied

With Active Directory, you can deploy some Internet Explorer configuration using Group Policy (GPO). But sometimes, settings for Internet Explorer are not modified, even if the GPO is correctly applied.

This behavior is not a bug, it’s a feature 🙂 When IE Security is enabled, GPO can’t change configuration for Internet Explorer.