Windows 8.1

Security – Local Administrator Password Solution LAPS

Since Windows Server 2008, we can use Group Policy Preferences to set a password for Local Administrator on all workstations in an OU. In May 2014, Microsoft released a patch to remove this feature. KB2962486

In fact, the password was stored insecurely. It was crypted using a key which is now public MSDN. This is a security leak, password are sent in “clear” and several time by day, using GPO application. If KB2928120 is installed on your system, you can’t no more use GPO to define password for:

  • Drive Maps.
  • Local Users.
  • Scheduled Tasks.
  • Services.
  • Data Sources.

With the Security patch, Microsoft provided a Powershell script to change local password remotely.

Since few days, Microsoft released a new tool: Local Administrator Password Solution (LAPS). With this tool, computers are able to randomly change password for local administrator and store it in Active Directory attribute.

Continue reading

Active Directory 2012

Active Directory – Create Fine-grained password

Before Windows Server 2008, there was a limitation about password management: only one password policy and lockout policy could be applied to all users in the domain. Therefore, some organizations created several domains to manage different set of user / password policy.

With Windows Server 2008, Microsoft integrated Fine-Grained password policy. With this object, you can now create multiple password policy in the same domain and assign it to a specific user group. However, there was no built-in GUI to create Fine-Grained policy. We had to use ADSIEdit and Attribute Editor to assign a policy to a user group.

Windows Server 2012 uses Active Directory Administrative Center to give us the possibility to create Fine-Grained policy with a wizard. Let’s see how to do that easier.

Continue reading