Comments on heidelbergit: Unique passwords on local user accounts using VBS ...

Great tip Davey ;-)

2009-12-30T23:05:54.649+01:00

Great tip Davey ;-)

If you set the permissions on the file share sligh...

2009-12-30T18:25:16.931+01:00

If you set the permissions on the file share slightly differently then you can reduce the risk of having someone run as local system and see all the machine passwords.

Set Domain Computers to have the following permissions. (Apply onto This folder only)
Traverse Folder, List folder, Read Attributes, Read Extended Attributes, Create Files, Read Permissions

Set Creator Owner full control Files Only.

Then the computer can create its own file but not read the log from any other machine.

Also if you enable ABE (Access based enumeration) on the share then each machine will only be able to see its own log files.

Helps to increase the security a bit.

Jakob, I really like your approach. I've done ...

2009-07-08T20:42:41.594+02:00

Jakob, I really like your approach. I've done something similar that scrambles the password on every reboot, but logging to a central log file file is a nice touch.

BTW - from my testing, the script works perfectly ...

2009-06-04T21:28:18.169+02:00

BTW - from my testing, the script works perfectly on Windows 7 with UAC enabled - Vista UAC suxx :)

Best regards
Jakob

Hi Derek, I believe it's UAC making trouble -...

2009-06-04T21:18:29.853+02:00

Hi Derek,

I believe it's UAC making trouble - both with the C-root write issue and the PWD set issue...

Please look at this if you have Vista UAC enabled in the environment:

http://www.winhelponline.com/articles/185/1/VBScripts-and-UAC-elevation.html

Please let me know whether that fixes the problem or not.

CYA!
Jakob

This is a great theory for a script, thanks. Alth...

2009-06-04T14:38:13.398+02:00

This is a great theory for a script, thanks. Although I'm having a bit of an issue with it. I have made my modifications to the script regarding the days (changed to 90), the path for local and the path for network. The admpwd.log file gets created, but it never creates the stamp file.

I'm running on Vista, and at first, it gave me an access denied error when trying to create the log files in the root of C. I created a subdirectory in C and got past that.

Here is the error from the admpwd.log -

2009-06-04 08:31:25 [STARTED]
2009-06-04 08:31:25 [VARIABLES - A]
2009-06-04 08:31:25 - intDays : 90
2009-06-04 08:31:25 - strNetShare : '\\server\share\'
2009-06-04 08:31:25 - strLocalLog : 'C:\admin\admpwd.log'
2009-06-04 08:31:25 - strLocalStamp : 'C:\admin\admpwd.stp'
2009-06-04 08:31:25 - strLocalUser : 'zzadmin'
2009-06-04 08:31:25 - strComputer : 'computername'
2009-06-04 08:31:25 - strNetFile : '\\server\shares\computername.log'
2009-06-04 08:31:25 STATUS - No local stamp file, probably first run
2009-06-04 08:31:25 SUCCESS - ALIVE:\\server\share\
2009-06-04 08:31:25 [VARIABLES - B]
2009-06-04 08:31:25 - intPasswordLength: 8
2009-06-04 08:31:25 - intWantNumbers : 1
2009-06-04 08:31:25 - intWantLcase : 1
2009-06-04 08:31:25 - intWantUcase : 1
2009-06-04 08:31:25 SUCCESS - PWD written to: '\\server\share\computername.log'
2009-06-04 08:32:00 FAILURE - PWD NOT SET for 'zzadmin'
2009-06-04 08:32:00 [ABORTED]