How to use Group Policy Preferences to change account Passwords

UPDATE: If you are thinking about doing this… DON’T  this password group policy is not taken advantage of using the MetaSploit tool kit (see https://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp ). I will leave this article on line, but if you have implemented any password via Group Policy Preferences then you seriously need to look at alternatives ASAP.

If you are using the Group Policy Preferences to apply local user account be aware there is a security risk in doing this. In short the passwords are stored in the AD SYSVOL encrypted using AES however the encryption key is well known so this could only be considered obfuscated at best…. More info about this can be read at http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx

However using Group Policy Preferences to set passwords on local user accounts is still extremely useful and one could argue that not changing the local administrator account password is potentially more of a security issue over time. So if you still want to use this option but want to mitigate the risk in using this feature then here are a few steps that can be taken that will help.

Before you start tell as few as people as possible when you are changing the passwords. This is important as if you tell people when the password is changing they will know when to look for the password stored in the SYSVOL.

Step 1. Change default group policy refresh period to be as short as you dare (see Image 1). The default is 90 minutes but if you can safely crank it down 5 or 10 minutes that would be better. This will speed up the propagation delay of the new password once is configured in the group policy.

image

Image 1. Changing the default group policy refresh

Step 2. Some time during the middle of the day create a new group policy object and configured the the new local user password option (See image 2). then wait for the setting to propagate.

image

Image 2. Configuring the Local Account Password

Step 3. Then you need to wait… How long? The formula i would use for the time to wait is as follows:

Max Active Directory Propagation Delay + Max Group Policy Refresh Interval

Therefore if it take 16 minutes for Group Policy changes to propagate to all DC’s in the domain and you have set group policy refresh to 10 minutes the formula will look like this.

16 minutes + (10 minutes + 2 minutes) = 28 minutes

Note the 2 minutes is to take into account the 20% offset that group policy refresh interval has from the set value.

Step 4. Then one you have waited for the new password setting to rollout DELETE the group policy password setting you configured. This will purge the obfuscated version of the password from the SYSVOL. The reason also I recommend you create and delete a new group policy each time you do this is so the password file is store in a different path in the SYSVOL which is just another way to make it harder for someone to file the password file.

Step 5. You may want to repeat steps 4, 5 and 6 a couple of days apart to ensure that you have applied the setting to all the computers that were not turned on or connected to the network the first time (sounds like a great reason to deploy Direct Access).

Step 6. Finally don’t forget to wind back the default group policy refresh interval to its original value.

Now as we are all good IT Professional it would be best to tell people that the local admin password has changed and will be disseminated securely (NOT via email or IM) when needed. The key is to do it quick and then remove the policy as soon as you are done to have the smallest window of opportunity as possible for someone to grab the password file.

Of course this sound very devious and some could say you are covering your trails by deleting the policy once you are done which is not something you generally want to do as a good IT Professional… But if you are going to do this in a organisation then your are probably going to need to follow change control anyway so you should still have an official record of what you have done.

Alan Burchill

Author: Alan Burchill

Microsoft MVP (Group Policy)

18 thoughts on “How to use Group Policy Preferences to change account Passwords

  1. the idea of deleting the policy once the password has been changed is good. hence removing the chances of someone getting hold of the xml file and playing with it. the thing is that if new pc’s are joined to the domain and / or re installed, these won’t inherit the new password as they won’t find the policy (or the setting) anymore. how “easy” it is to crack the obfuscated password? can ntfs file permissions on this xml file be changed so to leave only the group containing computer accounts to read it?

    thanks,
    Kevin.

    1. Kevin

      Good point. Normally you would set the default admin password as part of the build process in the un-attended build script… (or via SCCM) this would mean the password would be set without the need for GPP… however you would need to ensure that you kept the build password is updated when you change the passwords of the other computers manually…

      Alan

    2. NTFS file permissions are irrelevant unless the drive is encrypted. If the drive in not encrypted, then one can just use a live boot distro of linux and remove any permissions settings from any/all files/folders on the drive.

  2. Normally you would set the default admin password as part of the build process in the un-attended build script… (or via SCCM)

    How do it with SCCM?

    thanks for you article

  3. Great write up, but this only applies to server 08. Is there an option such as this for server 03?

    1. @Carl

      Yes this will apply to Windows Server 2003… You can install the client side extentions via Windows Update and then it will enable this functionality to work.

  4. I have been playing with testing this out but I’m having problems. I know it’s updating the local admin account, not the built-in account. When I enter my password, which is a long password with strong characters, it won’t take it. I can’t even turn off the GPO and update the password from another account to get in?

    1. I found that I had to wait longer than I expected, but why would the Description update and not the password?

  5. This works for me in Win Server 2008. However I was wondering what differences there will be in Server 2003 and 2008 R2. Any information would be appreciated. Thanks in advance.

  6. One of the main purposes to change the built in Administrator password is to keep the password identical on each domain joined client system.
    Be it one installed in a remote location from an OEM machine or one installed from a provided image.
    And especially also on such machines, where a user is local administrator himself and is attempting to change the Administrator account password (or has malware doing this for him).
    So deleting a related group policy is not very useful to keep such systems in current stage.
    An open question is also, how this will act in context with password policies? I know, its for local accounts, but on a domain joined computer I could not alter the expiration settings, remember past passwords etc.
    So assuming, I have configured the last 5 passwords to be remembered, what will happen if a user with local admin rights sets the Administrator password away from the default one (net user Administrator blablabla) and then the policy kicks in to revert the password to the default one?

    Best greetings from Germany
    Olaf

  7. Thanks Alan Burchill, but I tried above mention policy on my domain 2008 to reset local administrator password as well as update local administrator group. It’s updating local admin group but it doesn’t update the password of administrator. Suggest me how to test this policy to work perfectly. I did all as you explain but no luck.

  8. Wow that was strange. I just wrote an really
    long comment bbut after I clicked submit my comment didn’t show
    up. Grrrr… well I’m not writing all that over again. Anyway, just wqnted to say
    great blog!

  9. My company using win 2008 server , 200 domain user available I am changing some user only changed local administrator password .

    Now I am able to change all user local admin passs through abow mentiond procedure ..

    kindly help me

  10. Hi
    I want to deactivate administrator accounts of clients in domain by group policy console.please guide me if you know any way to do that.
    thanks alot

Leave a Reply