Back in May 2014, Microsoft released a patch to fix a vulnerability in Group Policy Preferences, which left many people without a method for changing local account passwords. Happily, they also provided a PowerShell script to allow sys admins to do this.
Whilst the script works, it isn't very elegant or user friendly. Indeed, one of my clients was struggling with managing passwords through the script and had actually altered it to 'hardcode' a simple password, resulting in a reduction in security: all of their systems now had the same simple password, which had been transmitted in clear text over the network.
This drove me to wrap Microsoft's script in another PowerShell script with a simple GUI, in a bid to make the whole process more manageable.
To run these scripts you will need WinRM enabled. It is enabled on Server 2012 by default, but NOT on the client OS.
To enable it on client machines, create a Group Policy Object that targets the workstations on which you want to enable WinRM (see http://www.grouppolicy.biz/2014/05/enable-winrm-via-group-policy/ for an example).
With WinRM enabled, the scripts should work as planned.
You can either download the Microsoft script from https://support.microsoft.com/en-us/kb/2962486 or use the version bundled with my script here:
Unzip to a folder somewhere and run the PasswordToolV2.ps1 script (you will most likely be prompted to allow execution, as it is unsigned). The following screen will be displayed:
My client found they were using the Decrypt function more often than the change password function, hence the dialog defaults to the decrypt screen. For now, click on the Encrypt tab.
There are several things to note here.
The status bar is telling us there is no settings file. Any details entered in the following fields can be saved to a settings file, which will be loaded automatically on the next run if it is found in the same path as the script:
- Account Names
- Password Length
- Path to Invoke-PasswordRoll Script
- Working Directory
- Target OU
You will need to fill in the seed value (remember this; you will need it to decrypt the passwords later), the account names you wish to change, for example 'Administrator', and the password length (here I am using 8, but I would recommend at least 16 if you are serious about security).
Path to Invoke-PasswordRoll Script should be the path to the script downloaded from Microsoft or taken from my zip file.
Working Directory is usually the same directory, but can be different if you so wish.
As you would expect, the Browse buttons allow you to browse to the folders required, and the Connect.. button will display a list of OUs in your AD structure in the box on the right like so:
Selecting the OU you are interested in will populate the target OU box as shown.
When executed, the OU will be recursively parsed for computers and the result saved to a text file in the working directory called 'clients', containing a list of all the computers found under the selected OU. Progress is shown in the status bar and progress bar.
The script then looks for a credentials.tsv file (this is created when we change the passwords on systems); if it exists, the machines whose accounts have already been changed are filtered out, and the remaining machines are stored in a file called 'targets-online'. This file is passed to the Invoke-PasswordRoll.ps1 script together with your seed value and account names.
The Invoke-PasswordRoll script parses the file, changes the password on each system to a random password of the length you chose, and stores the password in encrypted form in a file called 'credentials.tsv'. At this point the password in this file is not human readable; this is where the 'Decrypt' tab comes into play.
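The target-selection step described above (enumerate the OU, skip machines already in credentials.tsv, write targets-online, hand the list to Microsoft's script), written out as an added PowerShell example. This is not the author's PasswordToolV2.ps1 and not Microsoft's code; it assumes the RSAT ActiveDirectory module, a reachable domain, and a downloaded copy of Invoke-PasswordRoll.ps1 from KB2962486. The credentials.tsv column name (ComputerName) and the parameter names on the Invoke-PasswordRoll call are assumptions to be checked against your copy of the script. It adds one check the text only implies by the file name 'targets-online': each remaining machine is probed with Test-WSMan, so a workstation the WinRM GPO has not reached yet is reported instead of silently failing inside the roll.

```powershell
# Added example: target selection for a password roll. Not the author's tool or
# Microsoft's script. Assumes RSAT ActiveDirectory and KB2962486's Invoke-PasswordRoll.ps1.
function Select-PasswordRollTargets {
    param(
        [Parameter(Mandatory)] [string] $TargetOU,          # e.g. 'OU=Workstations,DC=example,DC=local'
        [Parameter(Mandatory)] [string] $WorkingDirectory   # where 'clients', 'targets-online' and credentials.tsv live
    )
    Import-Module ActiveDirectory

    # 1. Recursively enumerate computer objects under the OU and record them in 'clients'
    $clients = @(Get-ADComputer -Filter * -SearchBase $TargetOU -SearchScope Subtree |
        Select-Object -ExpandProperty Name)
    $clients | Set-Content -Path (Join-Path $WorkingDirectory 'clients')

    # 2. Drop machines already rolled. Column name 'ComputerName' is an assumption
    #    about the TSV written by Invoke-PasswordRoll; verify against your file.
    $done = @()
    $tsv = Join-Path $WorkingDirectory 'credentials.tsv'
    if (Test-Path $tsv) {
        $done = @(Import-Csv -Path $tsv -Delimiter "`t" | Select-Object -ExpandProperty ComputerName)
    }
    $remaining = $clients | Where-Object { $done -notcontains $_ }

    # 3. Keep only machines that answer WinRM; the roll itself runs over WinRM, so a
    #    machine failing here most likely has not received the WinRM GPO yet.
    $online = foreach ($computer in $remaining) {
        if (Test-WSMan -ComputerName $computer -ErrorAction SilentlyContinue) {
            $computer
        } else {
            Write-Warning "$computer skipped: WinRM not reachable (check the WinRM GPO applies to it)"
        }
    }
    $online | Set-Content -Path (Join-Path $WorkingDirectory 'targets-online')
    return $online
}

# Usage (parameter names of Invoke-PasswordRoll are assumptions; check your downloaded copy):
# . 'C:\PasswordRoll\Invoke-PasswordRoll.ps1'
# $seed    = Read-Host 'Seed (encryption key)'
# $targets = Select-PasswordRollTargets -TargetOU 'OU=Test,DC=example,DC=local' -WorkingDirectory 'C:\PasswordRoll'
# Invoke-PasswordRoll -ComputerName $targets -LocalAccounts @('Administrator') `
#     -TsvFileName 'C:\PasswordRoll\credentials.tsv' -EncryptionKey $seed -PasswordLength 16
```

Running this against a small test OU first, as the author suggests at the end of the post, shows immediately which machines are missing WinRM, and the 'clients' and 'targets-online' files it leaves behind are the same two the GUI produces, so the rest of the workflow is unchanged.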
Click on the Load button to load the credentials.tsv file we created earlier:
As you can see, the encrypted password is a huge string of seemingly random characters. To decrypt it into something we can use, enter the seed key used earlier into the Enter Key text box, select the encrypted password you want to decrypt in the list, and click Decrypt. If all has gone well, you will see something similar to this:
Obviously, many of you may have many hundreds if not thousands of systems, which is why there is a search box at the top right. I'm hoping this is pretty self explanatory 🙂
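The Decrypt tab's work (load credentials.tsv, narrow it with the search box, decrypt the chosen row with the seed), as an added PowerShell example rather than the author's GUI code. It dot-sources Microsoft's KB2962486 script for its decrypt function, which I know as ConvertTo-CleartextPassword with -EncryptedPassword and -EncryptionKey; that name, its parameters and the TSV column names (ComputerName, Username, Password) are assumptions to check against your copy. The one failure mode worth handling is a wrong seed: the example reports it per row and carries on instead of aborting the whole list.

```powershell
# Added example: the Decrypt tab as a function. Not the author's tool or Microsoft's code.
# Assumes KB2962486's Invoke-PasswordRoll.ps1 has been dot-sourced so that
# ConvertTo-CleartextPassword is defined (function and parameter names assumed).
function Get-RolledPassword {
    param(
        [Parameter(Mandatory)] [string] $TsvPath,          # credentials.tsv written by the roll
        [Parameter(Mandatory)] [string] $EncryptionKey,    # the seed entered on the Encrypt tab
        [string] $Search = ''                              # substring of a computer name; '' returns every row
    )
    # Column names are assumptions about the TSV layout; adjust if your file differs.
    $rows = Import-Csv -Path $TsvPath -Delimiter "`t" |
        Where-Object { $_.ComputerName -like "*$Search*" }

    foreach ($row in $rows) {
        try {
            # -ErrorAction Stop turns a decryption failure into a catchable error
            $clear = ConvertTo-CleartextPassword -EncryptedPassword $row.Password `
                                                 -EncryptionKey $EncryptionKey -ErrorAction Stop
        } catch {
            # Typical cause: a different seed from the one used when the roll ran
            $clear = $null
            Write-Warning "$($row.ComputerName): could not decrypt (wrong seed?)"
        }
        [pscustomobject]@{
            ComputerName = $row.ComputerName
            Username     = $row.Username
            Password     = $clear
        }
    }
}

# Usage: the search string does what the search box at the top right of the Decrypt tab does.
# . 'C:\PasswordRoll\Invoke-PasswordRoll.ps1'
# Get-RolledPassword -TsvPath 'C:\PasswordRoll\credentials.tsv' -EncryptionKey (Read-Host 'Seed') -Search 'PC01'
```

Returning objects rather than printing means the result can be piped to Format-Table for a quick look or to Where-Object to pick a single machine, and the Password column stays empty for any row the seed did not decrypt, so a wrong key is obvious at a glance.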
Hopefully this will help you ease the pain of routinely changing and managing local machine passwords. Please feel free to leave comments below – I'm not claiming to be a competent PowerShell expert, and I welcome any tips for improvement!
I suggest you create a small OU with one or two machines in to test this out on and to get yourselves familiar with the script. I have tried to make it as foolproof as possible but there is always room for improvement!