MS security bulletin MS14-025, password still getting applied through GPO

    Question

  • Dear All,

    We used to use group policy for distributing and standardizing the local administrator password through GPO. My security team found out it's not a best practice because of "Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege", so I applied the below patch on all my DCs:

    https://technet.microsoft.com/library/security/ms14-025

    and I changed the local administrator password for a couple of servers to test if the old GPO password policy still gets applied to the server. I found that even after changing the local administrator password, the password from the GPO still gets applied.

    Regards

    Jack.


    TechGuy, System Administrator.

    Monday, January 25, 2016 7:10 AM

All replies

  • Hi

    Yes, it can't be used anymore since update MS14-025; you can use LAPS to set the local admin password.

    LAPS

    https://www.microsoft.com/en-us/download/details.aspx?id=46899


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Monday, January 25, 2016 7:16 AM
  • Dear Burak,

    I have a third party tool where I can reset the password in bulk. I want to know how I stop this GPO from applying the password again; I was under the impression that after applying this patch the GPO would stop distributing the password.

    Do I need to remove the group policy?


    TechGuy, System Administrator.

    Monday, January 25, 2016 7:20 AM
  • Hi

    So the GPO is invalid since the security update, and you can remove this GPO.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Monday, January 25, 2016 7:26 AM
  • Hi Burak,

    My question is: even after applying the security update, I see the password is still being applied on the servers. Even if I change the password manually, the password from the GPO is still getting applied. Why is that?


    TechGuy, System Administrator.

    Monday, January 25, 2016 7:28 AM
  • Hi

    Check that the security update is already applied, because the update disabled the password change section.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Monday, January 25, 2016 7:33 AM
  • Hi,
     
    On 25.01.2016 at 08:10, ITSysGuy wrote:
     
    This update does not /remove/ cpassword entries from SYSVOL XML files.
    If it's still inside, any client/server that has not installed KB2928120
    will still use this item.
     
     Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Monday, January 25, 2016 10:14 PM
    Dear Mark,

    You mean just removing the cpassword policy from the GPO is not enough; I have to remove the XML file manually from all the clients and workstations, or else the policy will still apply even though the GPO is removed from the server?

    If I remove the XML file from the SYSVOL folder, will it be removed from all client PCs?


    TechGuy, System Administrator.


    Edited by ITSysGuy Tuesday, January 26, 2016 4:21 AM (more info)
    Tuesday, January 26, 2016 4:18 AM
    My understanding is: applying the security update will not remove CPassword preferences, but manually removing the preferences that contain CPassword data, using GPMC on the domain controller or from a client that has Remote Server Administration Tools installed, should remove them permanently.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Tuesday, January 26, 2016 7:10 AM
    Moderator
  • Hi,
     
    On 26.01.2016 at 05:18, ITSysGuy wrote:
    > you mean just removing the cpassword policy from the GPO is not enough
     
    No, that's perfect. I thought you only updated the machine where you use
    GPMC, but left the GPOs "as is", but:
     
    > if I remove the XML file from the SYSVOL folder, will it be removed from all
    > client PCs?
     
    ... if you delete the GPO, the password is still SET.
    GPP are preferences; they are not removable, unless you define the
    action as 'delete'.
     
    So in fact, your GPO does no longer apply, but the original value is still
    delivered and valid.
     
    If you want to have a new password set on the clients, you need to find
    a way to deploy it, e.g. LAPS can do it, or a computer startup script with
    a plain text password *eeek* :-)
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Tuesday, January 26, 2016 9:00 AM
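A defender-side audit of the SYSVOL XML files Mark describes, added here as an example and not part of the thread: it lists every Group Policy Preference item that still carries a cpassword attribute, together with its action code, so those entries can be located and removed through GPMC as Ethan suggests. The file names come from MS14-025; the sample Groups.xml, the placeholder cpassword value and the function names are constructed for this example.

```python
# Added example (not from the thread): audit SYSVOL for GPP items that still carry cpassword.
import os
import xml.etree.ElementTree as ET

# Preference files that can store a cpassword attribute (names from MS14-025).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml", "DataSources.xml", "Drives.xml", "Printers.xml"}
# Only action 'D' removes the item on the client; C/R/U leave whatever they set in place.
ACTIONS = {"C": "create", "R": "replace", "U": "update", "D": "delete"}

# Constructed sample Groups.xml (clsid/uid attributes omitted; cpassword is a placeholder).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator" changed="2016-01-25 07:00:00">
    <Properties action="U" userName="Administrator" noChange="1"
                cpassword="PLACEHOLDER-NOT-A-REAL-VALUE"/>
  </User>
  <User name="OldHelpdesk" changed="2016-01-25 07:00:00">
    <Properties action="D" userName="OldHelpdesk"/>
  </User>
</Groups>
"""

def find_cpassword_entries(xml_text, source="<inline>"):
    """Return one dict per element whose cpassword attribute is non-empty."""
    root = ET.fromstring(xml_text)
    parent = {child: node for node in root.iter() for child in node}
    findings = []
    for elem in root.iter():
        if not elem.get("cpassword"):  # absent or empty: no password stored
            continue
        item = parent.get(elem, root)  # enclosing <User>/<Service>/<Task> element
        findings.append({
            "file": source, "item": item.tag, "name": item.get("name", ""),
            "account": elem.get("userName") or elem.get("accountName") or elem.get("runAs") or "",
            "action": ACTIONS.get(elem.get("action", ""), "unknown"),
        })
    return findings

def scan_sysvol(sysvol_root):
    """Walk a SYSVOL share (or an offline copy) and collect findings from every GPP file."""
    findings = []
    for dirpath, _, filenames in os.walk(sysvol_root):
        for fname in filenames:
            if fname in GPP_FILES:
                path = os.path.join(dirpath, fname)
                try:
                    with open(path, encoding="utf-8-sig") as fh:
                        findings.extend(find_cpassword_entries(fh.read(), path))
                except (OSError, ET.ParseError) as err:
                    print(f"skipping {path}: {err}")  # unreadable or malformed file
    return findings
```

Run `scan_sysvol(r"\\<domain>\SYSVOL\<domain>\Policies")` (or against an offline copy) to get one finding per item that still delivers a stored password; items whose action is not "delete" stay on clients even after the GPO is removed, which is the behaviour Mark describes.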
  • On 26.01.2016 at 10:00, Mark Heitbrink [MVP] wrote:
    > So in fact, your GPO does no longer apply, but the original value is still
    > delivered and valid.
     
    Of course, if the password is set manually, it shall not be overwritten.
     
    So, the question is on your test servers, where does it come from?
     
    Is GPO the only place where you define the password?
    Probably there is another tool?
     
    As an idea:
    - download pwdump or a similar tool to get the password hash
    - set the password manually and get the hash
    - run gpupdate and get the hash again, do they match or differ?
     
    If the change is caused by GPO, the hash should differ; otherwise there
    is another tool doing the job of setting the password.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Tuesday, January 26, 2016 9:43 AM