automatically check for empty password and force local admin to set one on next logon if found empty

  • Question

  • Hello everyone,

    first appearance here in the forums - need your help in doing this as accurately and securely as possible.

    I am an IT person in a small department; I estimate our department is supporting no more than 200 stations.

    We have several types of users; one of them is a normal workstation connected to a switch for internet and file sharing, yet those workstations are not joined to a domain/AD, meaning no one really manages those besides the owner.

    The PC is running Windows 10 Enterprise, and the owner is basically the default local administrator, the same one you get right after Windows 10 finishes its installation.

    After installing Windows, I placed the desired local policy (with secpol.msc) for password length, complexity and so on.

    My problem is that since the owner is the admin and no one is managing its policies from the network, the owner can go to "My Computer -> Manage -> Users" and there he/she can leave the password empty or change it to something other than the local policy I pre-set.

    The thing is the owner must stay a local admin and not a normal user.

    My idea was, well, I thought about placing a silent script that runs automatically, either on startup or possibly scheduled in the Task Scheduler.

    This script will "catch" the accounts without passwords,

    and if it is not too complicated and security compromising, also look for accounts that have a password that doesn't match the policy, length and complexity.

    I know that the owner can also find that background script, yet it is less likely.

    So, I found these two scripts on the forums, which I tried to combine into one; it's just a suggestion, I am not sure it's best:

    one is for "User Must change password at next logon"

    https://social.technet.microsoft.com/Forums/en-US/05b99216-9f92-44c2-959d-9c8e50df7a6d/script-for-quotuser-must-change-password-at-next-logonquot?forum=ITCG

    and second is "How to check if a local user account has a blank password"

    https://gallery.technet.microsoft.com/scriptcenter/How-to-check-if-a-local-870ab031

    (you are more than welcome to overwrite the message dialog box - it's not required, I aim for silent)

    Tried to make it as informative as possible yet also short; hope any of you could help me in creating this script accurately and securely.

    Thank you in advance!

    Temp


    Saturday, January 11, 2020 9:11 PM

All replies

  • If you set password required for all accounts in GP then the user will be prompted to enter a password on the next logon. There is no need to script this.

    Take some time to review the documentation on AD and on Windows and network security. You will find that Windows has everything you need built in and has since the first version of NT, with many enhancements since then.

    If you are responsible in any way for NT security you must review and learn how NT is secured and how to maintain that security.


    \_(ツ)_/

    Saturday, January 11, 2020 9:28 PM
  • Note that secpol is the default and it does not do what a GPO can do.  Also a GPO can override the default set by secpol.

    Users should NEVER be admins on their workstations.  It will just create issues forever and it is counter to all best practices in Windows.  Systems that get set up that way are because the people setting them and the network up are not trained in Windows administration and user administration.  They have likely learned on the job and have had no formal training.


    \_(ツ)_/

    Saturday, January 11, 2020 9:32 PM
  • hi jrl,

    perhaps I wasn't clear; out of the 200 stations a few are managed by the owner only, fully.

    They are not on the domain and they have full autonomy on their PC.

    I'm responsible for installing anti-virus, and that is also on a voluntary basis.

    My aim is to script a periodic test for catching empty passwords.

    ty

    Saturday, January 11, 2020 10:00 PM
  • You can use the local GP for this and you can use a custom secpol template to set it so it cannot be changed.


    \_(ツ)_/

    Saturday, January 11, 2020 10:07 PM
    and again, ty for the information jrl,

    I have no doubt you could manage the network better than me; that's why I am not managing a network GP, I am supporting stand-alone PCs that are jacked into the internet and need to manipulate the local admins to keep their chosen passwords running and not decide to give up on them.

    If only the built-in (hidden) admin could be more elevated than the local admin in terms of secpol and passwords as well, this could have sorted the problem.

    I need everything done on a local basis; think of it as if this PC is offline for that matter - how to force a local admin to keep a password running in this case without such a script?

    thanks.

    Saturday, January 11, 2020 10:12 PM
    I am already using a secpol template, but like I said, the owner in our case must stay type admin,

    meaning he/she can tamper with it.

    Saturday, January 11, 2020 10:17 PM
  • To check for accounts without required passwords do this:

    Get-WmiObject  Win32_UserAccount -Filter 'PasswordRequired=False'  | select Caption, PasswordRequired

    Change the setting.  Test the account for a blank password and take action.


    \_(ツ)_/

    Saturday, January 11, 2020 10:21 PM
  • I am already using a secpol template, but like I said, the owner in our case must stay type admin,

    meaning he/she can tamper with it.

    Owners cannot tamper with the policy. Users should not be admins. The BUILTIN\ADMIN can allow advanced privileges and still retain ownership of policy so that an elevated user can't change the policy.

    Again - you need to learn Windows and how policy and security are designed to work. Just knowing how to apply a template is not enough.


    \_(ツ)_/

    Saturday, January 11, 2020 10:24 PM
  • To check for accounts without required passwords do this:

    Get-WmiObject  Win32_UserAccount -Filter 'PasswordRequired=False'  | select Caption, PasswordRequired

    Change the setting.  Test the account for a blank password and take action.


    \_(ツ)_/

    OK, we're getting somewhere now :)

    yet I am not quite sure about what you meant by saying...

    change the setting

    this script is VB, fully ready, right?

    thank you dearly 


    Saturday, January 11, 2020 10:33 PM
  • To check for accounts without required passwords do this:

    Get-WmiObject  Win32_UserAccount -Filter 'PasswordRequired=False'  | select Caption, PasswordRequired

    Change the setting.  Test the account for a blank password and take action.


    \_(ツ)_/

    hello jrv, your command didn't do what I wanted.

    your reply wasn't that helpful after all.

    I need a script in PowerShell, one that goes from... stage one:

    check for any user (either user or admin) that doesn't have a password, = empty.

    stage two:

    if such a user is found, the script will force that account to change password at next logon.

    if not, the script will do nothing.

    as I explained, the PC will run this script automatically with each start, locally and silently.

    as I explained, the owner is also an admin alongside the built-in admin, locally.

    Generally speaking, if it means anything, I don't feel Windows 10 is that much secure in the first place; therefore all those security statements don't bother me, and the understanding between the owner and the IT is very clear.

    So, either you know how to help me construct such a scripting command as I mentioned above, secure = clean and simple code,

    or you on the other hand don't know/want to, and in that case, please, I got your over-and-over mantra and I appreciate your concern, but don't flood this thread with warnings if you can't be more concrete and willing script-wise.

    Again thank you for your time and effort, much appreciated.

    T

    Thursday, January 16, 2020 3:25 PM
  • You have to get all accounts that are local and test each one for a blank password.  The hint I posted shows you how to get all accounts that require a password.  The results have to be run in a loop and the password has to be tested for blank.  The Gallery has scripts that will test the password.

    Please carefully review the following links to set your expectation for posting in technical forums.

    Learning to script properly with PowerShell


    \_(ツ)_/

    Thursday, January 16, 2020 3:38 PM