

Local Admin Password Management:
Automated startup script method



Background

A local admin password control process was proposed to the IFAS AD subcommittee by Chris Hughes in May of 2005. Because it was not universally accepted, and other issues were more pressing, it was placed on the back burner. Chris has many of the components ready, however, and Steve Lasley is now using this method for his computer within the Entnem OU. The details of that process are documented here.

The Nuts and Bolts

To support this process, a service account is created for each OU. The account supplies the credentials under which a special web site, where the actual password change is handled, runs. In the case of Entnem the service account is "IF-SVC-ENTNEMRCPW", kept in the UF\Departments\IFAS\Entnem\Service Accounts container along with our other service accounts. The account is made a member of the OU's network admin group, which in this case is ". ifas-admn-entnem"; that membership is what gives it the right to set local account passwords on the OU's machines. (Service accounts are now also included in a service account autogroup [see UF\Groups\DepartmentAutoGroups in ADUC]; these are used in turn to populate the various departmental autogroups so that the service accounts are included there.)

A private string is also configured for each OU. This string is appended to each changed local admin password. Note that the character-shift step described below is a trivial, reversible transform rather than encryption: anyone who knows it can recover the shifted part from the machine name, so the OU-specific string is the only thing keeping one OU's passwords secret from any other OU admin. Whoever learns an OU's string can derive the local admin password of every machine in that OU from its name alone, so the string must be guarded as carefully as the passwords themselves. There will eventually be a web site where the OU-specific secret can be maintained. Currently it is configured by hand during setup, and a change requires a special request to Chris Hughes.

A corresponding ".asp" web page is created (in Entomology's case "http://itsa.ifas.ufl.edu/resetcpw/entnem.asp") which is passed a computer name in its query string and then changes the local admin password on that machine using the algorithm described below.

A machine startup script is added via GPO. The script that runs is called "browse.vbs"; in the case of Entomology it is located at "\\ad.ufl.edu\NETLOGON\ifas\entnem".

The startup script

' browse.vbs: machine startup script, runs as SYSTEM before anyone logs on.
' It only sends this machine's name; the password is derived and set server-side.
Set objNetwork = WScript.CreateObject("WScript.Network")
Set ie = CreateObject("InternetExplorer.Application")
ie.Navigate "http://itsa.ifas.ufl.edu/resetcpw/ENTNEM.asp?Name=" & objNetwork.ComputerName
' Navigate returns at once; give the request up to 30 s to finish before quitting,
' otherwise Quit can cancel it before the page ever runs.
waited = 0
Do While (ie.Busy Or ie.ReadyState <> 4) And waited < 30000
    WScript.Sleep 100: waited = waited + 100
Loop
ie.Quit

The algorithm

  • Lowercase the machine name
  • Remove all dashes (the generator script below drops any character other than a-z and 0-9)
  • Increase each character by one ("a" becomes "b", "1" becomes "2", etc.); "z" wraps around to "a" and "9" wraps around to "0"
  • Append the OU-specific private string
  • For example: if the machine name is "IF-EYN-CSS" and the secret string is "SeaKr!tt", then "ifeyncss" shifts to "jgfzodtt" and the password becomes "jgfzodttSeaKr!tt".

The Process

  • When a machine starts up, the "browse.vbs" startup script runs and requests the OU's reset page, which makes the actual change to the local admin password of that machine.
  • The script (its ie.Navigate line) passes the machine name to the web site in the query string, as in "http://itsa.ifas.ufl.edu/resetcpw/entnem.asp?Name=IF-EYN-CSS". The anonymous user for the web site, as set in IIS, is the "IF-SVC-ENTNEMRCPW" service account, so the page runs under those credentials without prompting. Nothing identifies the caller: the machine name in the query string is the page's only input.
  • The code on the web site then applies the algorithm to that machine name and uses the result to set the password on the local "mradmin" account of that machine. The service account has the rights to do this because it is a member of the ". ifas-admn-entnem" group.
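The server-side half of this process, what entnem.asp does with the name it is handed, is not reproduced on this page. The following is an added PowerShell example, not the page's ASP code, showing the same two steps: derive the password from the machine name with the algorithm documented above (including the z-to-a and 9-to-0 wrap-around and the dropping of dashes, exactly as the generator script's Convert function does) and set it on the machine's local "mradmin" account through the ADSI WinNT provider. It has to run as an account that is a local administrator on the target, which is the role the OU service account plays here. The function names, the NetBIOS-name check and the choice of the WinNT provider are this example's own assumptions; "SeaKr!tt" is the page's illustrative secret, not a real one.

```powershell
# Added example: derive and set an OU local admin password (not the page's entnem.asp).
# Assumptions: runs as a local administrator on the target (the page uses the OU service
# account for this) and the target accepts ADSI WinNT connections over the network.

function ConvertTo-OuAdminPassword {
    # Same transform as the page's Convert(): lowercase, shift a-y and 0-8 up by one,
    # wrap z->a and 9->0, drop everything else (dashes included), append the OU secret.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$OuSecret
    )
    $shifted = New-Object System.Text.StringBuilder
    foreach ($c in $ComputerName.ToLowerInvariant().ToCharArray()) {
        $n = [int]$c
        if (($n -ge 97 -and $n -le 121) -or ($n -ge 48 -and $n -le 56)) {
            [void]$shifted.Append([char]($n + 1))
        } elseif ($n -eq 122) {
            [void]$shifted.Append('a')
        } elseif ($n -eq 57) {
            [void]$shifted.Append('0')
        }
        # any other character is dropped
    }
    return $shifted.ToString() + $OuSecret
}

function Set-OuLocalAdminPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$OuSecret,
        [string]$AccountName = 'mradmin'
    )
    # The name arrives from an unauthenticated query string, so check it before it is
    # used to build an ADSI path (assumption: plain NetBIOS names only).
    if ($ComputerName -notmatch '^[A-Za-z0-9-]{1,15}$') {
        throw "Refusing computer name '$ComputerName': not a plain NetBIOS name"
    }
    $password = ConvertTo-OuAdminPassword -ComputerName $ComputerName -OuSecret $OuSecret
    if ($PSCmdlet.ShouldProcess("$ComputerName\$AccountName", 'Set local admin password')) {
        $user = [ADSI]"WinNT://$ComputerName/$AccountName,user"
        $user.SetPassword($password)   # the derived password is never written out or logged
        $user.SetInfo()
    }
}

# Dry run with the page's example name and illustrative secret:
Set-OuLocalAdminPassword -ComputerName 'IF-EYN-CSS' -OuSecret 'SeaKr!tt' -WhatIf
```

For the page's example input, ConvertTo-OuAdminPassword -ComputerName 'IF-EYN-CSS' -OuSecret 'SeaKr!tt' returns jgfzodttSeaKr!tt. Because the setter uses ShouldProcess, -WhatIf reports which account would be reset without touching it and -Confirm prompts before the change; the derived password itself is never displayed.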

Script for generating the passwords from machine names

In the following code, change "SeaKr!tt" to your own OU's private string, save the text as a .vbs file and run it; it prompts for a computer name and prints the corresponding local admin password.

' Generates the local admin password for a machine name using the algorithm above.
' Change "SeaKr!tt" to your OU's private string before use.
Const OU_SECRET = "SeaKr!tt"

Name = LCase(InputBox("What is the Computer Name?"))
Password = ""
For i = 1 To Len(Name)
        NewLetter = Convert(Mid(Name, i, 1))
        ' Convert returns Chr(0) for characters that are dropped (dashes etc.)
        If NewLetter <> Chr(0) Then Password = Password & NewLetter
Next
Password = Password & OU_SECRET
WScript.Echo Password

' Shift one character forward: a-y -> b-z, z -> a, 0-8 -> 1-9, 9 -> 0.
' Anything else (dashes, underscores, ...) is dropped by returning Chr(0).
Function Convert(OldLetter)
        ANSICode = Asc(OldLetter)
        If (ANSICode >= 97 And ANSICode <= 121) Or (ANSICode >= 48 And ANSICode <= 56) Then
                Convert = Chr(ANSICode + 1)
        ElseIf ANSICode = 122 Then        ' "z" wraps to "a"
                Convert = "a"
        ElseIf ANSICode = 57 Then         ' "9" wraps to "0"
                Convert = "0"
        Else
                Convert = Chr(0)
        End If
End Function

last edited 17 February 2006 by Steve Lasley