How to use Group Policy Preferences to change Passwords


If you are using Group Policy Preferences to set local user account passwords, be aware that there is a security risk in doing this. In short, the password is stored in the AD SYSVOL (as the cpassword attribute in the preference XML file, for example Groups.xml) encrypted with AES, but the encryption key is published by Microsoft in the Group Policy Preferences protocol documentation, so anyone who can read SYSVOL, which is every authenticated user in the domain, can recover it. This can only be considered obfuscation at best. More information about this can be read at
(Microsoft later removed the ability to set passwords through these preferences altogether with security update MS14-025 in May 2014, and the supported replacement for rotating local administrator passwords is LAPS. The steps below are for environments that still have the feature.)
However, using Group Policy Preferences to set passwords on local user accounts is still extremely useful, and one could argue that never changing the local administrator account password is a bigger security issue over time. So if you still want to use this option but want to reduce the risk, here are a few steps that will help. Note that they shrink the exposure window; they do not remove it, and they do nothing about a copy of the XML file taken while it existed.
Before you start, tell as few people as possible when you are changing the passwords. This is important because anyone who knows when the password is changing knows when to look for it in SYSVOL.
Step 1. Change the default group policy refresh period to be as short as you dare (see Image 1). The default is 90 minutes, but if you can safely crank it down to 5 or 10 minutes, that is better. This shortens the propagation delay of the new password once it is configured in the group policy. The same policy setting also has a random offset value; set it deliberately, because it is part of the wait calculation in Step 3.
Image 1. Changing the default group policy refresh
Step 2. Some time during the middle of the day, create a new group policy object and configure the new local user password option (see Image 2), then wait for the setting to propagate.
Image 2. Configuring the Local Account Password
Step 3. Then you need to wait. How long? The formula I would use for the time to wait is:
Max Active Directory (SYSVOL) replication delay + Max Group Policy refresh interval (interval plus random offset)
So if it takes 16 minutes for Group Policy changes to replicate to all DCs in the domain, and you have set the refresh interval to 10 minutes with a 2 minute random offset, the formula looks like this:
16 minutes + (10 minutes + 2 minutes) = 28 minutes
Note the 2 minutes is the random offset that is added to each refresh. The same policy setting that sets the interval also sets the maximum random offset (it defaults to 30 minutes), so set it explicitly in Step 1 and use the value you configured here. Computers that are off or offline during this window will not get the password until they next refresh; Step 5 deals with them.
Step 4. Once you have waited for the new password to roll out, DELETE the group policy password setting you configured. This purges the obfuscated password from SYSVOL. I also recommend creating a new GPO and deleting it each time you do this, so that the XML file lives under a different GUID folder in SYSVOL, which is just another way to make it harder for someone to find the password file. After deleting, confirm that no Groups.xml under that policy's folder still contains a cpassword attribute, and that the deletion has replicated to every DC.
Step 5. You may want to repeat steps 2 to 4 a couple of days apart to ensure that you have applied the setting to all the computers that were not turned on or connected to the network the first time (which sounds like a great reason to deploy DirectAccess).
Step 6. Finally, don't forget to wind back the group policy refresh interval (and its random offset) to the original values.
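The check behind Step 4 is worth automating: any preference item in SYSVOL that still carries a cpassword attribute is a password every domain user can read. The script below is an added example, not code from the original post. It walks a Policies folder, reports every stored password it finds (Groups.xml is the one this post creates, but Services, Scheduled Tasks, Data Sources and Drives items can carry one too), and ends with a constructed Groups.xml written to a temp folder so it can be run offline. The GUID, account name and cpassword value in that demo data are made up.

```powershell
# Added example (not from the original post): audit a SYSVOL Policies folder
# for Group Policy Preference items that still carry a cpassword attribute.
# Uses only built-in cmdlets; run it as an ordinary domain user to prove that
# anyone in the domain can see the same thing.

function Find-GppPassword {
    [CmdletBinding()]
    param(
        # Root of the Policies folder, e.g. \\contoso.com\SYSVOL\contoso.com\Policies
        [Parameter(Mandatory)]
        [string]$PoliciesPath
    )

    # The preference XML files that can store a password.
    $candidates = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml'
    $files = Get-ChildItem -Path $PoliciesPath -Recurse -File -Include $candidates -ErrorAction SilentlyContinue

    foreach ($file in $files) {
        try {
            [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop
        } catch {
            Write-Warning "Could not parse $($file.FullName): $_"
            continue
        }

        # The GPO's GUID is the folder directly under Policies.
        $gpoGuid = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '(unknown)' }

        # Any element with a non-empty cpassword attribute is a stored password,
        # whichever preference type it belongs to. The attribute sits on the
        # <Properties> element; its parent is the item (User, NTService, Task, ...).
        foreach ($props in $doc.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')) {
            $item = $props.ParentNode
            # Different preference types name the account attribute differently.
            $account = foreach ($attr in 'userName', 'accountName', 'runAs', 'username') {
                $v = $props.GetAttribute($attr)
                if ($v) { $v }
            }
            [pscustomobject]@{
                GpoGuid  = $gpoGuid
                ItemType = $item.LocalName
                ItemName = $item.GetAttribute('name')
                Changed  = $item.GetAttribute('changed')
                Account  = ($account | Select-Object -First 1)
                Action   = $props.GetAttribute('action')
                File     = $file.FullName
            }
        }
    }
}

# --- Constructed demo data (not a real GPO) so the function can be run offline. ---
$demoPolicies = Join-Path ([System.IO.Path]::GetTempPath()) 'gpp-demo\Policies'
$demoGroups   = Join-Path $demoPolicies '{9B7E0C5A-0000-4A2B-8CDE-000000000001}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $demoGroups -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2009-08-25 03:14:05" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-VALUE" changeLogon="0"
                subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>
'@ | Set-Content -Path (Join-Path $demoGroups 'Groups.xml') -Encoding UTF8

Find-GppPassword -PoliciesPath $demoPolicies | Format-Table GpoGuid, ItemType, Account, Changed, Action -AutoSize

# Against a real domain (placeholder path):
# Find-GppPassword -PoliciesPath '\\contoso.com\SYSVOL\contoso.com\Policies'
```

Run it against the real SYSVOL path after Step 4 and again after replication has settled; a non-empty result means the purge is incomplete, and the Changed timestamp tells you how long the password has been exposed. Note that it reads the attribute values from the XML rather than decrypting them, which is all you need for the audit.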
Now, as we are all good IT professionals, it is best to tell people that the local admin password has changed and will be disseminated securely (NOT via email or IM) when needed. The key is to do it quickly and then remove the policy as soon as you are done, to give someone the smallest possible window of opportunity to grab the password file.
Of course this sounds rather devious, and some could say you are covering your tracks by deleting the policy once you are done, which is not something you generally want to do as a good IT professional. But if you are going to do this in an organisation you are probably going to have to follow change control anyway, so you should still have an official record of what you have done.
Alan Burchill

How to use Group Policy Preferences to Secure Local Administrator Groups

One problem I keep seeing again and again is that IT administrators never seem to control who is a local administrator of a computer. The problem is that when someone is a local administrator on a computer they have full control, stopping them from doing the wrong thing is very hard, and it is even harder to discover who is in the local admin group because you have to query every computer to find out. So how do you give a user full admin access to a computer but stop them from adding more people to the local admin group? Use Group Policy Preferences, of course.

But first a bit of history. Since Group Policy was first introduced with Windows 2000 there has been an option called “Restricted Groups” which allows you to control the membership of a group. This option has two modes: the “Members” option, which I also call the “Iron Fist” option, and the “Members Of” option, which is much gentler. The “Members” option removes any groups or users that are not explicitly specified, and the “Members Of” option just adds a specific group without removing any existing members. The “Members” option was really good at cleaning up rogue members of the local admin group, but it was also really hard to set up, as you had to have a new group policy every time you wanted a different list of members in a local group on a computer. The “Members Of” option was a lot easier to maintain, as you could layer multiple group policies on top of each other, but this normally resulted in just adding another layer of groups to the pile already in the local administrators group. The other problem was that the “Members” option would override the “Members Of” option, so there was really no way of mixing the two modes.

Well, the good news is that Group Policy Preferences has variables, which lets you be extremely granular in controlling your local admin group while still having “Iron Fist” control. Muuhhaaaahahahahah!!!

How do I setup a restricted local administrator group?

The following steps need to be applied to pretty much any computer on which you want to use Group Policy Preferences to control the local administrators group. Remember, however, that you must make sure you don't have any Group Policy “Restricted Groups” settings applied to those computers, as they will always override the group policy preference settings.

Step 1. Open the Group Policy Management Console and edit the group policy that is applied to the scope of computers you want to control.

Step 2. Go to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups (see Image 1).


Image 1. Local Users and Groups

Step 3. Now click on Actions > New > Local Group

Step 4. Now select “Administrators (built-in)” from the Group name drop-down. This identifies the built-in Administrators group by its well-known SID (S-1-5-32-544) rather than by name, so the setting still applies even if you have renamed the group. (Renaming the group is obfuscation, not a control; do not rely on it.)

Step 5. Tick both “Delete all member users” and “Delete all member groups”. These two options automatically remove any users or groups that are not explicitly added by this item. Only tick them on the first item in the list (order 1): preference items are processed in the order shown, so the item that clears the group must run before the items below it that merge extra groups in, otherwise it would strip the groups they add. The same applies across GPOs: the GPO holding this item must be processed before (that is, have lower precedence than) any GPO that merges in extra groups.

Step 6. Now you need to add back the Domain Admins and local Administrators groups so that you don't totally lock yourself out of the computer. To do this, click the “Add…” button to bring up the “Local Group Member” dialogue box (see Image 2).


Image 2. Local Group Member

Step 7. Type “BuiltIn\Administrators” in the Name field and click OK (see Image 3).


Image 3. Local Administrators group added to the local administrators group

Step 8. As your computer is domain joined, you should also add the Domain Admins group to the local Administrators group, as is best practice. But this time we are going to use a variable to ensure you always add the correct group for the domain the computer belongs to. Click “Add…” again, click in the “Name:” text field and press F3. This brings up the “Select Variable” dialogue box (see Image 4). Click on the “DomainName” field, press “Select”, complete the name so that it reads “%DomainName%\Domain Admins” and then press “OK”. (Alternatively you can just type %DomainName%\Domain Admins in the Name field and press OK.)


Image 4. Selecting the DomainName Variable

You should now see the following, which restricts the local Administrators group on any computer this policy is applied to so that it only has Domain Admins and the local Administrators group as members.


Image 5. Basic local administration group setting

SO WHAT? You're right. You can do this already with the “Restricted Groups” Group Policy setting, and only having the local Administrators group and Domain Admins in the local admin group is not much use unless you are willing to give everyone the local admin password or give them all Domain Admins privileges (like that ever happens), which is a major no-no. Well, this is where Group Policy Preferences comes to the rescue, as you can now create another preference item that will merge with the above list of allowed groups, which I will go into below.

How to add individuals to a single computer?

Now we are going to go through how to add a uniquely named domain group to the local Administrators group easily and without the need for multiple group policies. This scenario is very helpful if you want to grant a single user or group membership of the local Administrators group on a single computer but still ensure that no other users or groups are added without being explicitly approved. Say, for example, the computer name is DESKTOP01 and the domain name is CONTOSO. We then want to add the group “CONTOSO\DESKTOP01 Administrators” to the local Administrators group, and we want the same to happen on DESKTOP02, DESKTOP03 and so on, each with its own uniquely named group based on the computer name.

Step 9. Go back and repeat steps 1 to 6 to create a second Local Group item for “Administrators (built-in)”, but this time leave the “Delete all member users” and “Delete all member groups” boxes unticked (only the first item should clear the group), and continue until you get to the Local Group Member dialogue box (see Image 6).


Image 6. Add Local Group Member

Step 10. Type “%DomainName%\%ComputerName% Administrators” in the Name text field and click “OK”. You should now see something similar to Image 7.


Image 7. Configuration to automatically add a unique group to the local administrators group

This automatically adds a domain group called “DOMAINNAME\COMPUTERNAME Administrators” to the local Administrators group on each computer the policy is applied to, with the two variables expanded separately on each computer.

This group policy setting, combined with the setting made earlier (see Image 5), means that the local Administrators group on the computer DESKTOP01 in the CONTOSO domain will have the following members automatically added:

  • CONTOSO\Domain Admins
  • DESKTOP01\Administrators
  • CONTOSO\DESKTOP01 Administrators

But ANY other users or groups will be automatically removed at the next group policy refresh. This does mean there is a window of opportunity (up to the refresh interval plus its random offset) for someone to slip an unauthorised account into the local Administrators group, but normally it gets cleaned up before they realise what is going on. Note that the preference does not block the addition, it only reverts it, so if you want to know that it happened, enable auditing of security group management on the computers and watch for event ID 4732 (a member was added to a security-enabled local group). The great thing about doing this is that users almost never complain, as they realise what they were doing and that BIG BROTHER must have been watching them and removed their access.

However, the “CONTOSO\DESKTOP01 Administrators” group will only be added to the local Administrators group on DESKTOP01 if that group already exists in the domain. Therefore you do not need to create the group until the need arises to add an individual user or group to just a single computer. GPP resolves “DOMAIN\name” through the group's sAMAccountName (the pre-Windows 2000 name), so that is the value that has to match the pattern exactly.
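Creating that group by hand each time invites typos, and a group whose sAMAccountName does not match the pattern is silently ignored by the preference item. The function below is an added example, not code from the original post: it creates the per-computer group if it is missing, adds the requested members, and can trigger an immediate computer policy refresh on the target. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed where you run it, that Invoke-GPUpdate can reach the target (it uses a remote scheduled task, which needs the matching firewall rules), and that the OU, computer and user names shown are placeholders for your own.

```powershell
# Added example, not code from the original post. Creates the domain group
# that the "%DomainName%\%ComputerName% Administrators" preference item
# expects, adds members, and optionally pushes a policy refresh to the target.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules.

function Grant-ComputerLocalAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $Member,
        # Placeholder OU; replace with the OU that holds your per-computer admin groups.
        [string] $GroupOU = 'OU=Local Admin Groups,DC=contoso,DC=com',
        # Push a computer policy refresh so the change lands before the next scheduled refresh.
        [switch] $RefreshNow
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # GPP resolves "DOMAIN\name" through the sAMAccountName (pre-Windows 2000 name),
    # so that is the value that must match the preference item exactly.
    $groupName = "$($ComputerName.ToUpper()) Administrators"

    $group = Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)" -ErrorAction SilentlyContinue
    if (-not $group) {
        if ($PSCmdlet.ShouldProcess($groupName, 'Create global security group')) {
            $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
                -GroupCategory Security -GroupScope Global -Path $GroupOU `
                -Description "Members are local Administrators on $ComputerName (enforced by GPP)" `
                -PassThru
        }
    }

    if ($group -and $PSCmdlet.ShouldProcess($groupName, "Add member(s): $($Member -join ', ')")) {
        Add-ADGroupMember -Identity $group -Members $Member
    }

    if ($RefreshNow -and $group -and $PSCmdlet.ShouldProcess($ComputerName, 'Invoke-GPUpdate')) {
        Import-Module GroupPolicy -ErrorAction Stop
        Invoke-GPUpdate -Computer $ComputerName -Target Computer -RandomDelayInMinutes 0 -Force
    }

    # Return the membership as it now stands, for the change record.
    if ($group) {
        Get-ADGroupMember -Identity $group |
            Select-Object @{ n = 'Group'; e = { $groupName } }, SamAccountName, objectClass
    }
}

# Usage with placeholder names: preview with -WhatIf first, then run for real.
# Grant-ComputerLocalAdmin -ComputerName DESKTOP01 -Member 'jsmith' -WhatIf
# Grant-ComputerLocalAdmin -ComputerName DESKTOP01 -Member 'jsmith' -RefreshNow
```

SupportsShouldProcess gives you -WhatIf and -Confirm for free, which fits the change control point made above, and the returned membership list is the record of what the change did. Keep the group in an OU whose write permissions are as tight as the local Administrators group itself, since anyone who can add members to it is an administrator of that computer.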

AWESOME!!!! I hear you say… but wait, there is more…

How do I add additional broader groups to the local administrators group?

Now that you are able to granularly add a single user or group to the local Administrators group on a computer, you might run into problems if you have more than about 1,000 computers, because an administrator who is a member of one group per computer will hit AD token bloat issues. To get around this we can set up some more broadly applied administrator groups that give admin access to only a subset of computers, such as workstations or perhaps only the SQL Servers in your organisation.

Workstations Admin Groups

To apply a Workstation Administrators group to the local Administrators group on all workstations, make sure you have a group policy targeted only at your workstations. This is normally pretty easy, as most companies isolate their workstation computer accounts in one (or a select few) Organisational Units.

Step 11. Go back and repeat steps 9 and 10, but this time type “%DomainName%\Workstation Administrators” in the Name field. This adds the additional group “CONTOSO\Workstation Administrators” to the local admin group on all the workstations in your domain, which lets you give all the desktop administrators in your organisation access to all the workstations without having to give them the local admin password or Domain Admins privileges.

Server Role Admin Groups

In these steps we are going to automatically add a domain group called “CONTOSO\SQL Server Administrators” to all the servers that have SQL Server installed on them. This is very handy for making sure database administrators have admin access to all the servers that have Microsoft SQL Server installed (the SQL service accounts themselves should not need local administrator rights, so keep them out of this group).

Step 12. First make sure you are editing a group policy that is applied to all your servers in your organisation.

Step 13. Now repeat steps 9 and 10, but this time type “%DomainName%\SQL Server Administrators” in the Name field, then open the properties of the new item.

Step 14. Now click on the “Common” tab and then tick “Item Level Targeting” and click the “Targeting…” button.

Step 15. Click on “New Item” in the menu bar and select the option you want to use to target all the SQL servers in your organisation. This could be an Organisational Unit that holds the computer accounts of all the SQL servers, OR a security group that has all the SQL server computer accounts as members.

But for this example we are going to select the “File Match” option to check whether a sub-folder called “Microsoft SQL Server” exists in the Program Files folder (see Image 8). This is normally true for any server that has Microsoft SQL Server installed, so the SQL Server Administrators group is applied to that server automatically. Two caveats: a 32-bit instance on 64-bit Windows installs under “Program Files (x86)”, so add a second File Match targeting item for that path, and the folder usually survives an uninstall, so the group can stay granted after SQL Server is gone. Targeting by OU or security group is more precise if your AD is tidy enough to support it.


Image 8. Testing to see if Microsoft SQL Server is installed.

Now any computer that has SQL Server, MSDE or SQL Express installed will get the group “CONTOSO\SQL Server Administrators” automatically added to the local admin group.

The really nice thing about this is that if SQL Server is installed on a server at some point in the future, the SQL Server Administrators group will be added automatically at the next group policy refresh without you having to do a thing.

Finally, now that you have tight control of the local Administrators group on all the computers in your domain, it is important to monitor and secure the domain groups that are being added to the local Administrators groups, as they now control who has admin access to all your computers. Anyone who can add members to a “DESKTOP01 Administrators” group is effectively an administrator of DESKTOP01, so restrict write access to those groups (and the OU that holds them) as tightly as the local group itself. But I will save how to do that for another blog post…
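Two checks close the loop on the setup above: on each computer, compare the real Administrators membership with what the preference items should have produced (the "query every computer" problem from the start of this post), and in AD, list who is actually in every "* Administrators" group. The script below is an added example, not code from the original post. It assumes PowerShell remoting to the targets, the LocalAccounts module on them (Windows 10 / Server 2016 and later), and the RSAT ActiveDirectory module where you run it; CONTOSO, DESKTOP01, the group names and the OU are placeholders. The expected list omits "DESKTOP01\Administrators" because a group cannot appear as a member of itself; the built-in Administrator account (RID 500) is treated as expected because Windows does not allow it to be removed from the group.

```powershell
# Added example, not code from the original post. Audits local Administrators
# membership against the GPP design above and reports the AD groups behind it.
# Assumes PowerShell remoting, the LocalAccounts module on the targets and the
# RSAT ActiveDirectory module locally. All names are placeholders.

function Get-ExpectedLocalAdmin {
    param(
        [Parameter(Mandatory)] [string]   $DomainNetBios,
        [Parameter(Mandatory)] [string]   $ComputerName,
        # Broader groups added by other preference items (workstations, SQL, ...).
        [string[]] $ExtraGroup = @()
    )
    # The same expansion GPP applies to %DomainName% and %ComputerName%.
    $expected = @(
        "$DomainNetBios\Domain Admins"
        "$DomainNetBios\$($ComputerName.ToUpper()) Administrators"
    )
    foreach ($g in $ExtraGroup) { $expected += "$DomainNetBios\$g" }
    $expected
}

function Compare-LocalAdministrator {
    param(
        # Objects with Name and SID, e.g. from Get-LocalGroupMember.
        [Parameter(Mandatory)] [object[]] $Member,
        [Parameter(Mandatory)] [string[]] $Expected
    )
    foreach ($m in $Member) {
        # The built-in Administrator (RID 500) cannot be removed from the group,
        # so it is always present whatever it has been renamed to.
        if ("$($m.SID)" -match '-500$') { continue }
        if ($Expected -notcontains $m.Name) {
            [pscustomobject]@{ Member = $m.Name; SID = "$($m.SID)"; Status = 'UNEXPECTED' }
        }
    }
}

function Invoke-LocalAdminAudit {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $DomainNetBios,
        [string[]] $ExtraGroup = @()
    )
    foreach ($c in $ComputerName) {
        # -SID S-1-5-32-544 finds the Administrators group even if it has been renamed.
        $members = Invoke-Command -ComputerName $c -ScriptBlock {
            Get-LocalGroupMember -SID 'S-1-5-32-544' |
                Select-Object Name, @{ n = 'SID'; e = { "$($_.SID)" } }
        }
        $expected = Get-ExpectedLocalAdmin -DomainNetBios $DomainNetBios -ComputerName $c -ExtraGroup $ExtraGroup
        Compare-LocalAdministrator -Member $members -Expected $expected |
            Select-Object @{ n = 'Computer'; e = { $c } }, Member, SID, Status
    }
}

function Get-AdminGroupReport {
    param([Parameter(Mandatory)] [string] $SearchBase)
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADGroup -Filter 'Name -like "* Administrators"' -SearchBase $SearchBase | ForEach-Object {
        $g = $_
        # -Recursive expands nested groups, which is where the surprises usually hide.
        Get-ADGroupMember -Identity $g -Recursive |
            Select-Object @{ n = 'Group'; e = { $g.Name } }, SamAccountName, objectClass
    }
}

# Offline demonstration with constructed member data (not read from any computer).
$sample = @(
    [pscustomobject]@{ Name = 'DESKTOP01\Administrator';            SID = 'S-1-5-21-1-2-3-500'  }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins';              SID = 'S-1-5-21-4-5-6-512'  }
    [pscustomobject]@{ Name = 'CONTOSO\DESKTOP01 Administrators';   SID = 'S-1-5-21-4-5-6-1105' }
    [pscustomobject]@{ Name = 'CONTOSO\Workstation Administrators'; SID = 'S-1-5-21-4-5-6-1106' }
    [pscustomobject]@{ Name = 'DESKTOP01\helpdesk';                 SID = 'S-1-5-21-1-2-3-1001' }
)
$expected = Get-ExpectedLocalAdmin -DomainNetBios CONTOSO -ComputerName DESKTOP01 -ExtraGroup 'Workstation Administrators'
Compare-LocalAdministrator -Member $sample -Expected $expected

# Live usage (placeholders):
# Invoke-LocalAdminAudit -ComputerName DESKTOP01, DESKTOP02 -DomainNetBios CONTOSO -ExtraGroup 'Workstation Administrators'
# Get-AdminGroupReport -SearchBase 'OU=Local Admin Groups,DC=contoso,DC=com'
```

In the constructed sample only the local "helpdesk" account is reported, which is exactly the kind of member the preference will strip at the next refresh. Anything the audit flags repeatedly on the same computer is someone re-adding themselves between refreshes, which is when the 4732 events mentioned earlier tell you who. On some Windows 10 / PowerShell 5.1 builds Get-LocalGroupMember can fail when the group contains an orphaned SID; `net localgroup Administrators` is the fallback there.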

Alan Burchill

First photos / videos of Zune Marketplace on Xbox 360

It looks like on-demand high definition video streaming for the Xbox 360 will be coming to Australia, as the guys from Gizmodo Australia got a sneak peek at what is coming in the next Xbox update. The last couple of frames even talked about the Facebook and Twitter integration that is also planned for the release. Meanwhile, check out the screenshots below and the whole video at the bottom. It is going to be so cool to do the same sort of thing on the Zune HD when they are also released in Australia.








Confirmed – Zune HD hardware supports 1080p

In a recent interview, Mike Rayfield (General Manager Mobile Devices, Nvidia) mentioned that the upcoming Tegra CPU that will be released in a wide range of devices (including the Zune HD) will “decode 720p and 1080p”. This sounds like Microsoft may be taking a similar approach with the Zune HD as with the Xbox 360, disabling 1080p output at launch but enabling the option later via a firmware update.

Take a look at the video starting at 4m:39sec, where they start to talk about the processor design.


While there is not a huge difference between 720p and 1080p, Microsoft may want to flick that switch sooner rather than later, as it has just recently come out that the iPhone can handle 1080p video just fine.


Apple’s iPad “SmartBook” to have Nvidia Tegra Chip? 90% sure

I blogged about the reasons why I thought the Tegra chip was coming to the still-rumoured Apple iPad / iTablet device on 21/08/2009, and it seems that I might have been on the money. One of Nvidia's General Managers, Mike Rayfield, has just recorded a video talking up how the Tegra chip is ideal for “media pad” type devices. A quote from the video seems to say it all:

Joshua Topolsky (host) “There’s lot of rumours about apple one of those [Tablet]…”

Mike Rayfield (General Manager Mobile Devices, Nvidia) “Right”

Also notice that the host corrects himself when he accidentally says “Netbook” instead of “SmartBook”, which I think is quite interesting, as Apple have previously distanced themselves from “Netbooks”, saying they had no plans to make one. So maybe Apple are going to call their new iPad device a “SmartBook”, which would make sense, as they are also rumoured to be in talks with book publishers for the rights to sell books on the device.

Mike Rayfield (General Manager Mobile Devices, Nvidia)

Below is also a quick recap of my previous blog post as to why I think this will happen:

Hopefully we will also see other Windows Mobile devices come out soon on similar hardware, as the Windows CE OS reportedly can take excellent advantage of the chip.

See the whole Video at

Should Microsoft buy Adobe? Heck yeah!

Well, now that the dust has settled on the Microsoft / Yahoo deal, it seems that Microsoft has got what they wanted without having to break open the piggy bank. This left me thinking about what Steve Ballmer and Microsoft could do with the money they saved by not buying Yahoo. My thoughts… Buy Adobe.

Whoa, I hear you say… Well, just stick with me here and I will go through some of the questions you must have.

Why would Microsoft buy Adobe? Well, Adobe's market space is making very high quality designer/developer products for the Apple and Microsoft operating systems. Granted, the majority of the higher-end users of these products are on OSX, but almost every product also has a Windows version, which in some cases is even better than the OSX version. If Microsoft were to buy Adobe and do nothing but ensure that all the Adobe products continue to be released equally on Windows and OSX, this would eventually lead to people coming back to the Windows platform. People mainly chose to use OSX because of the stereotype that all Windows applications are slow and crash a lot. Well, with the advent of Windows Vista and now the imminent release of Windows 7, these stereotypes are truly being blown out of the water. People's perceptions are changing, and now that Windows 7 and OSX 10.6 are going to be very similar in functionality, this leaves the only differentiator being the programs that run on the platform. So if you make sure that everything is more or less the same on both platforms, people are naturally going to come back to Windows, because it is the platform with the largest choice of devices and software that can be run. Also remember that Microsoft is already the biggest third-party developer of software for OSX, with Microsoft Office, so they are not going to just buy the company and then drop all the OSX development.


Yeah, but even a cash cow like Microsoft can't afford Adobe? Nope… As of 24/8/2009 Adobe Systems' market capitalisation was $17.24 billion, which compared to the Yahoo buyout offer price of $46 billion means that Microsoft could buy them out and still have more money in the bank than if the Yahoo deal had happened. So yes, they could definitely afford it.

What's in it for me? Less hassle. The benefits for the end user would also be fantastic, such as being able to bundle a PDF reader within Windows. Users would no longer need to download Adobe Reader when they install Windows on a computer, and it could also be written to take advantage of the automatic update service. This would mean consumers would not have to go through the laborious manual update process every three months as they try to plug the nasty security holes recently found in Adobe Reader. Even the non-technical aspects of merging the products would be great, such as the flexibility to use file formats like XPS and DOCX natively with Adobe products, as this would let users easily share information amongst people and platforms.

What about anti-trust? Well, anti-trust in my mind is about leveraging your majority in one space to dominate another space, as Microsoft did back in the 90s to dominate the browser space. But there is nothing that says you can't buy someone that has a majority in one field (in this case desktop publishing) so long as the new company does not already compete in that space and the two companies combined will not result in a force in the market that prevents competition. Now some people would argue that products like Word, Publisher, Expression Studio and the XML Paper Specification (XPS) all compete with Adobe, but these products are either aimed at low-end SOHO use or are strictly word processing programs, not the high-end/professional desktop publishing that Adobe makes. Adobe also makes a raft of other products that have no competing Microsoft version, such as Premiere and Photoshop. I do grant that this could be an issue, but nothing that Microsoft and its raft of lawyers could not get around, even if it meant having to sell off parts of the company to get it over the line.

But Microsoft are just going to rewrite the PDF standard? When you compare Apple and Microsoft on their track record of supporting open specifications, Microsoft truly looks open source. Apple's iPhone is one of the most locked-down devices in the world, and their hardware devices could not be more of a sealed black box with keep-out stickers all over them if you tried. But even the once proprietary PDF specification is now open, so if Microsoft were to acquire Adobe they could not do anything to the format without industry feedback anyway. In any case, the other elephant in the room that will keep Microsoft charging down the open specification track is Google, with upcoming products such as Wave; Microsoft will need to stay on the open spec bandwagon.

I still don't like it. Well, I don't doubt that a lot of people would object to such a move, but a move like this would not only be very good for Microsoft but also for the industry at large, as it would let people have the functionality they want without all the barriers.


iPod / iPad to use Nvidia Tegra? I think so

Nvidia has just posted a news article on their web site promoting that the Zune HD will be using their Tegra processor, which by now is very common knowledge. However, they also said:

“There are 50 active Tegra processor-based design projects currently in the works today.”

So this has got me thinking that maybe one or two of these 50 upcoming devices could be the iPod or even the iPad. The Tegra processor is an ARM processor, so it would be relatively easy for Apple to use it in their devices. Plus it would make sense that an iPad device with a 10” screen would need a more powerful graphics processor, and at the moment there is no other ARM-based processor on the market that also includes a graphics processor. The Tegra is also reported to have excellent battery life, which would be essential for a tablet-based device, and Nvidia also has an existing relationship with Apple, as they use the GeForce 9400 in their MacBooks.

All this makes me think it is pretty much a no-brainer that Apple are going to use the Tegra chip in their upcoming devices, but I suppose time will tell.

Source: NVIDIA Tegra Provides The Multimedia Muscle In Zune HD
