Re: local admin passwords

From: "Laura A. Robinson"
Date: Tue, 6 Aug 2002 03:24:58 -0400

Or better yet, do all that and then lock out all the admin accounts via
passprop. They can then only be used for local logon, and these accounts
really shouldn't be used, anyway.

----- Original Message -----
Sent: Thursday, August 01, 2002 9:53 PM
Subject: RE: local admin passwords

> Ah yes, the local admin password conundrum. There is no totally secure
> method to change local admin passwords as they all need the "net user"
> command which will change them with clear text over the wire. Other than
> that 'small' problem, you can use one of many commercial tools available
> just write a script to do it. I would recommend against using the same
> password on all systems as they will need to be changed every time someone
> leaves the org. Use an encrypted database with an app/web front end that
> scripts the whole operation. Only give out passwords on an as needed
> then script in a change after, say 24 hours, to set it to some complex,
> preferably 15 character password (not L0pht-crackable). Also, enforce
> password policy elements like 45 day changes. Remember to keep a couple
> passwords in the database history for users that may be logging in with
> cached credentials and cannot connect to the network for an extended
> Of course, a Linux boot disk negates all this work, but this is the best
> I've come up with for an enterprise local admin password solution. Good
> luck!
> Fred Langston
> Principal Consultant
> W: 206.903.8147 x223 F: 206.903.1862 M: 425.765.3330
> Seattle, WA
> ________________________________________
> G U A R D E N T
> Enterprise Security and Privacy Programs
> -----Original Message-----
> From: Michael G. Greene
> Sent: Thursday, August 01, 2002 9:16 AM
> Subject: local admin passwords
> Hello everyone. Well, I have given up resolving this issue on my own
> and am seeking the minds of experts. Is there a SECURE, enterprise
> method of regularly changing local admin passwords? By enterprise
> method I mean to change the local admin password, on a regularly
> scheduled interval, for every server and workstation machine, with a
> scope capable of dealing with 1000+ machines. Of course, the passwords
> should each change to a common string.
> Thanks
> Michael
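
The rotation scheme described in Fred Langston's reply above (a different password per machine, re-rotation 24 hours after a password is handed out, 45-day maximum age, a short history for machines that were offline), as an added example that is not part of the original thread. The `Vault` class, its method names and the host names are hypothetical; encrypting the store and pushing the new password to each machine are out of scope here.

```python
import secrets
import string
from collections import deque
from datetime import timedelta

ALPHABET = string.ascii_letters + string.digits + "!#$%*+-=?@_"
LENGTH = 15                          # length suggested in the thread
MAX_AGE = timedelta(days=45)         # "45 day changes"
CHECKOUT_TTL = timedelta(hours=24)   # re-rotate 24 hours after a password is handed out
HISTORY = 2                          # "a couple" of old passwords kept per machine (assumed value)


def new_password():
    """Random 15-character password containing all four character classes."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw


class Vault:
    """In-memory stand-in (hypothetical) for the encrypted database."""

    def __init__(self):
        self.rec = {}  # host -> {"pw", "due", "old"}

    def rotate(self, host, now):
        r = self.rec.setdefault(host, {"pw": None, "due": now, "old": deque(maxlen=HISTORY)})
        if r["pw"] is not None:
            r["old"].appendleft(r["pw"])   # kept for machines that missed this change
        r["pw"], r["due"] = new_password(), now + MAX_AGE
        return r["pw"]  # setting it on the machine itself is not shown here

    def checkout(self, host, now):
        r = self.rec[host]
        r["due"] = min(r["due"], now + CHECKOUT_TTL)  # disclosed, so expire it early
        return r["pw"]

    def due(self, now):
        """Hosts whose password must be changed at time `now`."""
        return sorted(h for h, r in self.rec.items() if r["due"] <= now)

    def candidates(self, host):
        """Current password first, then history, for a machine that missed a rotation."""
        r = self.rec[host]
        return [r["pw"], *r["old"]]
```

A scheduled job would call `due()` and then `rotate()` for each host returned; `candidates()` covers the cached-credentials case mentioned in the reply.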