RE: Password Management with Services

From: Sergey V. Gordeychik (gordey_at_infosec.ru)
Date: 05/14/04

  • Next message: Marc Fossi: "SecurityFocus Microsoft Newsletter #189" 
    Date: Fri, 14 May 2004 09:24:28 +0400
To: "Adil Absar" <saiyedadilabsar@hotmail.com>, <focus-ms@securityfocus.com>

    >From: Adil Absar [mailto:saiyedadilabsar@hotmail.com]
    >Question is when the passowrd is changed on the account as per policy,
    how
    >to update all the users workstations of the change without giving an
    >application group administrator access to users workstations?

    1. You can change permissions on service to give group of user full
    control on application service. This can be done via security template
    and secedit.exe or Group Policy (See Security Templates, Security
    Configuration and Analysis etc...).

    http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?
    url=/windowsxp/home/using/productdoc/en/sys_srv_permissions.asp

    OR/AND

    2. Periodically change password with following script.
    I use it to change password on domain account and service account of SQL
    services in domain.

    Format of services.txt file is:

    Dom\sqlsrv1
    SqlSrv\MSSQLSERVER
    <CR>
    Dom\sqlsrv2
    Cluster0\MSSQLSERVER
    Cluster1\MSSQLSERVER

    <CR> is \r\n.
    This config will change password for Dom\sqlsrv1 user account and
    MSSQLSERVER service on SqlSrv. After it change Dom\sqlsrv2 password and
    password for service MSSQLSERVER on Cluster0 and Cluster1 boxes.

    Detailed link (on Russian):
    http://www.osp.ru/win2000/2003/07/056.htm

    Script source:
    http://www.osp.ru/win2000/2003/07/056_1v.htm

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

  • Next message: Marc Fossi: "SecurityFocus Microsoft Newsletter #189"

    Relevant Pages

    • Re: Domain users unable to change password
      ... are not configured to not allow user to change password in account ... I can't think of a Group Policy setting offhand but if you have a Windows ... 2003 domain controller try running the Resultant Set of Policy mmc snapin in ... connectivity, replication, and secure channel/computer account integrity. ...
      (microsoft.public.windows.group_policy)
    • Re: password auto request
      ... check user must change password at next logon to have them configured to use new ... Keep in mind that domain account/password policy can only be configured at ... > each account in the AD? ...
      (microsoft.public.win2000.security)
    • Re: cannot change my password even as Administrator
      ... Run the command net accounts and net user username on your computer using ... info for your user account to make sure it is older than that time period. ... Also check to make sure that user can change password is yes for your user ... Policy to change password policy settings. ...
      (microsoft.public.windowsxp.security_admin)
    • Password Management with Services
      ... users workstations with an account and password specified for access to the ... Question is when the passowrd is changed on the account as per policy, ... application group administrator access to users workstations? ...
      (Focus-Microsoft)
    • Re: Password policy
      ... I wan't to force them to change password every 60 days. ... If possible I would like to keep the administrator out of this policy (don't wan't to change administrator password that offten). ... If there is an account to protect, ...
      (microsoft.public.windows.server.sbs)