Machine Account Password Question

  • Machine Account Password Question

    We want to setup a server with VMware and create virtual machines (guest OS = XP). We'd put the virtual machine on the domain, then we'd take a snapshot of that it. Each night, we'd revert to the snapshot, erasing any changes the user has made (e.g. software installed, desktop background set, etc.).

    I'm concerned that access to network resources will be disrupted in this scenario because each night, when we revert to the snapshot, we'll be reverting to the machine account password value as it was when the snapshot was taken.

    Can anyone confirm or refute that? What solutions have you implemented to "undo" user modifications to your systems?


  • #2
    Re: Machine Account Password Question

    Have you considered using mandatory profiles?

    To ensure a user hasn't installed software, make sure they are not a local administrator or power user. If they need to be a local administrator for programs, set NTFS permissions to Modify permission on the folder(s) of the program.

    If you want to take it one step further, depending on your programs being used, you could create a software restriction policy and only allow specific programs to run using a path or hash value. This can be done in a domain AD policy or a local XP policy. gpedit.msc on XP will show you possible templates you can apply to users and the computer. GPMC in w2k, 2k3 and 2k8.
    Last edited by Virtual; 18th February 2009, 18:00.


    • #3
      Re: Machine Account Password Question

      This is probably a better solution:


      • #4
        Re: Machine Account Password Question

        Originally posted by joeqwerty:
        > This is probably a better solution:
        Of course, I have heard of that before.

        Will Steady State still allow Windows updates, software updates, Group Policy changes etc.? I considered using it but I am not entirely knowledgeable about the product.


        • #5
          Re: Machine Account Password Question

          Actually, we're currently using Windows Shared Computer Tool Kit (WSKTK) with Disk Protect. SteadyState (with Disk Protect) replaced WSKTK. You cannot use SteadyState without SP3.

          We're in the early stages of evaluating SteadyState. One roadblock to using it is the apparent lack of CLI to it. With the current version of Disk Protect, you can run the .wsf file with switches like /restart and /save. So far, we haven't found a way to do the same with the SteadyState version of Disk Protect.

          So we're considering a software restriction GPO to limit what programs can be run. I don't have any experience with that though. Is it difficult to implement? Can I just specify C:\Program Files\Internet Explorer\iexplore.exe and call it good? I'm concerned that there may be applications with other "stuff" that'd cause problems. Can anyone speak to that?


          • #6
            Re: Machine Account Password Question

            There are up to four ways for restricting or allowing software to run.

            Internet Zone
            Path Rule

            You have the choice of setting each rule as unrestricted or disallowed.

            The same unrestricted or disallowed rule can be set as default, so you could give unrestricted access to the XP machine and then set rules to disallow certain software or set it to disallowed and then create rules for all software that you wish to grant users unrestricted access to.

            Also, 4 rules already exist for Windows system files, so the OS shouldn't be affected.

            It depends how often your environment and software build changes with regards to time to setup.

            Personally, I have tended to use a hash rule and disallow software just for that software. That way, even if a user renames the .exe or other associated program file, it will remain disallowed. I worked in a 2000-user network for a school. We didn't disallow by default, as there was just too much software. We used hash rules to ban games being played and other software that shouldn't be used, as we discovered it. It was also useful to stop a trojan or other malicious software from spreading and running.

            The path rule is useful to quickly allow, or disallow, a considerable number of programs from the specified path. It is less administrative effort.

            You could disallow all software as default and then create hash or path rules for the software permitted to run. I am not familiar with the certificate side of rules and have never used it to restrict software.

            Hash rules work providing the software does not receive an update to its exe or program file. If so, you will need to re-create the hash rule.

            The path rule will not change but of course there is the danger that software then installed, should it happen, will then be able to freely run. The same applies to anything that copies itself to that location.


            • #7
              Re: Machine Account Password Question

              Interesting. I hadn't considered that updating software (Internet Explorer for example) would change its hash. I guess our best option would really be to disallow everything and setup path rules to allow the software we want.
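The trade-offs discussed in #6 and #7 (a hash rule survives a rename but not an update; a path rule survives an update but also admits anything dropped into the allowed folder) can be seen in a small model of how SRP evaluates a program. This is an added example, not code from the thread or from Windows; the policies, file names and "binaries" are constructed stand-ins, and the precedence order it models is the real SRP one (hash rules beat path rules, the most specific path rule wins, otherwise the default level applies).

```python
# Added example, not from the thread: a toy model of Software Restriction Policy
# rule evaluation (hash beats path, most specific path wins, else the default).
import hashlib, os, tempfile

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"

def file_hash(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def evaluate(path, policy):
    level = policy["hash_rules"].get(file_hash(path))
    if level:                      # hash rules take precedence over path rules
        return level
    norm = os.path.normcase(path)
    matches = [(len(p), lvl) for p, lvl in policy["path_rules"].items()
               if norm.startswith(os.path.normcase(p))]
    return max(matches)[1] if matches else policy["default"]

def write(path, data):             # create a constructed stand-in "binary"
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    root = tempfile.mkdtemp()      # constructed stand-in for C:\
    ie_dir = os.path.join(root, "Program Files", "Internet Explorer")
    ie = os.path.join(ie_dir, "iexplore.exe")
    game = os.path.join(root, "Users", "student", "game.exe")
    write(ie, b"IE build 7")
    write(game, b"GAME build 1")
    r = {}
    # Policy A (post #6): unrestricted by default, a hash rule bans the game.
    ban = {"default": UNRESTRICTED, "path_rules": {},
           "hash_rules": {file_hash(game): DISALLOWED}}
    renamed = os.path.join(os.path.dirname(game), "notepad.exe")
    os.rename(game, renamed)
    r["renamed_game"] = evaluate(renamed, ban)     # rename does not defeat the hash rule
    write(renamed, b"GAME build 2")
    r["updated_game"] = evaluate(renamed, ban)     # an update breaks it: hash no longer matches
    # Policy B (post #7): disallowed by default, a path rule allows IE's folder.
    allow = {"default": DISALLOWED, "hash_rules": {},
             "path_rules": {ie_dir: UNRESTRICTED}}
    r["ie_before_update"] = evaluate(ie, allow)
    write(ie, b"IE build 8")
    r["ie_after_update"] = evaluate(ie, allow)     # path rule survives the update
    write(os.path.join(ie_dir, "dropped.exe"), b"ANYTHING")
    r["dropped_in_ie_dir"] = evaluate(os.path.join(ie_dir, "dropped.exe"), allow)
    r["game_elsewhere"] = evaluate(renamed, allow)  # falls through to the default
    return r
```

The last two results are the caveat from #6: with a path rule, anything written into the allowed folder runs, while a program outside it is blocked only by the default level.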


              • #8
                Re: Machine Account Password Question

                It's worth testing to find out. You only apply the hash file to the main program file, so providing that isn't changed, you should be ok.