No announcement yet.

How can i add local computer users with GPO

  • Filter
  • Time
  • Show
Clear All
new posts

  • How can i add local computer users with GPO


    the sysadmin who worked with me added a local computer user with GPO. every computer in the domain has a local user which is a part of administrators group on the machine.

    I would like to change the password. where do I do that ?


  • #2
    Re: How can i add local computer users with GPO

    In GP:
    Computer Configuration/Preferences/Control Panel Settings/Local Users and Computers

    Please read this before you post:

    Quis custodiet ipsos custodes?


    • #3
      Re: How can i add local computer users with GPO

      Exactly what is your required needs like for eg what I'm able to understand is I had a paragraph typed up about changing the 'pwdLastSet" attribute to trick AD into thinking that the password was recently changed..

      But I think thats what you dont need. Change off password is easy. You can simple go to Windows XP, right click on the My Computer icon and choose Properties. In the dialog box that opens, choose the Advanced tab. There will now be a User Profiles button. Click that and you should be able to choose your user's profile from a list. Click the Copy To button. On the dialog that opens, there's an option to give other people access to log on to a profile. You have to copy it back and forth a couple times and you need to own two user accounts, but you can use this to tweak a user's profile without knowing their password.

      First, copy the other user's profile to the folder your alternate user account would use, taking care to give that account access to log on the profile. Log on with that account and do whatever you want to the profile. Then, log back on with your original account and delete the user's original profile. Now copy the profile changed by your alt account back to it's original location, taking care to give the original user access to the profile again.

      If this is for a new computer setup, where the original user has never logged in, you can do this copying your nicely configured profile over the default profile.

      What the application seems to need is to have the password changed once a password filter has been installed on the domain controller that will send a copy of the password over to the application.

      So - what you're looking for isn't possible. The cryptographic transform used to store an AD password is not reversible; it cannot be retrieved once stored. Tools are available to attack those stored hashes, but they will not reliably retrieve all of your users' passwords (unless they all use weak passwords). The other option is to use the "reversible encryption" mode, which won't do you any good unless it's already enabled.

      Your best bet is to install the password filter so that updates are making it to the application, then modify your group policy password settings to have all your users' passwords to expire in the next week or two.


      • #4
        Re: How can i add local computer users with GPO


        What on earth has all this got to do with a request to change a local account password via GPO?

        As stated, it can be done via Group Policy PREFERENCES, by adapting the article here:
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd

        ** Remember to give credit where credit is due and leave reputation points where appropriate **


        • #5
          Re: How can i add local computer users with GPO

          Oh Sorry for the inconvenience but actually i mis-concepted the question. What occurs the solution i prompted that.