Hello,
is there a clean way to change the local administrator password on a machine using WAPT?
By "clean," I mean that the password won't end up on the machine after the operation (I know how to do it with a PowerShell script, but if the package containing the script remains on the machine... that doesn't seem like a good idea).
Yes, I know it can be done with GPOs, but in my case, it's not suitable (explaining why here would be tedious and rather pointless).
Thanks in advance
[SOLVED] Clean way to exchange local passwords with WAPT?
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Good morning,
Whether it's a Powershell/Batch/VBS/Kix script or a WAPT package, from a security point of view the solution is not viable since the password will have to be transmitted in plain text at some point.
It's convenient in the moment to regain control of a machine where WAPT is installed, but detrimental if someone stumbles upon the package contents in your repository.
ANSSI recommends using LAPS so that local passwords are dynamically stored in Active Directory and are unique for each machine:
Alexander
PS: To those who might be tempted to recommend CPAU, I invite you to read this post which details how trivial it is to decrypt a file generated by CPAU (expired certificate): https://www.nth-dimension.org.uk/blog.php?id=90
Whether it's a Powershell/Batch/VBS/Kix script or a WAPT package, from a security point of view the solution is not viable since the password will have to be transmitted in plain text at some point.
It's convenient in the moment to regain control of a machine where WAPT is installed, but detrimental if someone stumbles upon the package contents in your repository.
ANSSI recommends using LAPS so that local passwords are dynamically stored in Active Directory and are unique for each machine:
- https://www.cert.ssi.gouv.fr/actualite/ ... 6-ACT-008/
- https://blogs.technet.microsoft.com/arn...tion-laps/
Alexander
PS: To those who might be tempted to recommend CPAU, I invite you to read this post which details how trivial it is to decrypt a file generated by CPAU (expired certificate): https://www.nth-dimension.org.uk/blog.php?id=90
-
sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
- Contact :
To put it simply: The use of WAPT, in our case, is supposed to give flexibility to colleagues who do not have access to GPOs, and to allow them to act on global configurations on the workstations they manage in their sectors (particularly practical work rooms, for example).
That said, since passwords don't typically need to be changed regularly or urgently, it's not a crucial point. If there's a way to do it, use it. Otherwise, it will remain within the scope of Group Policy Objects (GPOs).
Thank you for your clear and complete answers.
Sincerely
E. Trezel
-
sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
- Contact :
Is using the waptselfservice group not working for you?
-
sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
- Contact :
The waptselfservice group is available in the community version.
However, the community version does not allow defining the list of packages to which the user has access.
In the community version, the user has access to everything or nothing.
However, the community version does not allow defining the list of packages to which the user has access.
In the community version, the user has access to everything or nothing.
Yes, indeed, I'm confused. However, I don't understand how this functionality could address my initial request and the constraint I described. (Access to WAPT is offered to all colleagues who wish to use it (I'm not referring to end users), but not access to AD/GPO).sfonteneau wrote: ↑June 4, 2018 - 12:30 PM The waptselfservice group is available in the community version.
However, the community version does not allow defining the list of packages to which the user has access.
In the community version, the user has access to everything or nothing.
-
sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
- Contact :
The waptselfservice group is not necessarily created in Active Directory.
You can create the waptselfservice group locally on the machine and add authorized users to this group (without going through Active Directory).
You can also manage this through a Wapt package.
Alternatively, you can manage it with:
`waptservice_password =
https://www.wapt.fr/fr/doc/Configuratio ... agent-wapt`
You can create the waptselfservice group locally on the machine and add authorized users to this group (without going through Active Directory).
You can also manage this through a Wapt package.
Alternatively, you can manage it with:
`waptservice_password =
https://www.wapt.fr/fr/doc/Configuratio ... agent-wapt`
