Tranquil IT Forum

Hello,

is there a clean way to change the local administrator password on a machine using WAPT?
By "clean," I mean that the password won't end up on the machine after the operation (I know how to do it with a PowerShell script, but if the package containing the script remains on the machine... that doesn't seem like a good idea).
Yes, I know it can be done with GPOs, but in my case, it's not suitable (explaining why here would be tedious and rather pointless).

Thanks in advance

Good morning,

Whether it's a Powershell/Batch/VBS/Kix script or a WAPT package, from a security point of view the solution is not viable since the password will have to be transmitted in plain text at some point.

It's convenient in the moment to regain control of a machine where WAPT is installed, but detrimental if someone stumbles upon the package contents in your repository.

ANSSI recommends using LAPS so that local passwords are dynamically stored in Active Directory and are unique for each machine:

• https://www.cert.ssi.gouv.fr/actualite/ ... 6-ACT-008/
• https://blogs.technet.microsoft.com/arn...tion-laps/

Sincerely,

Alexander

PS: To those who might be tempted to recommend CPAU, I invite you to read this post which details how trivial it is to decrypt a file generated by CPAU (expired certificate): https://www.nth-dimension.org.uk/blog.php?id=90

erict wrote: ↑June 1, 2018 - 4:37 PM (explaining why here would be tedious and rather pointless).

I understand, however, you would still need to explain your problem to us; this will perhaps allow us to provide you with a more suitable solution

sfonteneau wrote:

erict wrote: ↑June 1, 2018 - 4:37 PM (explaining why here would be tedious and rather pointless).

I understand, however, you would still need to explain your problem to us; this will perhaps allow us to provide you with a more suitable solution

To put it simply: The use of WAPT, in our case, is supposed to give flexibility to colleagues who do not have access to GPOs, and to allow them to act on global configurations on the workstations they manage in their sectors (particularly practical work rooms, for example).
That said, since passwords don't typically need to be changed regularly or urgently, it's not a crucial point. If there's a way to do it, use it. Otherwise, it will remain within the scope of Group Policy Objects (GPOs).

Thank you for your clear and complete answers.

Sincerely
E. Trezel

Is using the waptselfservice group not working for you?

sfonteneau wrote: Is using the waptselfservice group not working for you?

No, we're on the community version.

The waptselfservice group is available in the community version.

However, the community version does not allow defining the list of packages to which the user has access.

In the community version, the user has access to everything or nothing.

sfonteneau wrote: ↑June 4, 2018 - 12:30 PM The waptselfservice group is available in the community version.

However, the community version does not allow defining the list of packages to which the user has access.

In the community version, the user has access to everything or nothing.

Yes, indeed, I'm confused. However, I don't understand how this functionality could address my initial request and the constraint I described. (Access to WAPT is offered to all colleagues who wish to use it (I'm not referring to end users), but not access to AD/GPO).

The waptselfservice group is not necessarily created in Active Directory.

You can create the waptselfservice group locally on the machine and add authorized users to this group (without going through Active Directory).

You can also manage this through a Wapt package.

Alternatively, you can manage it with:

`waptservice_password =

https://www.wapt.fr/fr/doc/Configuratio ... agent-wapt`

I understand, but my initial request was to change the admin password for the workstation itself, not the WAPT service password.

Anyway, I'll continue using Group Policy Objects (GPOs) for that.

Thank you for your help
.