Weak password encryption in Group Policy Preference


Since Windows Server 2008, we have been able to set the local administrator password through Group Policy Preferences. However, the “encryption” key is published on MSDN, so anyone can read the clear-text password with a few lines of PowerShell.

To mitigate this, Microsoft released an update (MS14-025) that prevents you from storing passwords in Group Policy Preferences. If you really need that feature, you may want to use a more secure process like this one. It needs a schema extension, but it is scalable and reliable, and it allows far more fine-grained delegation.
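MS14-025 blocks new stored passwords but does not delete ones already saved in existing preference items, so it is worth checking SYSVOL for leftovers. The following audit function is an added example, not code from the original post: the function name, the default SYSVOL path and the sample file are assumptions, and it only reports where a `cpassword` attribute is present without printing or decoding it.

```powershell
# Added example (not from the original post): list GPP files that still hold a cpassword.
# The value itself is never printed or decrypted; only its location is reported.
function Find-GppStoredPassword {
    [CmdletBinding()]
    param(
        # Assumption: default SYSVOL policy path of the current user's domain.
        [string]$Path = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    Get-ChildItem -Path $Path -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try   { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
            catch { Write-Warning "Skipping unparsable file: $($file.FullName)"; return }

            # Any element carrying a non-empty cpassword attribute.
            foreach ($node in $xml.SelectNodes('//*[string-length(@cpassword) > 0]')) {
                # In preference files the attribute sits on <Properties>; the parent
                # element (User, Drive, Task, ...) carries the item name and change date.
                $parent = $node.ParentNode -as [System.Xml.XmlElement]
                [pscustomobject]@{
                    GpoId    = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] }
                    ItemType = if ($parent) { $parent.LocalName }
                    ItemName = if ($parent) { $parent.GetAttribute('name') }
                    Changed  = if ($parent) { $parent.GetAttribute('changed') }
                    File     = $file.FullName
                }
            }
        }
}

# Constructed sample so the function can be tried offline (GUID and values are made up).
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-demo'
$demo = Join-Path $root '{00000000-0000-0000-0000-000000000000}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2014-01-01 00:00:00">
    <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER" userName="Administrator (built-in)"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $demo 'Groups.xml')

Find-GppStoredPassword -Path $root | Format-List
```

Run without `-Path` on a domain-joined machine to scan the real SYSVOL. Any account it reports should have the preference item removed and its password changed.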

UPDATE: You’ll find more in this more recent blog post.
