Change local admin password help?

robertmullen · August 26, 2015, 5:44am

Hey guys,

Trying to implement the Fixlet - https://bigfix.me/fixlet/details/3670

However I am getting Relevance Substitution Failed everytime that I try and run it.

Snippet from log file on client:

=========================================

Relevant - Change local user account password - Windows (fixlet:4956)
At 15:28:46 +1000 -
ActionLogMessage: (action:4956) Action signature verified for Execution
ActionLogMessage: (action:4956) starting action
At 15:28:46 +1000 - actionsite (http://XXXXXXXXXX:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded action parameter query “username” with description “Please specify the name of an existing local user account” (action:4956)
Command failed (Relevance substitution failed) waithidden “C:\Windows\System32\net.exe” user {parameter “username” of action} {parameter “secret” of action} (action:4956)
At 15:28:46 +1000 -
ActionLogMessage: (action:4956) ending action

=========================================

Any ideas on how I can get around this?

Thanks!
Rob.

jmaple · August 26, 2015, 12:04pm

What version of IEM are you currently running?

JasonWalker · August 26, 2015, 3:03pm

Did you fill in the Password field (on the Description page of the task) before taking the action?

jgstew · August 26, 2015, 5:23pm

Try this improved version instead: https://bigfix.me/fixlet/details/6076

robertmullen · August 26, 2015, 10:50pm

Hi, I tried that new one but when I enter the password and create the Fixlet, I get a Script Error:

If I still run the Fixlet, I get the exact same error in the logs: Relevance Substitution Failed.

I’m using IEM 9.2.0.363

jgstew · August 27, 2015, 6:00am

I’ll have to do some digging / testing. Thanks for including your IEM version.

What version of IE is installed on the system running the console?

I’m wondering if you need to add some things to the trusted sites for some reason.

robertmullen · August 27, 2015, 6:38am

Using IE10 from Windows Server 2008 R2.
Also does the same thing running from Windows 8.1, using IE11.

jgstew · October 19, 2016, 9:04pm

I’m fairly certain this is happening due to problems with the javascript that are likely due to BigFix.Me changing the file in some way.

Trying to figure out the best way to do Forms in the HTML of BigFix content based upon previous work.

Something like this, but it doesn’t seem to work:

<script>
function validateTakeAction() {
  var theSecret = document.getElementById( "secret" ).value;
  var theSecret2 = document.getElementById( "secret2" ).value;

  if ( theSecret<>theSecret2 )
    { alert("The passwords entered do not match!"); }
  else {
    TakeSecureFixletAction( Relevance('id of current fixlet'), Relevance('id of current bes site'), "Action2", {}, { secret: theSecret } );
  }
  
  return false;
}

document.body.ontakeaction = validateTakeAction();

</script>
<form action="javascript:void(0);" onsubmit="return validateTakeAction();">
  <label for=secret>Console Password:</label>
  <input id=secret type=password name=secret required autofocus/><br/>
  <label for=secret2> Verify Password:</label>
  <input id=secret2 type=password name=secret2 required/><br/>
  <input type="submit" value="Take Action"/>
</form>

I’m also wondering if starting by using Parameterized Fixlets makes sense for something like this or not. Example: https://github.com/strawgate/C3-Inventory/blob/master/Fixlets/Invoke%20-%20Join%20Active%20Directory%20Domain%20-%20Windows.bes

JasonWalker · October 23, 2016, 1:43am

Is the problem that you’re invoking Action2 rather than Action1, or something else broken earlier?

jgstew · October 24, 2016, 5:52pm

Good catch. I’m not sure it that is the problem or not. I think this is a case where there is ONLY an action2 because I ended up deleting action1, but I could be wrong and that could be a part of the problem.

Now that I know how to use parameterized fixlets, I think something based on this would be better: https://github.com/jgstew/bigfix-content/blob/master/fixlet/Test%20Password%20Entry%20with%20Validation%20with%20verifying%20match%20-%20parameterized%20fixlet%20-%20Universal.bes.xml

jgwentworth · June 19, 2017, 3:05pm

Didn’t want to revitalize this thread, but curious, what are the security parameters around this Fixlet? I understand the end-to-end encryption aspect so no one can intercept. But what about it being stored on the laptop itself? If someone had access to the laptop, would they be able to decrypt the password change fixlet of the local admin to gain access to that PW?

Wasnkker · September 29, 2017, 8:39am

To change local admin password , you can remove it from your Windows , then you can set up a new password
Detailed tutorial : https://www.recoverywindowspassword.com/reset-windows-7-login-password-in-3-ways.html

haraldk · December 19, 2019, 9:11am

I know this is a very old thread, but I stumbled upon it when searching for a way to supply a secured password for a BIOS setting task. I don’t know anything about javascript so I just did some experimenting and got the piece of code to work.

The problem is that “<>” is not a valid comparator in javascript. Change it to “!=” and it runs fine.

Thanks for the code sample!

Harald

JonL · December 19, 2019, 4:10pm

There are several ways to protect secure data like passwords. This thread and this thread have the process that I like to use.

haraldk · December 19, 2019, 10:54pm

Can you please give some more details on how to use your openSSL approach?

JonL · December 23, 2019, 6:46pm

@haraldk, the basic idea is to distribute the OpenSSL binaries in a consistent location across your clients. Create an OpenSSL key pair, securing half the pair, while distributing the other half to all your clients. Then when you encrypt a bit of data, say a password, with the secured half of the key pair, then your clients will be able to decrypt the secure value. Here is an excerpt of a prior thread that has some basics. Try it out and post if you get stuck.

Start with a current set of OpenSSL binaries for whichever OS(es) you plan to target. Create a task or add these to your image. Then set permissions to deny all but system for this location. (I like to use \OpenSSL under the client install folder.)

Create at least one key pair using OpenSSL adapting the parameters to your situation. For example, a 4096-bit RSA key pair can be created:

openssl.exe genrsa -out private.pem 4096
openssl.exe rsa -in private.pem -out public.pem -outform PEM -pubout

Then insert half of your key pair in a location on your clients. Obscure the location and restrict permissions to all but system.

Secure and protect the other half as your organization requires.

OpenSSL can then be used to encrypt passwords, files, or whatever you want. Some sample generic syntax:

openssl pkeyutl -encrypt -pubin -inkey public.pem -in clear_text_data_to_encrypt.txt -out binary_encrypted_data.ssl
openssl base64 -e -in binary_encrypted_data.ssl -out Base64_encoded_encrypted_data_for_transport.ssl

The encoded encrypted files can be deployed via Bigfix or inserted into an image. (I recommend a naming convention for these files.) This is essentially what early versions of Local User Management were doing under the covers. Today they embed OpenSSL libraries with the installs so it is more integrated into the product versus a bolt-on.