Change Local user password from CSV file

Hi All,

Is there any option to change the system local admin password from bigfix console,

I have 200 server and want to reset/change the password in every system, each system having different password and we tried the below option,

https://bigfix.me/fixlet/details/3670

But the problem here we need to initiate 200 different action for 200 servers,

So we are looking to update all the password for all the 200 server in 1 csv file and link with the csv file to update the same,

Is this possible or any way to do this task please appreciate,

Thanks,
Nagaraj,

It is possible to do what you’re describing, as long as you are okay with the security implications of distributing a csv with a bunch of passwords to 200 servers.

Say you had a simple “password.csv” containing the following:

server1,p@ssw0rd
server2,P@SSW0RD

Using that, you could match the computer to the line in the CSV and create a parameter in your action script containing just the password, like so:

parameter "password" = {following text of first "," of line whose (it starts with (computer name as lowercase)) of file "password.csv")

From there, you could just deploy the task to every server you care about, using our “password” parameter as the argument to net user

2 Likes

That’s highly risky, any person with access to your network will be able to download that csv file.

1 Like

Oh yeah, for sure. Didn’t say it was a good idea, just that it was possible. There are definitely ways to harden this approach, so if it is important enough to OP to do this, hopefully my answer is a push in the right direction.

2 Likes

In terms of the local admin password, generally my preferred method is to set a long random password and then disable it.

If it loses its connection to the domain, I’ll reset and enable it through a separate task.

If it loses connection to both the Domain and to bigfix, I’ll reset it using a WinPE boot media, or just reimage it entirely.

I’ve used GPO Filtering in updating local admin password.

If these are Windows servers, LAPS is an option, too: https://blogs.msdn.microsoft.com/laps/

At my last job, we weren’t really able to deploy LAPS, so I wrote what we called FLAPS (Faux LAPS). It was a per-department policy action that set the admin password on a given computer to a string chosen by the person in that department, the computer’s serial number as lowercase, and a second chosen string. There was an accompanying analysis that would check how recently the password on that account was changed by FLAPS.

Desktop techs didn’t like it because it’s sometimes inconvenient to get a computer’s serial number (like if you’re sitting in front of it), but it otherwise was a good solution for us to make sure we had unique but still usable in a pinch passwords on every machine.

2 Likes

Thanks @alinder

image

is this csv file format correct ?

@Nagaraj, there are several good threads on local password management. Have you reviewed their suggestions?

here, here, and here

Secure parameters and OpenSSL encrypted passwords two of the common approaches.

We take it a step further in our organization and use relevance substitution to do static + dynamic password combinations based on a formula for additional strength. These combination passwords are now standard practice for our domain and local administrative and service accounts.

1 Like