WPNinjas HeaderWPNinjas Header

Important Feature Change: Password change with GPO’s no longer possible KB2962486/KB2928120/KB2961899 – Part 4

In part four of this post series, you will see how you could get the encrypted password back from the MiniWebService. You can implement this script to the ConfigMgr console, run it standalone or you can embed it for example to netECM:UserDevice.

Part 1 – Background Information

Part 2 – Solution Overview and installing MiniWebservice

Part 3 – Creating ConfigMgr Compliance Settings Item

Part 4 – Retrieve the passwords with PowerShell (This Post)

Script Flow Chart

The following diagram will illustrate the actions of the PowerShell script.

Password Management2_EN

Download the Scripts

I have created different scripts for different usages. One Script returns the whole password history, the other script returns only the last password.

Then there are slightly modified scripts for the ConfigMgr console, standalone or netECM integration available. Please the correct one for your environment.

Only last Password Password History
Standalone Download Download
ConfigMgr Console Download Download
netECM:UserDevice Download Download

Customize the Script

First, we have to customize some variables in the scripts. Change the $privatekey variable to your privatekey (generated in the prerequisites step in post 3). Then you have also to specify the FQDN of the server on which the netECM:MiniWebService is installed.

Run the Scripts

Standalone

image With this method you are able to run the script from the command line or over the windows explorer like in the screenshot.
image After entering the device and username the password will be displayed correctly.

ConfigMgr Console

Create an XML file with this content and customize the orange marked parts:

<ActionDescription Class="Group" DisplayName="Local Admin Passwords" MnemonicDisplayName="Local Admin Passwords" Description="" SqmDataPoint="53" SelectionMode="Single">
<ShowOn>
<string>DefaultHomeTab</string>
<!-- RIBBON -->
<string>ContextMenu</string>
<!-- ContextMenu -->
</ShowOn>
<ActionGroups>
<ActionDescription Class="Executable" DisplayName="Show Last Password" MnemonicDisplayName="Show Last Password" Description="" SelectionMode="Single">
<ShowOn>
<string>DefaultHomeTab</string>
<!-- RIBBON -->
<string>ContextMenu</string>
</ShowOn>
<Executable>
<FilePath>powershell.exe</FilePath>
<Parameters> -executionpolicy bypass -file "C:\Scripts\Custom_GetAdminPW_ConfigMgrConsole_002.ps1" ##SUB:Name##</Parameters>
</Executable>
</ActionDescription>
<ActionDescription Class="Executable" DisplayName="Show Password History" MnemonicDisplayName="Show Password History" Description="" RibbonDisplayType="TextAndSmallImage">
<ShowOn>
<string>DefaultHomeTab</string>
<string>ContextMenu</string>
</ShowOn>
<Executable>
<FilePath>powershell.exe</FilePath>
<Parameters>-executionpolicy bypass -file "C:\Scripts\Custom_GetOldAdminPWs_ConfigMgrConsole_002.ps1" ##SUB:Name##</Parameters>
</Executable>
</ActionDescription>
</ActionGroups>
</ActionDescription>

Save the file to the following directories in the install root of your ConfigMgr Console:

  • .\AdminConsole\XmlStorage\Extensions\Actions\3fd01cd1-9e01-461e-92cd-94866b8d1f39
  • .\AdminConsole\XmlStorage\Extensions\Actions\ed9dee86-eadd-4ac8-82a1-7234a4646e62

The filename doesn’t care.

Restart the ConfigMgr console and you will see the new commands on every device:

image

netECM:UserDevice

In netECM:UserDevice it’s easy to add a device action. To use the password scripts, use these values:

image

Abstract

In the last four blog posts is explained how we could change admin passwords randomly on devices with built in and free tools. The scripts are provided as is, so test them well Zwinkerndes Smiley and report issues back.

Follow me

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.