Group Policy Preferences Passwords

by Ryan 27. May 2012 11:40

Hello again.  Today I want to talk about Group Policy Preferences Passwords.

So as most of you probably know, you can manage local accounts across many computers using Active Directory Group Policy Preferences. You can create them, delete them, and change their passwords.

GPP Adding a User*About to add a local user to all computers to whom this GPO is linked.*

This feature can also be really useful for adding already existing AD security groups to, say, the local administrators group on all the machines.  For instance, I could use this console to add the "DOMAIN\Accounting Managers" group to the local Administrators group on all the computers in the Accounting OU. That sort of thing.  However, one slightly more interesting piece of knowledge is that local users created here, will have their passwords stored in SYSVOL, in a format that is decipherable.

I've been seeing this "news" pop up around the internet here and there the past couple of weeks, so I wanted to speak to it.  Here is one such article on how to "crack" the passwords stored via GPP. Here's another one.  Now I want to make clear that these people are not "hacking" or "exploiting" Windows 2008 Group Policy Preferences by pointing this out.  This is well-known functionality that is fully documented by Microsoft.  Microsoft has warned about this, more than once, and even posts the AES decryption key themselves on MSDN!

I suppose that MS could pop up a warning dialog when editing that particular GPP item, plainly telling the administrator that this should not be used for sensitive, administrative accounts.  I have no doubt that there are companies of all sizes that are using this today without realizing that it's not secure.  Even though it is fully documented, you can't count on people reading the documentation.  RTFM is as true now as it was in 1979.

It's important to remember that this code was inherited by Microsoft when they acquired another software company, not originally written by Microsoft.  MS bought what used to be known as PolicyMaker, and integrated their stuff into what we know now as Group Policy Preferences.  Since there were already customers using PolicyMaker, that bit with the not-so-secure passwords needed to stay in so as to preserve compatibility with existing customers. So MS is aware, they made a deliberate choice to leave that functionality in knowing that it was insecure, and it will hopefully get improved down the road.

As they say, "compatibility is deliberately repeating someone else's mistakes."

Pingbacks and trackbacks (1)+

Add comment

About Me

Ryan Ries
Texas, USA
Systems Engineer

I am a systems engineer with a focus on Microsoft tech, but I can run with pretty much any system that uses electricity.  I'm all about getting closer to the cutting edge of technology while using the right tool for the job.

This blog is about exploring IT and documenting the journey.

Blog Posts (or Vids) You Must Read (or See):

Pushing the Limits of Windows by Mark Russinovich
Mysteries of Windows Memory Management by Mark Russinovich
Accelerating Your IT Career by Ned Pyle
Post-Graduate AD Studies by Ned Pyle
MCM: Active Directory Series by PFE Platforms Team
Encodings And Character Sets by David C. Zentgraf
Active Directory Maximum Limits by Microsoft
How Kerberos Works in AD by Microsoft
How Active Directory Replication Topology Works by Microsoft
Hardcore Debugging by Andrew Richards
The NIST Definition of Cloud by NIST

MCITP: Enterprise Administrator


Profile for Ryan Ries at Server Fault, Q&A for system administrators




I do not discuss my employers on this blog and all opinions expressed are mine and do not reflect the opinions of my employers.