Score:1

Are Windows GPOs encrypted?

We have a piece of COTS software that has a command line tool for server credential rotation. Instead of going to each machine to rotate the credentials with the tool, I would like to use GPO to run a script to do so. However, I would need to place the new credentials in the script, so I am wondering if the script files stored in the GPO are encrypted at rest. I have not found any authoritative documentation stating either way.

Don't do this. GPOs aren't encrypted.
@GregAskew, that's what I was afraid of. Any suggestions for alternatives?
joeqwerty
This might be a use case for LAPS - https://docs.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)?redirectedfrom=MSDN
SamErde
A good, valid question that others may also ask. However, I echo Greg's recommendation against putting plain-text passwords in a GPO setting.
Score:0

It seems that they are not encrypted. I have not found a workaround or other path as of yet.

djdomi
How about a managed service account? Like https://www.advancedinstaller.com/install-service-under-managed-service-account.html - one of the BASICS of MCSA, by the way. The answer is NO, they are plain text, in case of using GPO/script instead of the above solution.
Score:0

No, GPOs are not encrypted. If you want an authoritative source: https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/

MS allowed passwords, but it later realized it was a security risk.

You can check for yourself: take a look at \\DOMAIN\SYSVOL and you'll see nothing is encrypted.

You need to set some credentials centrally, it seems. You are using a script. I assume a Startup script? I'd consider storing a file with the password on a share, where only you and domain computer accounts would have access. Read the contents of the file and set the password to that. Or, even better, put the script on a server where only you and computer accounts have access to it, and run it directly from there.
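
An added example, not part of the original thread: a PowerShell audit that follows the answer's suggestion to look at \\DOMAIN\SYSVOL, flagging GPO scripts and Group Policy Preferences XML that appear to carry credentials. The `$SysvolPath` parameter and the regex patterns are assumptions made for this illustration; matched values are deliberately not printed.

```powershell
# Audit SYSVOL for credentials stored in GPO scripts or GPP XML (added example).
param(
    # Assumption: supply your own domain's SYSVOL path, e.g. \\DOMAIN\SYSVOL
    [Parameter(Mandatory)] [string] $SysvolPath
)

# Script types commonly deployed as GPO startup/logon scripts.
$scriptExtensions = '.ps1', '.bat', '.cmd', '.vbs', '.js'

# Heuristic patterns, constructed for this example; tune them for your environment.
# Select-String is case-insensitive by default.
$scriptPattern = '(password|passwd|pwd|secret)\s*[:=]\s*\S+|-AsPlainText'
# Group Policy Preferences XML keeps passwords in a cpassword attribute (see MS14-025).
$gppPattern = 'cpassword="[^"]+"'

# SYSVOL is readable by every authenticated domain user by default,
# so each hit below is exposed domain-wide.
$findings = foreach ($file in Get-ChildItem -Path $SysvolPath -Recurse -File -ErrorAction SilentlyContinue) {
    $ext = $file.Extension.ToLowerInvariant()
    if ($ext -eq '.xml') {
        $pattern = $gppPattern
        $kind = 'GPP cpassword'
    }
    elseif ($scriptExtensions -contains $ext) {
        $pattern = $scriptPattern
        $kind = 'Script credential'
    }
    else {
        continue   # not a file type this audit inspects
    }

    foreach ($hit in Select-String -LiteralPath $file.FullName -Pattern $pattern -ErrorAction SilentlyContinue) {
        # Report location only; never echo the matched secret into logs or consoles.
        [pscustomobject]@{
            Kind          = $kind
            Path          = $file.FullName
            Line          = $hit.LineNumber
            LastWriteTime = $file.LastWriteTime
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Line | Format-Table -AutoSize
}
else {
    'No candidate credentials found under {0}' -f $SysvolPath
}
```

Any credential this reports should be treated as disclosed: remove it from SYSVOL and rotate it.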