Need a recipe to reset the Windows administrator password. It would be very helpful if someone could help with this.
You should be able to do this with the built-in `user` resource like this:

```ruby
user 'Set Local Administrator Password' do
  username 'administrator'
  password 'your_password_here'
  action :manage
end
```
Setting your admin password in plain text makes Security Panda sad.
I would highly recommend using Microsoft’s LAPS product (https://www.microsoft.com/en-us/download/details.aspx?id=46899). It randomizes the admin password for each machine and stores them in AD (if that’s an option).
Seth, HeyItsGilbert, thank you for the suggestions.
HeyItsGilbert, how do I call this in a Chef recipe?
Thanks for the script. How can I secure the password?
As HeyItsGilbert mentioned, storing a password in plain text is not a good idea.
In theory, you could have your password encrypted and use Chef Vault or an encrypted data bag to provide the password value.
Ultimately, you can’t completely secure it. The problem is that at some point, Chef needs the password in plain text. However you encrypt it, the decryption key has to be available to the chef client, and therefore also potentially to an attacker.
What I do in situations like this is set the administrator password to something well-known, and then manually change it right after the password has been reset. There is a vulnerability here, of course, during the time gap between Chef resetting the admin password, and manually securing it.
If you have too many systems to do this, use Active Directory - it is designed for exactly this type of problem. In that case, you could simply have Chef generate a random password for the local admin account on the fly. When you need to log on to the local admin account, use a domain account to log in first and change
Could you PLEASE share an example of this, if you don’t mind?
Thank you. I want to get this done through Chef server only.
Prior to using Hashicorp Vault to distribute secrets, we deployed encrypted databags. To be honest it’s a lot of work and it too has its flaws. We’ve been the most happy with LAPS + AD, but that may change for non AD-bound machines.
- Create a secret key (per databag)
- Create encrypted data bag via knife
- Update your recipe to read the encrypted databag
IMHO if you’re going to go through the effort of deploying data bags, you should just look into setting up a proper secrets management tool. The effort of rolling databag secrets and ensuring they’re in place can be a pain.
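As an added illustration of the encrypted data bag route listed above, and of the earlier point that the node must still hold the decryption secret, here is a stand-alone Ruby model; it is not code from the thread or from Chef itself. The layout follows Chef's version-3 encrypted data bag items (AES-256-GCM, key derived by SHA-256 of the secret file), which is an assumption about the format, and the password and secret values are constructed.

```ruby
# Added example, not from the thread: a stand-alone model of a Chef encrypted
# data bag field. Layout follows Chef's version-3 items (AES-256-GCM, key =
# SHA-256 of the secret file); treat that layout as an assumption, not a spec.
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

CIPHER = 'aes-256-gcm'

# Key derivation as chef-client does it: SHA-256 of the raw secret file contents.
def derive_key(secret)
  OpenSSL::Digest::SHA256.digest(secret)
end

# knife side: wrap one field (the admin password) into the item stored on the server.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv                      # fresh nonce per item
  data = cipher.update(JSON.generate('json_wrapper' => value)) + cipher.final
  { 'encrypted_data' => Base64.strict_encode64(data),
    'iv' => Base64.strict_encode64(iv),
    'auth_tag' => Base64.strict_encode64(cipher.auth_tag),
    'version' => 3, 'cipher' => CIPHER }
end

# Node side: the recipe can only recover the password because the secret is on
# the node, which is the exposure the thread describes. Returns nil (instead of
# raising) when the secret is wrong or the item was tampered with.
def decrypt_field(item, secret)
  cipher = OpenSSL::Cipher.new(item['cipher'])
  cipher.decrypt
  cipher.key = derive_key(secret)
  cipher.iv = Base64.strict_decode64(item['iv'])
  cipher.auth_tag = Base64.strict_decode64(item['auth_tag'])
  plain = cipher.update(Base64.strict_decode64(item['encrypted_data'])) + cipher.final
  JSON.parse(plain)['json_wrapper']
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  secret = SecureRandom.hex(32)                # constructed: per-databag secret file
  item = encrypt_field('your_password_here', secret)
  puts decrypt_field(item, secret)             # the recipe would feed this to `user`
  puts decrypt_field(item, 'wrong secret').inspect  # nil: wrong secret fails closed
end
```

In a real recipe the `secret` comes from the file referenced by `encrypted_data_bag_secret` in the client config, so anyone who can read that file on the node can recover the same plaintext.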