Reset windows administrator password

venkatklr · April 3, 2017, 6:12pm

Need a recipe to reset windows administrator password. It will be great helpful, if someone help on this.

seth · April 4, 2017, 2:47pm

You should be able to do this with the build in user resource like this:

user 'Set Local Administrator Password' do
  username 'administrator'
  action :manage
  password 'your_password_here'
end

HeyItsGilbert · April 4, 2017, 5:52pm

Setting your admin password in plain text makes Security Panda sad.

I would highly recommend using Microsoft’s LAPS product (https://www.microsoft.com/en-us/download/details.aspx?id=46899). It randomizes the admin password for each machine and stores them in AD (if that’s an option).

venkatklr · April 5, 2017, 6:37pm

Seth, HeyltsGiblert, thank you for the suggestions.

HeyltsGiblert, How to call this in chef recipe ?

Thanks,
Venkat

venkatklr · April 5, 2017, 6:38pm

Seth,

Thanks for the script, How can secure the password?

Thanks,
Venkat

seth · April 5, 2017, 8:08pm

As HeyItsGilbert mentioned, storing a password in plain text is not a good idea.

In theory, you could have your password encrypted and use Chef Vault or an encrypted data bag to provide the password value.

kkeane · April 6, 2017, 7:19pm

Ultimately, you can’t completely secure it. The problem is that at some point, Chef needs the password in plain text. However you encrypt it, the decryption key has to be available to the chef client, and therefore also potentially to an attacker.

What I do in situations like this is set the administrator password to something well-known, and then manually change it right after the password has been reset. There is a vulnerability here, of course, during the time gap between Chef resetting the admin password, and manually securing it.

If you have too many systems to do this, use Active Directory - it is designed for exactly this type of problem. In that case, you could simply have Chef generate a random password for the local admin account on the fly. When you need to log on to the local admin account, use a domain account to log in first and change

Kevin Keane
Whom the IT Pros Call
The NetTech
http://www.4nettech.com
Our values: Privacy, Liberty, Justice
See https://www.4nettech.com/corp/the-nettech-values.html

venkatklr · April 6, 2017, 7:38pm

Seth,

Could you PLEASE share some example for the same, if you don’t mind.

Thanks,
Venkat

venkatklr · April 6, 2017, 7:40pm

kkeane,

Thank you. I want to get this done through Chef server only.

Thanks,
Venkat

HeyItsGilbert · April 10, 2017, 8:07pm

Prior to using Hashicorp Vault to distribute secrets, we deployed encrypted databags. To be honest it’s a lot of work and it too has its flaws. We’ve been the most happy with LAPS + AD, but that may change for non AD-bound machines.

tl;dr:

Create a secret key (per databag)

https://docs.chef.io/data_bags.html#secret-keys

Create encrypted data bag via knife

https://docs.chef.io/data_bags.html#encrypt

Update your recipe to read the encrypted databag

https://docs.chef.io/data_bags.html#load-with-recipe-dsl

IMHO if you’re going to go through the effort of deploying data bags, you should just look into setting up a proper secrets management tool. The effort or rolling databag secrets and ensuring they’re in place can be a pain.

Topic		Replies	Views
Setting local Windows user's password Chef Infra (archive)	1	686	March 31, 2014
Reset Webui Admin Password Chef Infra (archive)	2	449	February 2, 2011
Server: Resetting admin password when it's lost Chef Infra (archive)	2	492	August 25, 2011
How to keep from resetting user password Chef Infra (archive)	4	670	September 25, 2010
How to reset webui password in chef 11 Chef Infra (archive)	4	757	March 19, 2013

Reset windows administrator password

Related topics