1

We have a piece of COTS software that has a command line tool for server credential rotation. Instead of going to each machine to rotate the credentials with the tool, I would like to use GPO to run a script to do so. However, I would need to place the new credentials in the script, so I am wondering if the script files stored in the GPO are encrypted at rest. I have not found any authoritative documentation stating either way.

scmccart

2 Answers

0

It seems that they are not encrypted. I have not found a workaround or other path as of yet.

scmccart
  • How about a managed service account? Like https://www.advancedinstaller.com/install-service-under-managed-service-account.html - one of the BASICS of MCSA, by the way - the answer is NO, they are plain text, in case of using GPO/script instead of the above solution – djdomi Jun 16 '21 at 18:12
0

No, GPOs are not encrypted. If you want an authoritative source: https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/

MS allowed passwords, but it later realized it was a security risk.

You can check for yourself: take a look at \\DOMAIN\SYSVOL and you'll see nothing is encrypted.

Luiz Angelo
  • You need to set some credentials centrally, it seems. You are using a script. I assume a Startup script? I'd consider storing a file with the password on a share, where only you and domain computer accounts would have access. Read the contents of the file and set the password to that. Or, even better, put the script on a server where only you and computer accounts have access to it, and run it directly from there. – Luiz Angelo Jun 16 '21 at 19:04
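
One way to run the "check for yourself" step from the answer above across the whole share, as an added example (not code from the original posts): a PowerShell audit that lists files under SYSVOL matching common credential patterns, reporting file and line number without printing the matched values. The `$SysvolPath` default, the file extensions and the pattern list are assumptions chosen for illustration.

```powershell
# Added example: audit SYSVOL for credentials stored in readable form.
# Assumption: run from a domain-joined machine, so USERDNSDOMAIN is set.
param(
    [string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL"
)

# File types commonly used by GPO scripts and Group Policy Preferences.
$extensions = '*.ps1', '*.bat', '*.cmd', '*.vbs', '*.xml', '*.ini', '*.txt'

# Constructed, non-exhaustive patterns (Select-String is case-insensitive):
#  - the cpassword attribute that MS14-025 addresses
#  - password assignments or arguments inside scripts
#  - plaintext handed to ConvertTo-SecureString
$patterns = @(
    'cpassword\s*=\s*"[^"]+"',
    '(password|passwd|pwd)\s*[=:]\s*\S+',
    'net\s+user\s+\S+\s+\S+',
    'ConvertTo-SecureString\s+.*-AsPlainText'
)

$hits = Get-ChildItem -Path $SysvolPath -Recurse -File -Include $extensions `
            -ErrorAction SilentlyContinue |
        Select-String -Pattern $patterns

if (-not $hits) {
    Write-Output "No credential patterns found under $SysvolPath"
    return
}

# Report location and which pattern fired, but not the line itself,
# so the audit output does not become another copy of the secret.
$hits |
    ForEach-Object {
        [pscustomobject]@{
            File    = $_.Path
            Line    = $_.LineNumber
            Pattern = $_.Pattern
        }
    } |
    Sort-Object File, Line |
    Format-Table -AutoSize
```

Any hit is a credential to rotate and move out of SYSVOL; the `net user` pattern in particular is broad and will need manual review.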