Monday, December 8, 2014

Change to Group Policy Preferences: Creating Local Users

During the course of my MCSE studies I was working through some lab exercises at the end of one of the chapters, and encountered a problem. The chapter was covering Group Policy preferences, and specifically, I was looking at the steps to setup a new local user on a computer. This is found at "Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups". I thought this might be useful in certain circumstances, but also understood the potential issue, as this method stores the password for the new user account in plain text on the SYSVOL share. The recommendation that I had read stated that it would be a good idea to require the password to be changed at the next logon. A sensible precaution.

So, I started into the exercise. Imagine my surprise when I clicked on "New | Local User", then under "Action:" selected "Create" and encountered this issue:



Every single entry was grayed out, and I was unable to enter any information. If I changed it back to "Update", all of the boxes opened up, but re-selecting "Create" grayed them back out again. So, I tried it from a different computer. Same results. I also tried rebooting the server. Same result. Okay.... Time to hit the Internet and see if anyone else is having the same problem.

The first search result told me all I needed to know. Microsoft has released a patch to remove this security vulnerability. The Knowledge Base article is here:

MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege: May 13, 2014

Well, that was easy. Simply put, if you are regularly patching your servers (I hope you all are), you can no longer add a local user to systems via group policy preferences.

The question I have is will exam 70-411 test on the pre-patch behavior, or the post-patch behavior? Time to do some more research.

Have a great week everyone!