使用密码创建 Windows 用户的脚本 [英] Script to create windows user with secret password

问题描述

在我们的默认 Windows 系统映像上，使用秘密密码创建了一个管理成功的用户.这用于支持目的.我需要的是一个脚本来创建这个用户，但不以纯文本形式公开密码(也许使用散列值?有没有办法实现这一点?

On our default Windows system image a user with administrative success is created using a secret password. This is used for support purposes. What I need is a script to create this user but not exposing the password in plain text (maybe using a hashed value? Is there a way to achieve that?

我可以自由使用 powershell 或任何有意义的东西 - 我只需要能够将其提供给某人而无需他们知道密码.

I am free to use powershell or whatever makes sense - I just need to be able to give this to a person without having them to know the password.

推荐答案

你有几个选项，尽管这个问题属于 ServerFault IMAO.如果计算机已加入域，请在安装后脚本中添加包含支持帐户的组.像这样，

You got a few options, though this question belongs to ServerFault IMAO. If the computer is joined in a domain, add the group that contains the support account in post-install script. Like so,

([adsi]"WinNT://./Administrators,group").Add("WinNT://domain/supportGroup,group")

这将在本地管理员组中添加域\supportGroup，因此前者的任何成员都通过域组成员身份被授予权限.利用群组成员身份确保安全是最佳做法.

This will add domain\supportGroup in the local Administrators group, so any member of the former is granted permissions via domain group membership. Leveraging group membership for security is a best practice.

依赖域组的警告是，如果计算机无法连接域，则作为 supportGroup 成员登录将失败 - 除非您获得缓存凭据.

The caveat with relying on domain groups is that if the computer is unable to connect the domain, logon as a member of supportGroup fails - unless you got cached credentials.

对于非域计算机，您运气不佳.人们可以创建一个帐户并将凭据存储在混淆的文件中.Base64 工作得很好.创建用户后，覆盖并删除文件.这将阻止行为良好的用户意外发现密码，但对恶意用户几乎无济于事.

For non-domain computers, you are short of luck. One could create an account and store credentials in obfuscated a file. Base64 works pretty well. After creating the user, overwrite and delete the file. This will stop well-behaving users to accidentally discovering the password, but will do next to nothing for malicious users.

另一种方法是基于，例如，使用密码算法.通过根据计算机名称等生成一个，您无需对密码进行硬编码.再说一次，只需阅读源代码即可提供密码，因此您再次遇到恶意用户时就不走运了.这是一个相当大的漏洞，因为发现该算法的任何人都将获得对所有系统的特权访问权限，因此仔细考虑是否可以继续这样做.

Another an approach would be based on, say, using an algorithm for the password. By generating one based on computer's name and whatnot, you don't need to hardcode the password. Then again, simply reading the source code will provide the password, so you are out of luck against malicious users again. This is quite a vulnerability as anyone discovering the algorithm would gain privileged access to all systems, so think very carefully if this is the way to proceed.

这篇关于使用密码创建 Windows 用户的脚本的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！