Last Update: Sep 04, 2024 | Published: Jun 30, 2014
How Can I Block the Use of Passwords in Group Policy Preferences?
Microsoft tries to dissuade IT administrators from setting and storing passwords in Group Policy Preferences due to security concerns. While useful for mapping network drives and creating local user accounts, those passwords could create a security hole for hackers to drive through.
This Ask the Admin column outlines how to update the Group Policy Management Console (GPMC) to prevent IT administrators from setting passwords in Group Policy Preferences.
CPassword is the mechanism used to store passwords in Group Policy Preferences. It was inherited by Microsoft as part of its purchase of PolicyMaker in 2008. PolicyMaker stored passwords along with the related Group Policy Object (GPO) files in SYSVOL, which by design can be viewed by domain users. The passwords are encrypted with AES using a 32-byte key, but the protection is quite weak because the encryption key is published by Microsoft in its API documentation, as required by law.
Many organizations use Group Policy Preferences to set passwords for local administrator accounts. This has led to the development and deployment of exploit tools that can detect and decrypt passwords set using CPassword, which makes setting and storing passwords in Group Policy Preferences a known risk.
All Group Policy Preferences that allow you to set or store passwords are affected. The list of items is as follows:
The first step is to make sure that IT staff can no longer set passwords in Group Policy Preferences.
Install the relevant update for your systems as identified in Security Bulletin MS14-025, released on May 13, 2014, at the Microsoft Security TechCenter site. This should include all clients and servers where GPMC is installed, including devices on which the Remote Server Administration Tools (RSAT) are present.
If you have been using passwords in Group Policy Preferences, you will need to take the additional step of making sure they are removed from the .XML files stored for each GPO in your Active Directory domain’s SYSVOL folder. To do this, set the action for each preference that has a password to Delete.
Remove passwords from Group Policy Preferences
Repeat the above procedure for all Group Policy Preference items identified as containing passwords.
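To check that no passwords remain in SYSVOL after the cleanup, the following PowerShell is an added example, not part of the original column or of Microsoft's tooling. It assumes a domain-joined machine where `USERDNSDOMAIN` is set and the default `\\<domain>\SYSVOL\<domain>\Policies` path; the function name `Find-GppCPassword` is hypothetical.

```powershell
# Added example: list GPP XML files in SYSVOL that still hold a non-empty
# cpassword attribute. Reports locations only; never prints or decrypts values.
function Find-GppCPassword {
    [CmdletBinding()]
    param(
        # Assumption: standard Policies share of the current user's domain.
        [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )

    # Fail loudly rather than report a clean result for a path we could not read.
    if (-not (Test-Path -LiteralPath $PoliciesPath)) {
        throw "Policies path not reachable: $PoliciesPath"
    }

    Get-ChildItem -LiteralPath $PoliciesPath -Recurse -Filter '*.xml' -File |
        ForEach-Object {
            $file = $_
            $xml = New-Object System.Xml.XmlDocument
            try {
                $xml.Load($file.FullName)
            } catch {
                Write-Warning "Skipped unparsable file: $($file.FullName)"
                return   # move on to the next file
            }

            # The attribute is written in lowercase in the preference files.
            $xpath = '//*[@cpassword and string-length(@cpassword) > 0]'
            foreach ($node in $xml.SelectNodes($xpath)) {
                $guid = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] }
                [pscustomobject]@{
                    GpoGuid      = $guid
                    Preference   = $node.ParentNode.Name   # element that owns the Properties node
                    File         = $file.FullName
                    LastModified = $file.LastWriteTime
                }
            }
        }
}

$findings = @(Find-GppCPassword)
if ($findings.Count -eq 0) {
    'No cpassword values found under the Policies folder.'
} else {
    $findings | Sort-Object GpoGuid, File | Format-List
}
```

Each finding names the GPO GUID and file to revisit in GPMC; rerun the check after replication has completed to confirm the list is empty.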