
Manage Network Passwords (Command Line)


subhramani


There are quite a few people who end up 'remembering' the passwords when they sign on to a web application that uses AD authentication, though they are not supposed to. So my team ends up getting tickets for the passwords to be cleared.

What we need to do is go to Control Panel > User Accounts > Manage Network Passwords and then remove the password that is saved.

I would like to know if there is any way of getting this done via command line since it would be easier for us to login via telnet and run those commands.

Any help would be awesome. Thanks in advance.


LOL, sorry.

We have loads of computers that run on Windows XP Embedded. They are used by 'customers' to access several applications. A few applications are just web pages over the intranet which use AD authentication.

These people, when they access the webpage, are prompted to enter their domain credentials. They also end up checking the box to remember the passwords though they aren't supposed to since there are other people who login to the same page with their own credentials.

The group policy denies them access to almost everything. So they can't even see the desktop. Just an interface with a list of applications they can click to access.

Hence, we log on to those computers and delete the passwords manually using the method I mentioned in the original post.

cmdkey is exactly what I need, but unfortunately doesn't work on Windows XP machines. I can't use psexec either since the command doesn't exist. I wanted to know if there is a cmdkey equivalent for XP.

Edited by subhramani

No.

The tool is included in Server 2003 or later (but the server 2003 version works in XP).

Psexec is free use.

But now that the problem is clearer:

These people, when they access the webpage, are prompted to enter their domain credentials. They also end up checking the box to remember the passwords though they aren't supposed to since there are other people who login to the same page with their own credentials.

there could be other solutions/workarounds.

Maybe you can edit that dialog box/msg window/whatever, removing in there the possibility to save the password.

Or (maybe) you can deny access to the key (in the Registry) to which that information is saved.

Or more simply you could take advantage of provisions of the OS. :whistle:

What happens with this? :unsure:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"disabledomaincreds"=dword:00000001

And/or with this:

http://blogs.technet.com/b/askds/?pi101072=2&PostSortBy=MostViewed&pi136163=1&pi136234=57#dfsvpn

http://technet.microsoft.com/en-us/library/jj852185.aspx

jaclaz


Dayum. Ok.

And nope... I unfortunately will not be able to make any changes to the computers like adding/removing registry keys or files as we have over 14,000 computers across our estate. Making even a small change will need a "Change" raised and I have to run around for approvals etc. (which I am sure I will not get). Pain in the a**.

Shit situation, right? :D


Not sure I get this - why wouldn't management approve a Change Request of this (seeming) importance (High Priority)? Even in the "slow as molasses" government environment it didn't take that much effort (yes, I have been there/done that), maybe one day or less. Put in the request, walk it through, "push" the fix (instead of going to each computer) one time at logon. You ARE an Administrator (Domain?), right?

IOW, if it's broke (and it certainly sounds like), fix it ASAP...


As a side note, if a "team" in charge of support/maintenance of 14,000 PC's cannot manage to:

  • find about (documented) cmdkey
  • find about (documented) Group Policies
  • do any of the above (or be authorized to do that)

I have difficulties in calling it a "support team" (particularly for such a large userbase).

Reality check.

When you "telnet" manually into a remote computer, and run the Control Panel/Users thingy (which BTW you can access more directly through "rundll32.exe keymgr.dll, KRShowKeyMgr") what you are actually doing is to use a GUI tool to write (or modify) a binary file "Credentials" residing in \Documents and Settings\<User Name>\Application Data\Microsoft\Credentials\<User SID>, see:

http://www.nirsoft.net/utils/network_password_recovery.html

so it is not in any way different from changing a binary file (one of the Registry hives) BEFORE, to avoid the need to connect to the PC at all.

As a matter of fact every time anyone accesses a remote computer via "telnet" or other remote administration tool, this represents a serious security (and/or privacy) matter.

jaclaz


Yup, exactly why I am here to ask questions and learn. Why the heck would I come here if I knew everything? If there was an issue answering, you need not have even answered. You had to Google to know where I work to reply? LOL.


I don't have a deadline. I am trying to make my own work easier. I don't have to explain which team deals with what and why I am in this situation. I asked you a technical question and you are talking about my work place and what they are supposed to do. Was that necessary? Who wasted time?


No deadline, then this shouldn't be a problem -

Making even a small change will need a "Change" raised and run I have to around for approvals etc (which I am sure I will not get).

It appears to be a "problem" that should get approval. Again, back to post#6, which followed post#4. The solution and a potential method of distribution. We ARE talking Client PC's on a Domain, aren't we?

edit - this seems to be a problem you requested help with before.

http://www.msfn.org/board/topic/162647-q-asp-website-with-ad-authentication/

...and here you appear to have access to Windows Server 2003 (cmdkey) -

http://www.msfn.org/board/topic/162496-win-2k3-cant-view-events-services-device-properties/?view=findpost&p=1035032

Edited by submix8c

No. They are not a part of any domains. The policies are applied using a local script. I can't access even the admin shares of those computers from a central server and psexec will not connect to those computers. But I can access shared folders in a central server from those computers. I use psexec on a daily basis so I know what that is, but cmdkey was something new because I never had to utilize it before.

Since psexec cannot connect to those computers, I canNOT have a copy of cmdkey in a network share to run it. These computers are quite complicated and I have just started supporting these, so I don't know what works and what doesn't. Truth.

Edit: About the links you have mentioned to my previous post:

The first one about ASP, I was fighting with the same application team asking them to create a proper 'Logoff' option instead of just a javascript to close the browser window when they click on the 'Close' link. I wasn't sure where the passwords would get saved for a page that uses AD authentication. If it was an external website, it would store a cookie, so deleting them would be easier, but this one isn't. So that post was for me to understand where the passwords would get saved. Ideally, THAT application team are the ones who are supposed to fix it.

Edited by subhramani

Well what happens if you deploy cmdkey to the target machine and run it remotely from the machine itself? :unsure:

Still, it seems to me foolish to wait for the issue to happen and repair the problem as opposed to preventing the issue from happening at all.

I have no idea about (and I am actually not at all interested in the details of) the management procedures that you have on that site/whatever, but I have rarely seen someone proposing a no or little cost enhancement capable of preventing the creation of a "support ticket" having it denied/not approved.

You see, usually no one actually cares about what the IT/support people do :w00t:, but if a "support ticket" is created, it means that there is an alteration in the workflow of the people that actually work to produce something (or that are supposed to do that), i.e. it means "saved money" or "less downtime" for the company.

In any case, you asked about your problem, not one but three possible solutions were proposed for you to test, sorry if none can - for whatever reason - be tested/used in your environment.

jaclaz

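As an added example (not code from jaclaz or anyone else in this thread), here is what "deploy cmdkey to the target machine and run it there" looks like as a batch file for the XP Embedded boxes: it lists what cmdkey reports and deletes each saved credential. It assumes the Server 2003 build of cmdkey.exe has been copied next to the script (the file name and folder are assumptions). The caveat a practitioner needs is the one jaclaz's Credentials-file post implies: the store is per user, so cmdkey only sees the credentials of the logon session it runs in. Run from an admin telnet session it would clear the admin's store, not the kiosk user's; it has to run as that user, for instance from the local logon script already used for the policies.

```batch
@echo off
REM Added example, not from the thread: remove every credential that cmdkey
REM reports for the CURRENT logon session (per-user store, so run as the
REM kiosk user, e.g. from that user's logon script, not from admin telnet).
REM Assumption: the Server 2003 cmdkey.exe (runs on XP) sits next to this
REM script; if not, the copy on the PATH is used.
setlocal EnableDelayedExpansion

REM Prefer the cmdkey.exe deployed alongside this script (assumed location).
set "PATH=%~dp0;%PATH%"

REM Pass /dryrun as the first argument to only list what would be removed.
set "DRYRUN=0"
if /i "%~1"=="/dryrun" set "DRYRUN=1"

set /a COUNT=0
REM "cmdkey /list" prints one "Target: <name>" line per stored credential;
REM everything after the first space is the target name cmdkey itself uses,
REM so it can be fed straight back to /delete.
for /f "tokens=1,* delims= " %%A in ('cmdkey /list ^| findstr /i Target:') do (
    set "TARGET=%%B"
    if "!DRYRUN!"=="1" (
        echo Would delete: !TARGET!
    ) else (
        echo Deleting: !TARGET!
        cmdkey /delete:"!TARGET!"
    )
    set /a COUNT+=1
)

echo %COUNT% saved credential(s) processed for user %USERNAME%.
endlocal
```

Running it with `/dryrun` first shows exactly which entries the current user has stored, which is also a quick way to confirm the script is executing in the right user's session before anything is deleted. It is the reactive half of the discussion; the `disabledomaincreds` registry value posted earlier is the preventive one, and the two can be deployed by the same local script.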

Yes, there is a little work that needs to be done before I can use the solution(s) mentioned above for them to work, but I'm going to try them out asap. Many thanks for your help.

Edited by subhramani