Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Ask a Question
Welcome To Ask or Share your Answers For Others

Categories

powershell - Is .SetPassword secure

0 votes
385 views
in Technique[技术] by (71.8m points)

powershell - Is .SetPassword secure

I'm using the following code to update multiple administrator passwords on managed computers. I have looked up documentation, but I cannot determine if the .setpassword command is secure over the network. Is it encrypted in any fashion?

I've heard mention that Powershell sometimes encrypts commands using the network credentials of the logged-in user, but I cannot verify that.

foreach($computer in Get-Content "hosts.txt") {
>> $adminUser = [ADSI] "WinNT://$computer/Administrator"
>> $adminpassword = ...
>> Write-Output $computer
>> Write-Output $adminpassword
>> $adminUser.SetPassword($adminpassword)
>> }

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Maybe. I wish could say yes or no. It depends. [grin]

Source: https://docs.microsoft.com/en-us/windows/win32/api/iads/nf-iads-iadsuser-setpassword

The LDAP provider for Active Directory uses one of three processes to set the password; third-party LDAP directories such as iPlanet do not use this password authentication process. The method may vary according to the network configuration. Attempts to set the password occur in the following order:

First, the LDAP provider attempts to use LDAP over a 128-bit SSL connection. For LDAP SSL to operate successfully, the LDAP server must have the appropriate server authentication certificate installed and the clients running the ADSI code must trust the authority that issued those certificates. Both the server and the client must support 128-bit encryption. Second, if the SSL connection is unsuccessful, the LDAP provider attempts to use Kerberos. Third, if Kerberos is unsuccessful, the LDAP provider attempts a NetUserSetInfo API call. In previous releases, ADSI called NetUserSetInfo in the security context in which the thread was running, and not the security context specified in the call to IADsOpenDSObject::OpenDSObject or ADsOpenObject. In later releases, this was changed so that the ADSI LDAP provider would impersonate the user specified in the OpenDSObject call when it calls NetUserSetInfo. In Active Directory, the caller must have the Reset Password extended control access right to set the password with this method


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

Just Browsing Browsing

2.1m questions

2.1m answers

60 comments

57.0k users

Most popular tags

Powered by Question2Answer
Donate
Theme by Q2A Market&&OStack.cn
...