Month: July 2019

How to Get That Old Laptop Back On The Domain

 

 

 

Occasionally, an old machine dies.  It is always a surprise to the client that a six year old laptop running Windows 7 can die, but, sadly, as we technigenarians know it, tragedy can strike the computer world at any time.  The fatal flaws in SSL 3.  Speculative-execution vulnerabilities in every modern processor.  The soap opera that is Java.  We have seen behind technology’s shimmery curtain and it is ugly backstage. 

 

Clients, though, expect their soft and hard gear to last sometime beyond forever, so they save their Office95 licenses, their replaced Pentium workstations, their 12 pound laptops.  Then, when one of their Old Production Machines topples over, what do they do?  They dig out the Even Older Production Machine that has been sitting in a closet for a year, plug it in and naively expect it to just hop up and go.  Never mind that it will take three hours just to finish running Windows updates.  Ignore the time required for updating 3PAs (Third-Party Apps), ’cause Flash hasn’t changed much, right? 

 

But, what about getting WOR-CREAKY back on the Domain again?  Since it has been way more than 30 days (the policy default), the machine password has aged out and it will not reconnect to the domain and allow current domain credentials to login without some help.  Wouldn’t it be nice to not have to go through the usual join-to-workgroup-reboot-join-to-domain-reboot? Enter one handy PowerShell command – Reset-ComputerMachinePassword.

 

The Reset-ComputerMachinePassword is run from ol’ CREAKY through an Administrative PowerShell session.  This means being logged onto the machine using a local Administrator account.  If you are using some sort of Remote Machine Management tool that gives you admin rights to run commands then you can use that. If not, then you will have to use a local admin user that has already been setup on the machine before it was mothballed. If that is the case, you will have to do some sort of password recovery on the machine. You will have to look elsewhere to get that done.

 

Once you have logged in and started PowerShell as Administrator, run the command with a couple of parameters.  Reset the password for the local computer by noting a specific domain controller:

 

Reset-ComputerMachinePassword -Server “DC01” -Credential CLIENTDOMAIN\JoeBobUser

 

That’s it.  If you can think of something to add, please let us know.

 

References:

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age

 

https://techcommunity.microsoft.com/t5/Ask-the-Directory-Services-Team/Machine-Account-Password-Process/ba-p/396026

 

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1

Always Keep Them Guessing

I’m going to start our columnist-reader conversation simply, with a short but important tech practice: Password management.

Yeah, I know, that’s downright riveting. Yawn at your peril, because it’s fundamentally important to online health, safety, and sanity. My guess is, most of you haven’t stayed on top of it.

Believe it or not, even tech industry pros don’t. We all should.

Here’s a cautionary tale: In December of 2018, cyber security expert Troy Hunt found 770 million email addresses and passwords posted to a known hacker website. Worse, many of those addresses and passwords had also been involved in a separate data breach. That means that people had been hacked, knew it, and still had not changed their passwords. Duh.

First, I can’t fault anyone for making this kind of mistake, because I have. Yes, embarrassing, but true. I have been a small-business owner in the tech sector, worked for two of the largest communications companies, and currently work for a leading IT and cyber security firm. I should know better than to neglect password management, but I have.

But lucky for us, for every problem there is a solution. Well, at least this one.

Problem – Repeat passwords
We need passwords for everything, for banking, social media, medical records, to sign into devices. The more complicated they are, the harder it is to remember more than one, so some people default to using a repeat password across accounts, which is one of the worst possible mistakes to make. It’s too predictable.

There is a routine practice called “credential stuffing” where email addresses and known passwords are plugged in all over the place to see where they gain access. Our email addresses are widely known, of course, so that’s already half the equation solved. One repeated password, and you’ve just handed over the rest.

Solution – Different passwords, changed often
Simple enough. Never use the same password for more than one service, and change your passwords often. I advise setting a schedule for password changes the same way you remind yourself to change the batteries in your smoke detectors at the change of the seasons.

Problem – 17jK_7f#3b@92-!!!!
It is recommended that passwords be at least eight characters long, longer if possible. You will need to use capital letters, numbers and symbols. But each service has its own set of rules as to which characters are acceptable. This can make you want to pull out your hair.

Solution – Make sense of it
Stay away from commonplace words, because those are just too easy to figure out. So, use the numbers/symbols in place of letter. Turn the nonsense into something that makes sense. I recommend writing out a sentence and then breaking it. Come up with a phrase, say, “I like pasta.” Next, make replacements, and you get: !L1k3P@$t@. The longer and more abstract the phrase, the better.

Problem – Too many passwords
Longer, abstract passwords, changing often creates a strain on memory, and keeping paper lists isn’t a good idea.

Solution – Password managers
Store your newly created passwords in a password manager, organized and readily available. If you’re like me, your phone is never out of reach, so I recommend using an app. There are many low-cost and free options in the market. (I recommend: Sophos Mobile Security, Keeper, 1Password.) Managers give you the ability to store many passwords, and some will even prompt you to change them every 30, 60 or 90 days.

Problem – You’ve been breached
There’s little worse than getting an alert from your bank about a suspicious transaction or hearing national news about a system-wide breach. If it hasn’t happened to you yet, chances are it will.

Solution – Report it, change your security factors

If you think one or more of your accounts has been subject to a breach, I recommend immediately making the password changes above.

Next, notify the Oregon Department of Justice Consumer Protection division (www.justice.oregon.gov) and make a formal report. You can also see if your account is listed in a past or recent breach by checking the Troy Hunt online resources at www.haveibeenpwned.com.

I look forward to continuing the conversation, but for now, be careful what you click on!

Jared Swezey is Chief Technology Officer at UpTime Sciences, and advocate for technology education. He lives in Eugene.

This article first appeared in the July 2 2019 Blue Chip section of the Register Guard.