Generate password from computer name

Klaatu

I've searched Google's archives of this group but I'm either trying the
wrong terms or this is a unique project.

I've got some 200 workstations (running 2K and XP) in an OU where I need
to generate unique passwords for the Administrator account on each
machine. I'm thinking right now to use the workstation name as the
starting place and somehow use that and some rudimentary encryption to
generate the password. The batch program will be used when configuring
the workstation and whenever I need to look up what a particular
machine's Administrator account password is.

Hopefully someone's already done something similar that might have some
code that could get me started, because I'm not too sure how to begin at
this point.

TIA
 
Ray at

Why do you want/need unique administrator passwords? That sounds like a
PITA to manage, regardless of how you do them. Just curious.

Ray at work
 
The Unknown Engineer

I've searched Google's archives of this group but I'm either trying the
wrong terms or this is a unique project.

I've got some 200 workstations (running 2K and XP) in an OU where I need
to generate unique passwords for the Administrator account on each
machine.

**********

Why do you want unique local admin passwords on each machine ?

Seems to me that you're getting a false sense of security from this,
and making your own life as a sysadmin more difficult ...


-- dXm
********************************
====> The Unknown Engineer <====
********************************
 
Klaatu

> Why do you want/need unique administrator passwords? That sounds like
> a PITA to manage, regardless of how you do them. Just curious.

When you use the same Administrator password on all machines:

1) If you have to tell someone the password to get into their machine, then
they know it for all machines.

2) Virii, trojans, and their ilk have a much easier time infecting all of
your machines if one is compromised.
 
Klaatu

ROT13 all the way!

I thought of doing something like that, but it seems a little *too* easy,
plus it's got to handle all chars that can be used in a workstation name,
not just a-z. But if anyone's got some ROT13 code to share, that would be
nice.
 
Ray at

Fair enough, I suppose. But if you have an algorithm that creates a
password based on the computername, someone is just as likely to learn what
that is as he is to learn what the password is, so I don't think that
passwords that can be derived from %computername% add any security. Maybe
what you'd be interested in doing is having 2000 generate random passwords,
log the passwords to a file, burn the file to a couple of CDs, and put the
CDs in two separate dual control safes.

Where I work, all of the security measures that we have must be audited and
approved by the government every six months. All of our workstation admin
passwords are the same, and this is fine. Servers are a different story,
though.

But, wait, IIRC, you asked how to do something. You didn't ask for a debate
about whether or not to do it. So, please accept my apologies. :]

Ray at work
 
Mike Brown - Process Manager

Klaatu said:
I've searched Google's archives of this group but I'm either trying the
wrong terms or this is a unique project.

I've got some 200 workstations (running 2K and XP) in an OU where I need
to generate unique passwords for the Administrator account on each
machine. I'm thinking right now to use the workstation name as the
starting place and somehow use that and some rudimentary encryption to
generate the password. The batch program will be used when configuring
the workstation and whenever I need to look up what a particular
machine's Administrator account password is.

Hopefully someone's already done something similar that might have some
code that could get me started, because I'm not too sure how to begin at
this point.

TIA

This might help:

http://www.segobit.com/pbm.htm

There are a lot of programs like this, with many variations. This was a hit
off the first page of a Google search.

Side thought: Wouldn't it be easier to temporarily give the user's account
Admin access, then demote it when they're finished? Or even use RUNAS if
they need it?
 
Herbert Kleebauer

Klaatu said:
I've searched Google's archives of this group but I'm either trying the
wrong terms or this is a unique project.

I've got some 200 workstations (running 2K and XP) in an OU where I need
to generate unique passwords for the Administrator account on each
machine. I'm thinking right now to use the workstation name as the
starting place and somehow use that and some rudimentary encryption to
generate the password. The batch program will be used when configuring
the workstation and whenever I need to look up what a particular
machine's Administrator account password is.

Select a master password and encrypt the workstation name + version number
with your master password and any secure encryption algorithm (des, idea,..)
and use the output of the encryption (hex dump) as the administrator
password for the workstation. If you have to give away the password for
a workstation, generate a new one by incrementing the version number.
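
The master-password scheme suggested in the post above, as an added example that is not code from any poster in this thread: it uses HMAC-SHA256 keyed with the master secret in place of the encrypt-and-hex-dump step, so knowing the algorithm and the computer name is not enough to compute a password. It is written in Python rather than batch; the alphabet, the `local-admin` label, the required character classes and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed alphabet (an assumption): no look-alikes (0/O, 1/l/I) and no
# characters that cmd.exe treats specially (% ! ^ & | < >).
ALPHABET = ("ABCDEFGHJKLMNPQRSTUVWXYZ" "abcdefghijkmnopqrstuvwxyz"
            "23456789" "#+-_.@~$")


def _stream(key: bytes, info: bytes):
    """Yield pseudorandom bytes from HMAC-SHA256(key, info || counter)."""
    counter = 0
    while True:
        block = hmac.new(key, info + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        yield from block
        counter += 1


def derive_password(master_key: bytes, computer_name: str,
                    version: int = 1, length: int = 20) -> str:
    """Derive the local Administrator password for one workstation."""
    if len(master_key) < 32:
        raise ValueError("master key must be at least 32 random bytes")
    name = computer_name.strip().upper()     # computer names ignore case
    if not name or "\x00" in name or version < 1:
        raise ValueError("bad computer name or version")
    # NUL-separated fields keep (name, version) pairs unambiguous.
    info = b"\x00".join([b"local-admin", name.encode(),
                         str(version).encode()]) + b"\x00"
    limit = 256 - 256 % len(ALPHABET)        # drop bytes that would bias
    chars = []
    for byte in _stream(master_key, info):
        if byte >= limit:
            continue
        chars.append(ALPHABET[byte % len(ALPHABET)])
        if len(chars) < length:
            continue
        pw = "".join(chars)
        # Assumed policy: upper, lower and digit must all be present.
        if (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw
        chars.pop(0)                         # slide the window, keep drawing


if __name__ == "__main__":
    demo_key = bytes(range(32))              # constructed key, demo only
    for host, ver in [("WS-0042", 1), ("WS-0042", 2), ("WS-0043", 1)]:
        print(host, ver, derive_password(demo_key, host, ver))
```

The master key takes the place of a password list as the one item to keep locked away, and the per-machine version numbers have to be recorded somewhere so a lookup uses the current one.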
 
Klaatu


Thanks for the link. While I do see a program or two that does something
similar to generate the output I requested, and please don't take this
the wrong way, I see no batch solution presented there; hence my posting
this question to two NT/2K/XP batch newsgroups!

> There are a lot of programs like this, with many variations. This was
> a hit off the first page of a Google search.

Yes, if I'd wanted to buy someone's program to accomplish this goal, I
suppose it would be quite easy to do so. However, a batch solution would
not only be cheaper, but more instructive and in keeping with the spirit
of the group.

> Side thought: Wouldn't it be easier to temporarily give the user's
> account Admin access, then demote it when they're finished? Or even
> use RUNAS if they need it?

When it is possible to use these options, believe me I do. Sometimes it
is not possible though (FE, laptop user at a hotel calls and has a
problem that needs Administrator rights).

Now, does anyone have any code they would be willing to share, or know of
any code, that might assist me in my desire to create this 2K/XP batch
program?

TIA
 
Mark V

In said:
Thanks for the link. While I do see a program or two that does
something similar to generate the output I requested, and please
don't take this the wrong way, I see no batch solution presented
there; hence my posting this question to two NT/2K/XP batch
newsgroups!


Yes, if I'd wanted to buy someone's program to accomplish this
goal, I suppose it would be quite easy to do so. However, a batch
solution would not only be cheaper, but more instructive and in
keeping with the spirit of the group.


When it is possible to use these options, believe me I do.
Sometimes it is not possible though (FE, laptop user at a hotel
calls and has a problem that needs Administrator rights).

Now, does anyone have any code they would be willing to share, or
know of any code, that might assist me in my desire to create this
2K/XP batch program?

Not a two-way cipher? Just (semi-)unique?

set str=%random%%computername%%random%
 
Klaatu

> Hopefully someone's already done something similar that might have
> some code that could get me started, because I'm not too sure how to
> begin at this point.

Well, Physician, heal thyself, as they say. This is what I've come up
with:

@echo off&setlocal ENABLEEXTENSIONS
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: GenAdminPassword.cmd
::
:: Given a workstation name, generate a password for the
:: Administrator account.
::
:: If one argument is passed, it should be the name of a
:: workstation to translate to a password.
:: If two arguments are passed, the first should be the name
:: of a variable to receive the result, with the second argument
:: the name of a workstation.
::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
if "%1" EQU "" goto :USAGE
if "%2" EQU "" (set "node=%1") else (set "node=%2")
call :Upper unode %node%
call :Obfiscate onode %unode%
call :GenPass pass %onode%
if "%2" EQU "" (echo\%pass%&goto :EXITING)
endlocal&set %1=%pass%&goto :EOF
:EXITING
endlocal&goto :EOF

:USAGE
echo\Usage: [call] %~n0 [variable] workstation-name
goto :EXITING

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:Upper result %string%
::
:: Translate a string to upper case
::
:: Args: %1 var to receive result (by ref)
::       %* (remainder) string to convert to uppercase (by val)
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
setlocal ENABLEEXTENSIONS
set cd=
set instring=%*
if "%1"=="%instring%" endlocal&set %1=&goto :EOF
:: remove leading space on %* param
if not defined cd set instring=%instring:~1%
:: complicated shift
call :upper_exec set instring=%%instring:%1 =%%%
set instring=%instring:a=A%
set instring=%instring:b=B%
set instring=%instring:c=C%
set instring=%instring:d=D%
set instring=%instring:e=E%
set instring=%instring:f=F%
set instring=%instring:g=G%
set instring=%instring:h=H%
set instring=%instring:i=I%
set instring=%instring:j=J%
set instring=%instring:k=K%
set instring=%instring:l=L%
set instring=%instring:m=M%
set instring=%instring:n=N%
set instring=%instring:o=O%
set instring=%instring:p=P%
set instring=%instring:q=Q%
set instring=%instring:r=R%
set instring=%instring:s=S%
set instring=%instring:t=T%
set instring=%instring:u=U%
set instring=%instring:v=V%
set instring=%instring:w=W%
set instring=%instring:x=X%
set instring=%instring:y=Y%
set instring=%instring:z=Z%
endlocal&set %1=%instring%&goto :EOF
:upper_exec
%*
goto :EOF
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:Obfiscate result %string%
::
:: Translate a string using simple substitution
::
:: Args: %1 var to receive result (by ref)
::       %* (remainder) string to convert (by val)
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
setlocal ENABLEEXTENSIONS
set cd=
set instring=%*
if "%1"=="%instring%" endlocal&set %1=&goto :EOF
:: remove leading space on %* param
if not defined cd set instring=%instring:~1%
:: complicated shift
call :obf_exec set instring=%%instring:%1 =%%%
set "result="
set "char="
:obf_loop1
set "result=%result%%char%"
if "%instring%"=="" goto :obf_loop1_end
set char=%instring:~0,1%
set instring=%instring:~1,9999%
if "%char%"=="A" set char=%char:A=N%&goto :obf_loop1
if "%char%"=="B" set char=%char:B=2%&goto :obf_loop1
if "%char%"=="C" set char=%char:C=P%&goto :obf_loop1
if "%char%"=="D" set char=%char:D=K%&goto :obf_loop1
if "%char%"=="E" set char=%char:E=0%&goto :obf_loop1
if "%char%"=="F" set char=%char:F=S%&goto :obf_loop1
if "%char%"=="G" set char=%char:G=7%&goto :obf_loop1
if "%char%"=="H" set char=%char:H=U%&goto :obf_loop1
if "%char%"=="I" set char=%char:I=H%&goto :obf_loop1
if "%char%"=="J" set char=%char:J=4%&goto :obf_loop1
if "%char%"=="K" set char=%char:K=M%&goto :obf_loop1
if "%char%"=="L" set char=%char:L=+%&goto :obf_loop1
if "%char%"=="M" set char=%char:M=1%&goto :obf_loop1
if "%char%"=="N" set char=%char:N=A%&goto :obf_loop1
if "%char%"=="O" set char=%char:O=3%&goto :obf_loop1
if "%char%"=="P" set char=%char:p=C%&goto :obf_loop1
if "%char%"=="Q" set char=%char:Q=5%&goto :obf_loop1
if "%char%"=="R" set char=%char:R=E%&goto :obf_loop1
if "%char%"=="S" set char=%char:S=1%&goto :obf_loop1
if "%char%"=="T" set char=%char:T=G%&goto :obf_loop1
if "%char%"=="U" set char=%char:U=V%&goto :obf_loop1
if "%char%"=="V" set char=%char:V=I%&goto :obf_loop1
if "%char%"=="W" set char=%char:W=9%&goto :obf_loop1
if "%char%"=="X" set char=%char:X=Q%&goto :obf_loop1
if "%char%"=="Y" set char=%char:Y=L%&goto :obf_loop1
if "%char%"=="Z" set char=%char:Z=X%&goto :obf_loop1
if "%char%"=="-" set char=%char:-=Y%&goto :obf_loop1
if "%char%"=="+" set char=%char:+=8%&goto :obf_loop1
if "%char%"=="0" set char=%char:0=D%&goto :obf_loop1
if "%char%"=="1" set char=%char:1=Z%&goto :obf_loop1
if "%char%"=="2" set char=%char:2=T%&goto :obf_loop1
if "%char%"=="3" set char=%char:3=-%&goto :obf_loop1
if "%char%"=="4" set char=%char:4=J%&goto :obf_loop1
if "%char%"=="5" set char=%char:5=R%&goto :obf_loop1
if "%char%"=="6" set char=%char:6=F%&goto :obf_loop1
if "%char%"=="7" set char=%char:7=O%&goto :obf_loop1
if "%char%"=="8" set char=%char:8=B%&goto :obf_loop1
if "%char%"=="9" set char=%char:9=W%
goto :obf_loop1
:obf_loop1_end
endlocal&set %1=%result%&goto :EOF
:obf_exec
%*
goto :EOF
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:GenPass result %string%
::
:: Translate a string to a password
::
:: Args: %1 var to receive result (by ref)
::       %* (remainder) string to convert (by val)
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
setlocal ENABLEEXTENSIONS
set cd=
set instring=%*
if "%1"=="%instring%" endlocal&set %1=&goto :EOF
:: remove leading space on %* param
if not defined cd set instring=%instring:~1%
:: complicated shift
call :gp_exec set instring=%%instring:%1 =%%%
set /a result=12345
set /a char=0
set /a inc=2
:gp_loop1
set /a inc=%inc% + 1
set /a char=%char% ^<^< %inc%
set /a result=%result% + %char%
if "%instring%"=="" goto :gp_loop1_end
set char=%instring:~0,1%
set instring=%instring:~1,9999%
if "%char%"=="A" set /a char=65&goto :gp_loop1
if "%char%"=="B" set /a char=66&goto :gp_loop1
if "%char%"=="C" set /a char=67&goto :gp_loop1
if "%char%"=="D" set /a char=68&goto :gp_loop1
if "%char%"=="E" set /a char=69&goto :gp_loop1
if "%char%"=="F" set /a char=70&goto :gp_loop1
if "%char%"=="G" set /a char=71&goto :gp_loop1
if "%char%"=="H" set /a char=72&goto :gp_loop1
if "%char%"=="I" set /a char=73&goto :gp_loop1
if "%char%"=="J" set /a char=74&goto :gp_loop1
if "%char%"=="K" set /a char=75&goto :gp_loop1
if "%char%"=="L" set /a char=76&goto :gp_loop1
if "%char%"=="M" set /a char=77&goto :gp_loop1
if "%char%"=="N" set /a char=78&goto :gp_loop1
if "%char%"=="O" set /a char=79&goto :gp_loop1
if "%char%"=="P" set /a char=80&goto :gp_loop1
if "%char%"=="Q" set /a char=81&goto :gp_loop1
if "%char%"=="R" set /a char=82&goto :gp_loop1
if "%char%"=="S" set /a char=83&goto :gp_loop1
if "%char%"=="T" set /a char=84&goto :gp_loop1
if "%char%"=="U" set /a char=85&goto :gp_loop1
if "%char%"=="V" set /a char=86&goto :gp_loop1
if "%char%"=="W" set /a char=87&goto :gp_loop1
if "%char%"=="X" set /a char=88&goto :gp_loop1
if "%char%"=="Y" set /a char=89&goto :gp_loop1
if "%char%"=="Z" set /a char=90&goto :gp_loop1
if "%char%"=="-" set /a char=45&goto :gp_loop1
if "%char%"=="+" set /a char=43&goto :gp_loop1
if "%char%"=="0" set /a char=48&goto :gp_loop1
if "%char%"=="1" set /a char=49&goto :gp_loop1
if "%char%"=="2" set /a char=50&goto :gp_loop1
if "%char%"=="3" set /a char=51&goto :gp_loop1
if "%char%"=="4" set /a char=52&goto :gp_loop1
if "%char%"=="5" set /a char=53&goto :gp_loop1
if "%char%"=="6" set /a char=54&goto :gp_loop1
if "%char%"=="7" set /a char=55&goto :gp_loop1
if "%char%"=="8" set /a char=56&goto :gp_loop1
if "%char%"=="9" set /a char=57&goto :gp_loop1
set /a char=0
goto :gp_loop1
:gp_loop1_end
endlocal&set %1=%result%&goto :EOF
:gp_exec
%*
goto :EOF
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
 
Al Dunbar

Ray at said:
> Fair enough, I suppose. But if you have an algorithm that creates a
> password based on the computername, someone is just as likely to learn what
> that is as he is to learn what the password is, so I don't think that
> passwords that can be derived from %computername% add any security. Maybe
> what you'd be interested in doing is having 2000 generate random passwords,
> log the passwords to a file, burn the file to a couple of CDs, and put the
> CDs in two separate dual control safes.

IMHO, that is the best way to manage this.

> Where I work, all of the security measures that we have must be audited and
> approved by the government every six months. All of our workstation admin
> passwords are the same, and this is fine. Servers are a different story,
> though.

Ditto here for workstation passwords in an OU. Servers *are* a different
story, as I have no idea what our server's admin password is.

> But, wait, IIRC, you asked how to do something. You didn't ask for a debate
> about whether or not to do it. So, please accept my apologies. :]

Unnecessary, imho, as the good advice is far more valuable than a mechanical
answer to a question...

man just leaving his lawyer's office: "Dang, the parking meter will run out
before I even catch an elevator - is there a quicker way to get down to
street level?"

lawyer: "Sure, just go out this window..."


/Al
> Ray at work
 
Al Dunbar

Klaatu said:
When you use the same Administrator password on all machines:

1) If you have to tell someone the password to get into their machine, then
they know it for all machines.

Admin passwords should never be given out to users - only IT staff should
know them. Perhaps not all of them, either.

/Al
 
