Group Policy Preferences – Local Users and Groups password behavior changed : MS14-025
When it comes to Windows Active Directory environment system administrators needs to deploy Domain users as Local computer admins via Group Policy. You can simply do that in several ways like using Restricted Groups and Local Users and Groups section in the Windows settings.
Here I’m more focusing on the local users and Groups in Windows settings | Control Panel section. You can simply create a GPO , edit and go to “Preferences | Control Panel | Local Users and Groups” as shown in below.
You can simply administer these pushed local account as a normal domain user account, you can Create, Replace, Update, Delete accounts and you can change user account associated attributes as a normal domain account for these local accounts.
But Microsoft has decided storing passwords (CPassword attribute) in Group Policy as a security breach and issued a patch (MS14-025) to disable this option in Windows. Once you install this hotfix these password fields will be grayed out.
Also below warning message will be displayed and will notify the security breach when you apply the “New Local User Properties”
As a security guidance finally Microsoft is blocking the feature which stores the passwords in Group Policy in their own system. However this patch is not automatically push in to the Server, this feature will be disabled only if you explicitly install it on your system.
This fix is available for all the available group policy consoles and can be found in here.