Passwords in Group Policy Preferences

Have you ever wanted to configure a preference item to include a specific user name and password? You can do so in several types of preference items, but if you are working in a high-security environment you should first consider the security ramifications of embedding a user name and password in a preference item.

Where can you use passwords?

  • Local User preference items: When you create or modify a local user account, you can specify both a user name and a password for the account.
  • Data Source preference items: If a user name and password are required to access the data source, you can provide them in the preference item. If you do so, end users to whom the preference item applies can access the data source regardless of their own permissions, but only if the specified account has the necessary permissions.
  • Mapped Drive preference items: You can specify the user name and password to be used to connect to a mapped drive. If you do so, end users to whom the preference item applies can access the mapped drive regardless of their own permissions, but only if the specified account has the necessary permissions.
  • Scheduled Task or Immediate Task preference items: You can configure a scheduled task to run under the security context of a specified user (allowing the task to run regardless of whether that user is logged on), by selecting the Run as check box and providing a user name and password.
  • Service preference items: You can modify which account the service runs under by selecting Local System account or by selecting This account and specifying a user name and password.

For the user name in a Data Source, Mapped Drive, Scheduled Task, Immediate Task, or Service preference item, you can specify a local user account on multiple computers using the format .\UserName, or a domain account using the DomainName\UserName format.

Are passwords in preference items secure? Passwords in Group Policy preference items are protected using 256-bit AES encryption. In the XML source code of a preference item, the password does not appear as clear text; it is encrypted. The client reads the XML, decrypts the password, and implements the configuration.

Although passwords in Group Policy preference items are encrypted, they are not completely secure and therefore are not appropriate for situations requiring high security. Consider the security requirements of your situation, and use discretion when deciding whether to include passwords in preference items.