How can I set a Local User password using Group Policy Preferences in Powershell

Question

I know that this is dangerous. But I am trying to create a lab that demonstrates some misconfiguration of Active Directory.

I would like to create a Group Policy Preference that sets the password of a user. And where the password would end up being stored in Groups.xml.

I have found this video that show how this used to be done with a graphical interface. But the password fields are blocked on Windows Server 2022.

Is it possible to do this in powershell ?
Also, is it still possible on Windows Server 2022, or is it only available on older Windows Server editions ?

Answer 1

The ability to set a password via GPP was removed 10 years ago in MS14-025. Basically, existing policies can stay but are restricted to the "delete" operation if you change them, and the ability to deploy new policies has been removed. The setting itself remains for backward compatibility, but is partially disabled like you've seen

For your purposes, you could just create a valid Groups.xml file like in the image here - it just won't apply to client PCs:

from Privilege Escalation via Group Policy Preferences (GPP)

To be able to create a GPO like this via the GUI, you'll need an unpatched Windows Server 2012 R2 or older DC.