Script for changing *local* admin passwords?

I need to add something to the computers everyone logs into on the network. In order to get some consistency/complaince with internal policy, I need to be able to modify the XP administrator account's password.

Unless you're physically at the machine, you can't change it. And if you change it while you're logged in as a domain admin, you need to follow AD policy for passwords. We're looking to apply a password that doesn't follow AD policy, but we can't log into the admin accounts on all the machines because they've been applied inconsistently in the past. (My job to standardize them.)

Is there a script that can be run to configure this? Can it be added to the domain login script? (ie, "map these drives for userid with x permission... local admin password change to xxxxx ") Or is it a script that would have to be run locally by a network admin?

I'm just spitballing ideas because I don't know what the best way to do this would be. Scripting seems like the most practical (and manageable in an enterprise environ, instead of going to everyone's comp, just remote in and run the script) solution... But I don't know how to script. Anyone have one handy?

 

My problem is that some of these computers have admin passwords set that no one remembers. I can't just sit down at the machine, log in as administrator and change the password. We're locked out as these passwords are, effectively, lost in time. Logging in with my network admin password gave me the message that I have to follow policy that's been set, but the password we want to standardize doesn't conform with the network logins we require of our users.

I know I have the ability and time to remote into every machine and run a quick script from the network. Visiting all our sites and hitting every computer manually... not so much. This is a short term project that needs to be completed sooner rather than later - which is why I came asking for a script. I can't think of a faster and more efficient way to push this change down on each of our workstations.

I know it's a tall order, but I'm just hoping someone saw or has a script to do just this.

 

Maybe take a look here.

 

May be it will work for you:

Script:

---------------------
"@echo off

NET USER Administrator %1

"
--------------------

Parameter %1 is supplied in the Script section of relevant GPO and actually is a password. You should not need to know the previous password - just reboot your PCs (if, of course, you place this script in the StartUp section of your GPO).

Michael

 

AMDACE - Since you found it, maybe you can help me out. I created a text file with a single test computer on it, before I went gung-ho and attempted the whole domain at once. (Good thing, too!)

The log generated the following error:
1/22/2010 12:08:27 PM Starting script...
1/22/2010 12:08:30 PM Error setting password for COMPUTERNAME\Administrator ---
1/22/2010 12:08:30 PM Ending script...

And that's all it gave me. I've verified that the computer is on, connected to the domain (I'm logged in remotely) and that the administrator account is named "Administrator" (it is). Did I miss changing something in the script that I needed to?

 

Hrm... just going back through it...

Set objUser = GetObject( "WinNT://" & strComputer & "/Administrator, user ")

Strikes me as interesting. The target machines are XP (sp3), and the scripts was written in '04, with an eye towards NT and 2000 machines. Do I need to change WINNT into WINDOWS? I'm not familiar enough with this syntax to want to try it without checking with someone first.

 

MichaelF was on the right track.
Check out this link.
It's kind of old, but I think it will help you accomplish what you need to do through gpo.

 

That last thread you linked me to was mostly over my head. I'm looking for a really simple answer, and I'm hoping I found it. I just need someone to point me to the right syntax.

Code:

Set objOU = GetObject( "LDAP://OU=Finance, DC=fabrikam, DC=com ")
objOU.Filter = Array( "Computer ")

For Each objItem in objOU
    strComputer = objItem.CN
    Set objUser = GetObject( "WinNT://" & strComputer &  "/Administrator ")
    objUser.SetPassword( "i5A2sj*! ")
Next

This calls every computer in an OU and re-writes the password. What if I have a text file with the computer names on them from the domain, because I only want to reset specific ones?

This is an example of how to do it on an individual computer, where it looks like you need to know the computer name. Would I just change 'atl-ws-01/kenmeyer' to '" & strComputer & "/Administrator "' to have a script I can run on every machine that I log onto as an admin?

Code:

Set objUser = GetObject( "WinNT://atl-ws-01/kenmyer ")
objUser.SetPassword( "i5A2sj*! ")

 

@ Michael F --

I tried your NET USER command in a batch file on a test machine in the domain. I got the error that the password does not meet policy requirements.

Is there a way to bypass policy requirements when I'm logged on remotely as a domain admin? The only way I can think of it working now would be to log onto the computer locally - which defeats the goal of doing this remotely - and run the script.

Is that what has to be done? Or by putting it in our login script (we already have one to map user drives based on the OU a user is in), we won't get that message, and a change in local administrator password will ignore policy that way?

 

Maybe PsPasswd v1.22?

Sysinternals has many utilities that may help you.

Sysinternals Suite

 

CUISTech, you can change the AD Policy for LOCAL user accounts located in a separate OU!

You just should create a new OU (if it is not already exist in your AD environment), move all required computer accounts to it, create the GPO with LESS restrictive Password Policy and link this GPO to the new OU.

As a result all computer accounts located in this new OU will have another LOCAL Password Policy and you would be able to run my script for computers in this OU without errors.

 

NOTE: Originally sent a PM to Michael F, but thought better of it and will post my update/question here.

Boss likes the idea of doing it all at once... So, I'm following your suggestion of putting it in group policy, to guarantee that the changes are passed down (versus pushing it down all at once, and missing whoever isn't turned on).

. . .

I've never done this before, so I need to walk through it and you tell me if I'm wrong.

Write a .vbs file that contains ONLY:

Code:

@echo off

NET USER Administrator %1

Then I save that file to C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup on my PDC.

Open gpedit.msc, go to Computer Configuration > Windows Settings > Scripts (Startup/Shurtdown) > Startup

In the window that opens, I use my "password.vbs" file path where it asks for script name (full path, or just "password.vbs? ") and type the new password in where it says Script Parameters, then click okay, and save/exit out of everything.

And then, the next time a computer in my AD reboots, it'll be given the new password? No matter who logs into it?[/QUOTE]

 

You will need to add the script to the Startup script folder of the the proper domain policy.
When you get to the window to add the startup script, click add and then click the dropdown at the top. That will you show the path to the proper location. Once you have the script copied to that path, click add and it will show up.

<edit> Clicking the show files button will also give the proper path.

 

1) Write a .CMD (not a VBS!) script:

@echo off

NET USER Administrator %1

2) Save it to any shared folder (not only to C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup) on your PDC

3) "Open gpedit.msc, go to Computer Configuration > Windows Settings > Scripts (Startup/Shurtdown) > Startup" - it's ok and add

this script to the new GPO(I press "Browse" in the "Script name" field and pick this .cmd file up from the shared folder in Entire

Network), so in "Script Name" field should be somthing like this: \\pdc\Scripts\LocalAdmin.cmd

4) In "Script Parameters" field type your password - the GPO now is ready to be deployed.

5) Link this GPO to the OU with relevant computer accounts

6) Reboot those PCs, it's not nesessary to log into them - the new password should have already be applied to their local administrators' accounts.

7) I've got a script that checks if this script has been applied or not, - to make sure all your PCs are processed. I can send it to you if you need it (my email should be in your PM ).

 

We ended up going down the route of "Policy > Computer Configuration > Administrative Templates > System > Logon > Run these programs at user logon" which is simply how the big man wanted it. Works like a charm, too.

How can I make the batch file silent, though?

Using a .reg file, I could type regedit /c/s \\<server>\<target file>, but I haven't been able to find anything to confirm that it would work for a batch file.

 

" "Policy > Computer Configuration > Administrative Templates > System > Logon >" - it's not here!

I use 2 GPOs: the first GPO ( "AdminPasswords ") is applying a password changing script in "Policy > Computer Configuration > Windows Settings -Scripts - Startup" and the second GPO (AdminPassCheck) applying the checking script (it should be in your Private Messages) in "Policy > User Configuration > Windows Settings - Scripts - Logon ".

The "AdminPasswords" GPO is applied to the OU with computer accounts, the "AdminPassCheck" GPO is applied to the OU eith user accounts.

If you give me your e-mail in PM I'll send you the print-screens of gpo's settings.

P.S. These scripts are absolutely transparent for users. Although the second (checking) script is applying after "ctrl+alt+del" it's not (or, at least should not be) visible to users.