Change all my Local Admin passwords automatically...

  • Thread starter Thread starter news.microsoft.com
  • Start date Start date
N

news.microsoft.com

I need to know how to automatically change my local admin passwords.

I have AD 2000 enviornment. I'm afraid someone got ahold of my local admin
and now users will be able to configure their computers with run as.

Thanks.
 
If you use the same local admin password on a group of computers use the
"net user username newpassword" command in a batchfile that would be a
"startup" script and would be applied at next reboot of the computers. After
you configure the batch file, remove the users and everyone group from
permissions to it and give it read/execute permissions for the domain
computers group so that no one can navigate to the sysvol folder and read
the new password. If you go that route, try to do it at the OU level where
you could even move the computers to temporarily so that the local
administrator password gets changed only for that group of computers. If
servers are involved you need to change those passwords ASAP and can do it
remotely through Computer Management/local users and groups but you also
have to check the membership of the local administrators group in case some
user created and administrator account for himself.

http://support.microsoft.com/default.aspx?scid=kb;en-us;322241


You can also change user passwords remotely through the command line or in a
batch file using a utility from SysInternals called pspasswd. See the link
below for details. --- Steve

http://www.sysinternals.com/ntw2k/freeware/pspasswd.shtml
 
You can use the command "net user username new password" in a batch file to
run as a "startup" script for a group of computers in an Organizational Unit
[where you could move them temporarily] if you use the same password. After
you put that script in the startup folder be sure to remove permissions to
that file for users and everyone and add domain computers so that users can
not go to the sysvol share and read the new password. Of course you want to
change passwords on any servers involved ASAP and check their local
administrators group membership to make sure a user did not create an
account for himsef. You can use Computer Management to change passwords on
remote computers.

http://support.microsoft.com/default.aspx?scid=kb;en-us;322241

You can also change the passwords of remote computers [assuming you are an
admin on them] using the free pspasswd utility from SysInternals and can
also do it in batch file or refer to a file with computer names. That way
has the advantage of not having to wait for a reboot that would be needed
for a startup script. See the link below for more details. --- Steve

http://www.sysinternals.com/ntw2k/freeware/pspasswd.shtml
 
You can use the command "net user username new password" in a batch file to
run as a "startup" script for a group of computers in an Organizational Unit
[where you could move them temporarily] if you use the same password. After
you put that script in the startup folder be sure to remove permissions to
that file for users and everyone and add domain computers so that users can
not go to the sysvol share and read the new password. Of course you want to
change passwords on any servers involved ASAP and check their local
administrators group membership to make sure a user did not create an
account for himsef. You can use Computer Management to change passwords on
remote computers.

http://support.microsoft.com/default.aspx?scid=kb;en-us;322241

You can also change the passwords of remote computers [assuming you are an
admin on them] using the free pspasswd utility from SysInternals and can
also do it in batch file or refer to a file with computer names. That way
has the advantage of not having to wait for a reboot that would be needed
for a startup script. See the link below for more details. --- Steve

http://www.sysinternals.com/ntw2k/freeware/pspasswd.shtml
 
Back
Top