How to add local admin acct. across a network?

[Clayton Sutton]

Hey everyone,

I have two problems. First let me say that we are running a Windows 2003
Domain and we have about 2000 workstations. I just came on board as the new
network administrator. When the old network admin. deployed all the
workstations he did not add an AD acct. as a local admin to any of the
workstations.

Thus, problem #1:

Anyone know of a way to add an AD acct. to each and every workstation and
make it a local admin?


Problem #2:

Anyone know of a product where we can change ALL of the local admin
passwords across the entire organization?


Thanks for any and all input.


Clayton

 

[Pegasus \(MVP\)]

Hey everyone,

I have two problems. First let me say that we are running a Windows 2003
Domain and we have about 2000 workstations. I just came on board as the new
network administrator. When the old network admin. deployed all the
workstations he did not add an AD acct. as a local admin to any of the
workstations.

Thus, problem #1:

Anyone know of a way to add an AD acct. to each and every workstation and
make it a local admin?


Problem #2:

Anyone know of a product where we can change ALL of the local admin
passwords across the entire organization?


Thanks for any and all input.


Clayton

Here is a way that will resolve both issues.

1. Compile a list c:\PCs.txt of all NetBIOS names.

2. Create the batch file \\SomeServer\SomeShare\SomeFolder\xxx.bat.
Store it in a location that is accessible to domain admins only. Delete
it immediately after use.
@echo off
net localgroup administrators | find /i "YourDomainName\domain users" &&
goto :eof
net localgroup administrators "YourDomainName\domain users" /add
net user administrator SomePassword

3. Run this command from your console:
for /F 'tokens=*" %* in (c:\PCs.txt) do psexec "\\%*" -u
YourDomain\administrator -p YourPassword
\\SomeServer\SomeShare\SomeFolder\xxx.bat

It is possible to refine this method so that it only contacts
PCs that are on-line, or that it skips PCs that have already
been dealt with, or that it maintains a log of the response
from each PC.

You can get psexec.exe from www.sysinternals.com.

 

[Jaap de Koning]

Wouldn't it be easier to use a security template?

Create a new template, and just add a domain user to the local
administrator group.

For changing password I would like to recommend you to the following
thread:

http://groups.google.com/group/micr...local+password+remote&rnum=3#27464b4a15f9fa16


good luck!

 

[Norbert Fehlauer [MVP]]

Clayton Sutton wrote:
Hi,

Anyone know of a way to add an AD acct. to each and every workstation
and make it a local admin?

Just use a GPO.
http://support.microsoft.com/kb/228496/en-us
http://groups.google.com/group/micr...e_frm/thread/9c0c6c189ad23d2/c85ac7f91d6710ff


HTH
Norbert

 

[Paul Williams [MVP]]

1. I would either look at Restricted Groups, Start-up script or a script
that either did all of this for me or utilised CUSRMGR.

This article explains how to do the first two points I made:
-- http://www.msresource.net/content/view/45/47/


2. To achieve this point earlier this year, I used the following:

Note. I was intending to add additional functionality such as rollback,
etc. but had to skip some of it due to the need to get this done. Therefore
some aspects of the code might not do much:

Please watch out for the line wrap.

' ***************************************************************
' * ResetAllPasswords.vbs *
' * *
' * Paul Williams, msresource.net, January 2006 *
' * *
' * Script pulls all computer accounts from the [default] *
' * domain and resets the local administrator password on each *
' * one. Some of the computers might be offline, or there may *
' * no longer be an actual computer for the computer object in *
' * the directory. Therefore, a tab-separated file is created *
' * indicating success or failure, as well as the debug log. *
' * *
' * Success is measured by the script not being in a state of *
' * error on the current iteration of the record set. *
' * *
' * Filenames are constants, and the password is a variant *
' * defined if and when the record set is successfully *
' * returned. *
' * *
' * Version: 1.1.1. *
' * Last updated: 21-01-2006 *
' * Last updated by: Paul Williams *
' * *
' ***************************************************************
Option explicit
'On error resume next

' define constants
const bDebugFlag = true
const LOG_FILE_NAME = "ResetAllPasswordsLog.txt"
const ROLLBACK_LOG_NAME = "ResetAllPasswordsRollback.txt"

' define variants
dim oRootDse,oConnection,oCommand,oRs
dim sBase,sFilter,sAttrs,sScope,sQuery
dim oFso,logf,log2

' instantiate objects
set oFso=createObject("Scripting.fileSystemObject")
set logf=oFso.createTextFile(LOG_FILE_NAME,true)
set log2=oFso.createTextFile(ROLLBACK_LOG_NAME,true)
set oRootDse=getObject("LDAP://RootDSE")
set oConnection=createObject("ADODB.Connection")
set oCommand=createObject("ADODB.Command")

' configure connection and command
oConnection.provider="ADsDSOObject"
oConnection.open"Active Directory Provider"

' configure command to use active connection
oCommand.activeConnection=oConnection
'set oCommand.activeConnection=oConnection

' define filter
sBase = "<LDAP://"&oRootDse.get("defaultNamingContext")&">;"
sFilter = "(objectCategory=computer);"
sAttrs = "distinguishedName,cn,whenChanged,whenCreated;"
sScope = "subtree"

sQuery = sBase&sFilter&sAttrs&sScope
debug"ADO Query : "&sQuery


' set command properties
oCommand.commandText =sQuery
oCommand.properties("Page Size") =100
oCommand.properties("Size Limit") =10000
oCommand.properties("Timeout") =30
oCommand.properties("Cache Results") =false

' execute command
set oRs=oCommand.execute

' test to see if oCommand executed
if(isNull(oRs))then
' do nothing, as query yielded no results
sResult="ERR_RECORD_SET_IS_NULL"
debug sResult
else
dim dn,cn,whenChanged,whenCreated
dim sProvider,sPassword,sResult
dim oUser

sPassword="aC0mpl3xP@55w0rd!"
debug"Password : "&sPassword

log2.writeLine("Computer"&vbTab&"Status")

' check to see there are records
if(not oRs.eOF)then
oRs.moveFirst

' iterate record set
while not oRs.eOF
dn=oRs.fields(0).value
cn=oRs.fields(1).value
whenChanged=oRs.fields(2).value
whenCreated=oRs.fields(3).value

debug"dn : "&dn
debug vbTab&"cn : "&cn
debug vbTab&"whenCreated : "&whenCreated
debug vbTab&"whenChanged : "&whenChanged

if(dn<>"" and cn<>"")then
sProvider="WinNT://"&cn&"/Administrator"
debug vbTab&"provider : "&sProvider

set oUser=getObject(sProvider)
oUser.setPassword(sPassword)

if(err.number<>0)then
' error thrown. assume failure
debug vbTab&"error thrown. assume failure"
err.clear
log2.writeLine(cn&vbTab&"Failure")
else
' no error thrown. assume success
debug vbTab&"password successfully set"
log2.writeLine(cn&vbTab&"Success")
end if
end if

debug""

oRs.moveNext
wend
else
sResult="ERR_RECORD_SET_IS_EMPTY"
debug sResult
end if
end if



' ***********************************************
' debug(string messageToEcho)
'
' Sub echos the passed string.
'
' Sub used for outputting all debugging
' information to the screen/ console.
'
' bDebugFlag is a constant. Set to true for
' debugging info. Set to false when in
' production.
'
' ***********************************************
Private Sub debug(sMessage)
if(bDebugFlag)then
wscript.echo sMessage
if(sMessage<>"")then
logf.writeLine(date&vbTab&time&vbTab&sMessage)
else
logf.writeLine(sMessage)
end if
end if
End Sub

 

[Pegasus \(MVP\)]

Yes, it would indeed!

 

[Clayton Sutton]

Thanks Jaap for the input!

Can you point me in the right direction to learn how to create a security
template?


Clayton