Local Admin Password change script for Domain PC's

Barkley Bees

Hi all, I have a simple script I want to run on all client PC's (all clients
are XP Pro) in our 2003 Active Directory. It will be used to change the
local admin password for all PC's in our single domain Active Directory:

----------------------------------------------------------
Set WshShell = WScript.CreateObject("WScript.Shell")
WSHShell.Run "Net User administrator password"
Set WSHShell = Nothing
----------------------------------------------------------

*note: "password" is replaced by the actual password we will be using in the
encoded script.

I have encoded it using Microsoft's Windows Script Encoder so it is now a
.vbe extension file and it appears to be working when running it manually.
My question is, what would be the most effective way to run this on client
PC's:

- Call to it "password.vbe" from logon script.
- Group Policy start up script (Computer Configuration -> Windows
Settings -> Scripts -> Startup).
- SMS 2003 package.
- Other options?

Appreciate any advice. Thanks.
 
Florian Frommherz [MVP]

Howdie!

Barkley said:
Hi all, I have a simple script I want to run on all client PC's (all clients
are XP Pro) in our 2003 Active Directory. It will be used to change the
local admin password for all PC's in our single domain Active Directory:

----------------------------------------------------------
Set WshShell = WScript.CreateObject("WScript.Shell")
WSHShell.Run "Net User administrator password"
Set WSHShell = Nothing
----------------------------------------------------------

The question arose a few times here in the newsgroups. There are various
suggestions, I guess you should find a few of them on google groups or
the forums search. While I'm actually not aware of how good the
"encoding" of the script will prevent your folks from trying to crack it
and steal the password, I'd not use a script to change the password.
I've found pspasswd very useful:
http://www.microsoft.com/technet/sysinternals/miscellaneous/pspasswd.mspx

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
 
Richard Mueller [MVP]

Another option is a VBScript program that binds to the local Administrator
user object and uses the SetPassword method to change the password. The
advantage of this is that it can be done remotely, from your PC, as long as
you have connectivity and administrator privileges on the remote computer.
If you are a member of the Domain Admins group you should be a member of the
local Administrators group on the remote computers. You could run the script
once for each PC, specifying the NetBIOS name of the computer, or read the
names from a text file and loop through the computers. For one computer:
=========
Option Explicit
Dim strComputer, objAdmin, strPassword

strPassword = "xzy213q"
strComputer = "west241"
Set objAdmin = GetObject("WinNT://" & strComputer & "/administrator,user")
objAdmin.SetPassword strPassword
=========
To read a text file of computer NetBIOS names you could use code similar to:
==========
Option Explicit
Dim strComputer, strPassword, objAdmin, strFile, objFSO, objFile
Const ForReading = 1

strPassword = "xzy213q"

' Open text file of computer names.
strFile = "c:\scripts\computers.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFile, ForReading)

' Read the file.
Do Until objFile.AtEndOfStream
    strComputer = Trim(objFile.ReadLine)
    ' Skip blank lines.
    If (strComputer <> "") Then
        ' Bind to local Administrator user on remote computer.
        ' Trap error if computer not available.
        On Error Resume Next
        Set objAdmin = GetObject("WinNT://" & strComputer _
            & "/administrator,user")
        If (Err.Number <> 0) Then
            On Error GoTo 0
            Wscript.Echo "Unable to connect to " & strComputer
        Else
            On Error GoTo 0
            ' Reset password only if the bind succeeded, so a failed
            ' bind never reuses the object from the previous computer.
            objAdmin.SetPassword strPassword
        End If
        Set objAdmin = Nothing
    End If
Loop
objFile.Close
=========
In the above I trap the possible error if the computer is not available.
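
An added example, not part of Richard's post or of any code in this thread: the same WinNT-provider loop, but prompting for the password at run time instead of storing it in the script file, and writing a per-computer result log so machines that were off or unreachable can be retried. The log path c:\scripts\results.csv is an assumption; ScriptPW.Password is used for masked input where it is registered, with echoed console input as the fallback.

```vbscript
' Added example, not code from the thread. Run with: cscript //nologo <script>.vbs
' Assumed paths: c:\scripts\computers.txt (as in the post above) and
' c:\scripts\results.csv (hypothetical log file).
Option Explicit
Const ForReading = 1, ForWriting = 2
Dim objFSO, objIn, objLog, objPW, objAdmin
Dim strComputer, strPassword, strStatus

' Ask for the password at run time so it is never stored in the script file.
WScript.StdOut.Write "New local Administrator password: "
On Error Resume Next
Set objPW = CreateObject("ScriptPW.Password")   ' masked console input
If Err.Number = 0 Then
    strPassword = objPW.GetPassword()
Else
    Err.Clear
    strPassword = WScript.StdIn.ReadLine         ' fallback: input is echoed
End If
On Error GoTo 0
WScript.StdOut.WriteLine
If Len(strPassword) = 0 Then
    WScript.Echo "No password entered; nothing changed."
    WScript.Quit 1
End If

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objIn = objFSO.OpenTextFile("c:\scripts\computers.txt", ForReading)
Set objLog = objFSO.OpenTextFile("c:\scripts\results.csv", ForWriting, True)
objLog.WriteLine "computer,status,error"

Do Until objIn.AtEndOfStream
    strComputer = Trim(objIn.ReadLine)
    If strComputer <> "" Then
        Set objAdmin = Nothing
        On Error Resume Next
        Set objAdmin = GetObject("WinNT://" & strComputer & "/administrator,user")
        If Err.Number = 0 Then objAdmin.SetPassword strPassword
        If Err.Number = 0 Then
            strStatus = "OK,"
        Else
            ' Covers both an unreachable computer and a rejected password.
            strStatus = "FAILED,0x" & Hex(Err.Number)
        End If
        On Error GoTo 0
        objLog.WriteLine strComputer & "," & strStatus   ' password is never logged
    End If
Loop
objLog.Close
objIn.Close
WScript.Echo "Done. Check c:\scripts\results.csv for computers that still need the change."
```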
 
Baboon

Are you aware of the new Group Policy Preference settings?

You can change the local Administrator password very easily through GPMC
for all computers in the desired scope of management. We have started using
this in my organization and it has worked like a charm. You would just need
to make sure all the XP machines have the Windows 2008 Client Side Extensions
installed, either via Windows Update or a startup script (ironically). We
are using a startup script so that we can be certain the CSEs are getting
installed. I'll find the site from which I obtained the script if you need
it.
 
Ken Aldrich

For a script-less solution you could try DSRAZOR for Windows to bulk reset
local administrator passwords. It is not a free utility, but it is reliable
and easy.
You can run the applet from your workstation (logged in with sufficient
credentials) and select all of the machines you want to update. Type in the
new password and press OK. DSRAZOR will update the password on those
machines. It will also keep a log of successful updates - this way you can
keep track of which machines were not updated (turned off, not on the
network at the time, etc).

Some of the scripting solutions mentioned in this thread work just great and
are a good fit for some people, but we've found that many people like the
ease of use a supported utility can provide.

www.visualclick.com/?source=NGwin2KAD
 
Barkley Bees

Thanks for your advice Baboon. I would assume though that our DC's would
then need to be running 2008, correct? Unfortunately we are not planning to
upgrade our domain until next year if this is the case.

From what I can see there is a CSE update available for both XP and
Server 2003 so possibly this can be done without needing 2008 DC's? If we
can do this with our existing 2003 domain that would be great. Please let me
know more about this.

Update:

I found the below which states that you can change the local account
passwords and add/remove users from groups. If we can do this it would be
great as it would allow us to add some of our administrative groups to the
local administrator group on the client PC's.

http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part3.html
 
Florian Frommherz [MVP]

Howdie!

Barkley said:
From what I can see there is a CSE update available for both XP and
Server 2003 so possibly this can be done without needing 2008 DC's? If we
can do this with our existing 2003 domain that would be great. Please let me
know more about this.

Yah, you can do that. All you need is a Windows Vista machine with RSAT
(Remote Server Administration Toolkit) installed. Also, the CSEs must be
installed on the target/client machines, that's all.

Barkley said:
I found the below which states that you can change the local account
passwords and add/remove users from groups. If we can do this it would be
great as it would allow us to add some of our administrative groups to the
local administrator group on the client PC's.

http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part3.html

The article is correct, you can do that with exactly that functionality in
Preferences.

cheers,

Florian
 
Barkley Bees

Thanks for the clarification Florian! This sounds fantastic. How big of an
ordeal is this in terms of integrating into an existing domain with existing
Group Policies? Is it as simple as it sounds:

- install KB943729 to Server 2003 DC's.
- configure new Group Policy preferences from Vista client PC w/ RSAT
installed or 2008 member server.
- install KB943729 to all client machines (via script, SMS or WSUS when it
becomes available).

Does Microsoft have any whitepaper information on this? The "Group Policy
Preferences" doc was quite informative and tantalizing.
http://www.microsoft.com/downloads/...3f-6f01-4610-9d6e-f6e0fb7a0790&displaylang=en
 
Florian Frommherz [MVP]

Howdie!

Barkley said:
Thanks for the clarification Florian! This sounds fantastic. How big of an
ordeal is this in terms of integrating into an existing domain with existing
Group Policies? Is it as simple as it sounds:

- install KB943729 to Server 2003 DC's.
- configure new Group Policy preferences from Vista client PC w/ RSAT
installed or 2008 member server.
- install KB943729 to all client machines (via script, SMS or WSUS when it
becomes available).

Yes, those steps seem sufficient to me. You can summarize it to two
steps: Install the CSEs on the clients and set up a management station
with Vista w/ RSAT or 2008. That's all.

For the CSE installation a few things:
- there's no MSI file to install Preference-CSEs :-( (that sucks as you
could have simply deployed it with Software installation). So it's
scripting time or WSUS deployment need.
- Windows Server 2008 already has those CSEs on board. No need to update
those.
- There's no Preference-CSE pack for Windows 2000. That's not supported.

Barkley said:
Does Microsoft have any whitepaper information on this? The "Group Policy
Preferences" doc was quite informative and tantalizing.
http://www.microsoft.com/downloads/...3f-6f01-4610-9d6e-f6e0fb7a0790&displaylang=en

Hum, there's no whitepaper on setting up clients for preference-use
afaik. Preference-docs are rare these days. Maybe you can find use in
the Preference FAQ:
http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/preferencesfaq.mspx

The Group Policy Survival Guide might also provide you some links to
further information on this ( - tape it to your wall! :)

http://download.microsoft.com/downl...-b2508e0eccf3/Group Policy Survival Guide.pdf

cheers,

Florian
 
Baboon

I have been using the script which can be downloaded from the link on this page:
http://heidelbergit.blogspot.com/2008/03/how-to-install-gpp-cses-using-startup.html

I first found out about the script from Rytis's post to this thread:
http://www.microsoft.com/communitie...8cdf&mid=ad83917f-89cf-479c-b645-fc97c79b3bb3

I went with that script as a machine startup script instead of relying on
WSUS or MS Update because of the XML Lite prerequisite, and because it seemed
in testing that some machines that needed the CSEs weren't getting them, even
when pointing to a WSUS server that had them approved appropriately.

That said, it seems that the recently (last two weeks or so) released
versions of the CSEs are now getting installed via WSUS on machines that
weren't getting them before. Maybe someone can confirm that?

Hope this helps.


 
Matt Maslowski

Hey Barkley...

I would recommend you look at the solution that was developed to address any
type of security efforts for local administrator passwords -
www.autocipher.com.

This is an agentless password management solution that I've used in the
past... works like a charm.

Regards,
Matt
 
