Synchronize local administrator passwords using Group Policy

[Chip Andrews]

I've seen some refereces to sites such as:

http://web.mit.edu/is/topics/windows/server/winmitedu/extensions.html#rootpass

who claim to have custom adm templates to achive this. Does anyone have
any idea HOW they are doing this or where I can get a copy of one of
these administrative templates? MIT has not been forthcoming but I hate
to re-invent the wheel if someone else knows how they are doing this.

(Yes - I know the password will be readable by domain users - this is
mostly for educational purposes)

Thanks
Chip

 

[Phil]

You can change the local admin password with a line in a startup script:

net user administrator %1

Put the password in the "Parameters" box for the startup script.

 

[Andrew Mitchell]

Thanks Phil - that is currently how I have implemented it. However, the
MIT approach "appears" to be more elegant. For starters, the "script"
approach you mentioned only takes effect when the machine is restarted.
This is not desireable if you have machines that have uptimes in weeks
and months. You want something that will update the local admin
passwords in the GP update window.

My primary reason for inquiry is HOW are they doing this since it
doesn't appear to be via a startup script or other "shell" mechanism.

You don't know what they have loaded on their OS. They could have a service
installed that periodically reads a registry key (set by the GP) to determine
whether or not to reset the local admin password and what to set it to.

Such a service would be quite simple to write, could be distributed by
another GPO or built into the OS image, and would do exactly what they have
described.