mcpp661

Script to change local admin password

I'm looking for a VBScript that I can configure to run as a startup script in a GPO that will change the password of all the local admin accounts in the computers in my domain. The computers are a mix of XP Professional and Windows 2000 and unfortunately, the local admin accounts are not named the same on all computers. Really, it doesn't necessarily have to be a VBScript, it can be a batch file or anything else that will work effectively. I found a setting in Group Policy to rename the local admin account, but not to reset the local admin accounts. Please help. Thank you.
RobSampson
Hi, a merge of these two articles will do the job for you:

How Can I Determine if the Local Administrator Account has been Renamed on a Computer?
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jul05/hey0722.mspx

How Can I Change the Local Administrator Password on All My Computers?
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jul07/hey0703.mspx

Regards,

Rob.
mcpp661

ASKER

Thanks guys. Unfortunately, I noticed, in the Microsoft article on how to determine if the local admin account has been renamed, that they state that the script won't work in Windows 2000? However I can remedy that by using Group Policy to rename the admin account. The other problem is that both articles you guys linked seem to require that the script be run manually by myself. The problem I have with that is that the users I work with tend to shut down their computers even when instructed not to. That's why I would like to run the script as a startup script. After re-reading my original post I see that I failed to make that clear, so I apologize. However, it looks like I could take out several of the lines in the Microsoft script you sent me Rob and tailor it to my needs, is that correct? If I'm correct, can I just use the following lines in a startup script and will it work? What would I have to do with the "strComputer" variable? Will it work if I just remove that or do I have to use the computer name as well? If I'm correct, if I don't specify a domain or local computer name doesn't Windows assume a local account? If I need to use the computer name, how do I program VBScript to fetch the name and put it in the strComputer variable? Thanks.

    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    objUser.SetPassword "x%tY7iu8%4f"
mcpp661

ASKER

Would the "net user administrator password" command work as a startup script in a GPO instead of a logon script? This way I wouldn't have to leave an admin password in a batch file? My users aren't local admins.
mcpp661

ASKER

Thanks guys, and thanks to shift-3 because I was concerned about leaving a password in a script but wasn't sure what to do. I'm not to scripting and am trying to soak up as much as I can. Anyhow, I'm going to try these suggestions and see which one works best. After I do this, I'll assign points to everyone who helped me. Thank you.
mcpp661

ASKER

Shift-3, I used the Microsoft Script Encoder as you recommended, but when I executed it I got the error message shown in the attachment. The script will not run as part of a Web page, it's going to be a startup script deployed via a GPO. I tested the script unencrypted and it works just fine, however, after I encrypted it I get the error when I try to execute it. Can it be run in an encrypted state like that or must it be run unencrypted for it to work? Thanks.
error.JPG
I take it back.  The Script Encoder won't work for this purpose.
mcpp661

ASKER

Is there any way to encrypt this or would I have to use something to compile it into an .exe file so that snoopers can't read it?
OK, one other way to hide the password (although you must make sure that users cannot "write" to the script itself), is to use this:

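    ' The new password is expected as the script's only argument
    ' (entered as the script parameter in the GPO).
    If WScript.Arguments.Count = 1 Then
        strComputer = "."                    ' "." = the local computer
        strAdminUsername = "Administrator"   ' name of the local admin account
        Set objUser = GetObject("WinNT://" & strComputer & "/" & strAdminUsername)
        objUser.SetPassword WScript.Arguments.Item(0)
    End If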


and then when you actually apply the script in the GPO console, you have two boxes, one for the script name, another for parameters.  You can type the password here as a parameter and the script will pick it up when it runs.

I can't find any supporting evidence to say this is *not* secure, but as long as users cannot write to the login script, they can't change it to expose the password.  I guess the only other way they could find out the password is if they were running some sort of sniffer that can identify the command line that the script ran with.....

Shift-3, thanks for the GPO path....

Regards,

Rob.
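
An added example, not part of the original thread and not code from any poster or from the linked Microsoft articles: it combines the two ideas discussed above by locating the built-in local Administrator account through its well-known RID of 500, whatever the account has been renamed to, and setting its password from the script parameter. The function name `IsBuiltinAdminSid` and the exit codes are hypothetical, and the script assumes it runs as a startup script on a workstation or member server (not a domain controller).

```vbscript
' Added example: set the password of the built-in local Administrator account,
' whatever it has been renamed to, by matching its well-known RID (500).
' Assumption: the new password is the only script parameter set in the GPO.
Option Explicit

' True when the binary SID ends in RID 500 (little-endian bytes F4 01 00 00).
' IsBuiltinAdminSid is a hypothetical helper name.
Function IsBuiltinAdminSid(binSid)
    Dim n
    IsBuiltinAdminSid = False
    n = LenB(binSid)
    If n < 12 Then Exit Function   ' too short to be an account SID
    IsBuiltinAdminSid = (AscB(MidB(binSid, n - 3, 1)) = &HF4) And _
                        (AscB(MidB(binSid, n - 2, 1)) = &H01) And _
                        (AscB(MidB(binSid, n - 1, 1)) = 0) And _
                        (AscB(MidB(binSid, n, 1)) = 0)
End Function

Dim strComputer, objComputer, objUser, blnFound

' Refuse to run without exactly one argument, so a missing parameter
' can never result in an empty password being set.
If WScript.Arguments.Count <> 1 Then WScript.Quit 1

' Fetch the local computer name instead of hard-coding it.
strComputer = CreateObject("WScript.Network").ComputerName

' Enumerate only the user accounts in the local account database.
Set objComputer = GetObject("WinNT://" & strComputer & ",computer")
objComputer.Filter = Array("user")

blnFound = False
For Each objUser In objComputer
    If IsBuiltinAdminSid(objUser.Get("objectSid")) Then
        objUser.SetPassword WScript.Arguments.Item(0)
        blnFound = True
        Exit For
    End If
Next

' A non-zero exit code marks machines where no RID-500 account was found.
If Not blnFound Then WScript.Quit 2
```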
mcpp661

ASKER

Actually, shift-3's suggestion of using the Microsoft Script Encoder does work, I just wasn't smart enough to realize that the output file needed to have a .vbe extension and not a .vbs extension. However, it's always good to know how to do something more than once. I'm going to close this problem and accept multiple solutions because I learned something from each of you. Thank you everyone.
OK, yeah, forgot the VBE thing....I've been stung by that before too!

Rob.
mcpp661

ASKER

All solutions and responders were very helpful to me in this issue.