Programmatically review local users, find the default (built-in) administrator, change the username, then change the password

Posted on 2003-03-07
Medium Priority
Last Modified: 2013-12-04
Regarding administrator accounts on local machines that are part of a mixed NT/2000 domain.

Currently I am pushing a VB program using SMS that simply uses cusrmgr to rename the local administrator, then changes the password. I have some concerns though.

1)  I cannot verify that "Administrator" is the built-in administrator, i.e. someone renames it.
2)  There is no error checking; I have no idea if I am successful or not.
3)  Some instances of renaming are occurring, but the password remains the older password.

I would like to do the following:

1)  List all users in the "Local Administrators" group for each client computer
2)  Find the built-in admin (I read that it can be identified by a SID ending in 500, but this is not always true)
3)  Change the username of the built in administrator
4)  Change the password of the built in administrator
5)  Handle/report errors
6)  Write a file of all users in "Local Administrators" group.

Any help would be appreciated.
Question by:davidstickelman
LVL 12

Expert Comment

ID: 8090807
I can't solve your question about the built-in administrator, but how about making a note of the administrator's SID just after installing your workstations? I only know about SID 500 for the local Administrator.

But I have written a freeware tool that reports on your questions 1, 5 and 6.

You (and everybody else) can download it from:


I hope this will help You.

Many Regards
Jorgen Malmgren


Expert Comment

ID: 8093870
Administrators (i.e. a USER, not a group like Domain Admins or ADMINISTRATORS) always have the "500".


Expert Comment

ID: 8093874
This MSKB article may help:


LVL 86

Accepted Solution

oBdA earned 750 total points
ID: 8095703
Hi David,

try the script below; but as usual: use it at your own risk, test it thoroughly before applying it, etc. The script only uses MS standard tools, so it should be safe, but, hey, we're talking computers here.

You're already using cusrmgr, so you should have the Resource Kit; the script needs addusers.exe, getsid.exe, and cusrmgr.exe and should run on NT4, W2k and XP (I tested it in a workgroup on W2k against an NT4 test client). It relies on the built-in system administrator account RID of 500, but this should always be the case, as this administrator account cannot be deleted and cannot be removed from the local administrators group. (If the built-in account cannot be determined that way, the script makes no changes to the system.)
It takes either a remote machine name as a single argument, or "/L" as the first argument and a file with a list of computer names (one name per line) as the second argument, so you can process a bunch of machines at once.
It will print the results on the screen and create a ";"-separated log file as well that you can import into Excel or whatever. (Careful when running the script twice: it makes no backup of the former log file, it just overwrites it without warning!) The log file lists the machine name, the local administrator accounts and their SIDs, the built-in administrator account, other members of the local administrators group (well, it should list them, but I have no domain at hand right now for really testing this ...), and the return codes of the "rename" and the "change password" process. The administrator lists are ","-separated.
For testing purposes, you can create a new administrator account on a test client, run the script in test mode to find out about the SID, and then change the RID in the script to the one of the test account, so that you only manipulate this (that's how I tested it); note that (as an additional precaution) the RID is set to "xxx" instead of "500" in the script at the moment, so it will never find an account to change.
Please note, too, that the script is in test mode right now; set "Test" to an empty string to actually make the changes; while it is in test mode, it will do everything as usual, but it will not change the name or the password.
Check whether the name of the administrators group is correct and adjust it to your localized name.
(Oh, and if you have a lot of local accounts, the script might run into a length limitation.)
If it doesn't suit your needs, it should at least give you enough inspiration for another solution. ;)

@echo off
setlocal
rem *** renbiadmin.cmd
rem *** Renames the built-in administrator account of the specified machine and changes the password.
rem *** Necessary external tools: addusers.exe, getsid.exe, cusrmgr.exe
rem *** Usage: renbiadmin.cmd <machine>
rem ***    or: renbiadmin.cmd /L <file with one machine name per line>
rem *** New name of the built-in administrator account:
set NewAdmin=LocalAdmin
rem *** New password of the built-in administrator account:
set NewPassword=Secret
rem *** Test mode:
rem *** "set Test=echo" (without quotation marks) for testing purposes,
rem *** "set Test=" (without quotation marks) to get serious
rem *** in test mode, it will do everything as usual, but it will neither
rem *** rename the account(s) found nor change the password.
set Test=echo
rem *** Built-in System Administrator RID (Default: 500):
set BIAdminRID=xxx
rem *** The name of the Local Administrators Group:
set AdminGroup=Administrators
rem *** Delimiter for addusers; this character may NOT appear in the description of the Local Administrators Group!
set Delim=~
rem *** path and name of the log file:
set LogFile=renbiadmin.log
rem *** some temp file, gets deleted afterwards
set TempFile=%Temp%\renbiadmin.tmp

if %1.==. goto leave
(echo Machine Name;Local Admins;Builtin Admin;Other Admins;Return Code "Rename";Return Code "New Password")>"%LogFile%"
echo ======================================================================
if /i not %1.==/L. goto process
if %2.==. goto leave
for /f %%a in (%2) do call :process %%a
goto leave

rem **********************************************************************
rem *** Process one machine (%1 = machine name):
:process
set Machine=%1
set LocalAdmins=
set BuiltinAdmin=
set OtherAdmins=
set TempAdmins=
rem *** Get the target machine's local accounts:
addusers /d "%TempFile%" /s:%Delim% \\%Machine% >NUL
rem *** Filter the Local Administrators Group (%%c = the member list, still "%Delim%"-separated);
rem *** the file name is quoted because %Temp% may contain spaces:
for /f "usebackq tokens=1,2* delims=%Delim%" %%a in ("%TempFile%") do if "%%a"=="%AdminGroup%" set TempAdmins=%%c
del "%TempFile%"
rem *** Check the local administrators for the built-in account, one member per pass:
:CheckAdmins
for /f "tokens=1* delims=%Delim%" %%a in ("%TempAdmins%") do (
  set CheckAdmin=%%a
  set TempAdmins=%%b
  call :FindBuiltIn
)
if not "%TempAdmins%"=="" goto CheckAdmins

rem *** Check if the built-in account was found:
if "%BuiltinAdmin%"=="" (
  set BuiltinAdmin=[Undetermined]
  set RCRename=[skipped]
  set RCNewPass=[skipped]
  goto log
)

rem *** Check if the built-in account already has the correct name:
if /i "%BuiltinAdmin%"=="%NewAdmin%" (
  set RCRename=[skipped: name ok]
  goto ChangePass
)
rem *** Rename the built-in account and save the return code:
set RCRename=
for /f "tokens=2 delims=:" %%a in ('%Test% cusrmgr -u %BuiltinAdmin% -m \\%Machine% -r %NewAdmin% ^| find /i "ERROR"') do set RCRename=%%a
if "%RCRename%"=="" set RCRename=0

rem *** Check if renaming was successful:
if %RCRename% GTR 0 (
  set RCNewPass=[skipped: couldn't rename]
  goto log
)
:ChangePass
rem *** Change the password and save the return code:
set RCNewPass=
for /f "tokens=2 delims=:" %%a in ('%Test% cusrmgr -u %NewAdmin% -m \\%Machine% -P %NewPassword% ^| find /i "ERROR"') do set RCNewPass=%%a
if "%RCNewPass%"=="" set RCNewPass=0
goto log

rem **********************************************************************
rem *** Subroutine: decide whether %CheckAdmin% is the built-in account.
:FindBuiltIn
rem *** Check if the account to be tested is a local one:
for /f "tokens=1,2 delims=\" %%a in ("%CheckAdmin%") do (
  set CheckDomain=%%a
  set CheckAdmin=%%b
)
rem *** if it's not a local one, save it and return (a domain account with RID 500
rem *** is the domain's administrator, not this machine's, so it is never a candidate):
if /i not "%CheckDomain%"=="%Machine%" (
  set OtherAdmins=%OtherAdmins%,%CheckDomain%\%CheckAdmin%
  goto :eof
)

rem *** Get the administrator's SID of the remote machine:
for /f "tokens=7 skip=2" %%a in ('getsid \\%Machine% %CheckAdmin% \\%Machine% %CheckAdmin%') do set SID=%%a
set TempSID=%SID%
rem *** Get the Relative Identifier (the last "-"-separated part of the SID):
:GetRID
for /f "tokens=1* delims=-" %%a in ("%TempSID%") do (
  set RID=%%a
  set TempSID=%%b
)
if not "%TempSID%"=="" goto GetRID
set LocalAdmins=%LocalAdmins%,%CheckAdmin% {%SID%}
if "%RID%"=="%BIAdminRID%" set BuiltinAdmin=%CheckAdmin%
goto :eof
rem **********************************************************************

rem *** Report the result for this machine on screen and in the log file:
:log
set LocalAdmins=%LocalAdmins:~1%
if "%OtherAdmins%"=="" set OtherAdmins=,[None]
set OtherAdmins=%OtherAdmins:~1%
(echo %Machine%;%LocalAdmins%;%BuiltinAdmin%;%OtherAdmins%;%RCRename%;%RCNewPass%)>>"%LogFile%"
echo Machine:       %Machine%
echo Local Admins:  %LocalAdmins%
echo Builtin Admin: %BuiltinAdmin%
echo Other Admins:  %OtherAdmins%
echo RC Rename:     %RCRename%
echo RC Password:   %RCNewPass%
echo ======================================================================
goto :eof

:leave

LVL 86

Expert Comment

ID: 8097418
Forgot something; merge this into the part after ":process" to make sure the remote machine is running:

:process
set Machine=%1
set BuiltinAdmin=
set LocalAdmins=
set OtherAdmins=
rem *** check if remote machine is alive (one echo request; "TTL" only appears in a reply):
ping -n 1 %Machine% | find "TTL" >NUL
if errorlevel 1 (
  set Machine=%Machine% [skipped]
  set BuiltinAdmin=[skipped]
  set LocalAdmins=,[skipped]
  set OtherAdmins=,[skipped]
  set RCRename=[skipped]
  set RCNewPass=[skipped]
  goto log
)
rem *** Get the target machine's local accounts:
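A present-day equivalent of the two posts above (the renbiadmin.cmd script plus its reachability check), written here as an added example and not part of the original thread or of any Microsoft tool: it enumerates the local Administrators group, picks the built-in account by RID 500 within the machine's own SID (so DOMAIN\Administrator, which also has RID 500, is listed as an "other" admin and never renamed), renames it, sets the password, and writes the same ";"-separated log. It assumes Windows 10 / Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module, PowerShell Remoting enabled on the targets, and local admin rights there; the computer list, -NewAdmin and -LogFile are placeholders, and -TestMode plays the role of "set Test=echo".

```powershell
<#
  renbiadmin.ps1 -- added example, not from the original thread.
  Usage:  .\renbiadmin.ps1 -ComputerName (Get-Content hosts.txt) `
              -NewPassword (Read-Host -AsSecureString 'New password') -TestMode
#>
param(
    [Parameter(Mandatory)] [string[]]     $ComputerName,
    [Parameter(Mandatory)] [securestring] $NewPassword,   # never a plain string in the script
    [string] $NewAdmin = 'LocalAdmin',
    [string] $LogFile  = 'renbiadmin.log',
    [switch] $TestMode                                    # like "set Test=echo": report, change nothing
)

# Runs on each target and returns one record; errors are caught inside so a
# single broken host cannot abort the run.
$perMachine = {
    param([string] $NewAdmin, [securestring] $NewPassword, [bool] $TestMode)

    $r = [ordered]@{ Machine = $env:COMPUTERNAME; LocalAdmins = ''; BuiltinAdmin = '[Undetermined]'
                     OtherAdmins = '[None]'; RCRename = '[skipped]'; RCNewPass = '[skipped]'; Error = '' }
    try {
        # Local Administrators group by its well-known SID, so a localized group
        # name ("Administratoren", ...) does not matter.
        $grp     = [System.Security.Principal.SecurityIdentifier] 'S-1-5-32-544'
        $members = @(Get-LocalGroupMember -SID $grp -ErrorAction Stop)

        # Every SAM account shares the machine SID (S-1-5-21-x-y-z) as its domain
        # part. A member with another domain part is not local even if its RID is
        # 500: DOMAIN\Administrator arriving via Domain Admins has RID 500 too.
        $machineSid = (Get-LocalUser -ErrorAction Stop | Select-Object -First 1).SID.AccountDomainSid
        $local = @($members | Where-Object { $_.SID.AccountDomainSid -eq $machineSid })
        $other = @($members | Where-Object { $_.SID.AccountDomainSid -ne $machineSid })

        $r.LocalAdmins = ($local | ForEach-Object { "$($_.Name) {$($_.SID.Value)}" }) -join ','
        if ($other.Count) { $r.OtherAdmins = ($other.Name) -join ',' }

        # The built-in Administrator is the local *user* with RID 500.
        $builtin = @($local | Where-Object {
            $_.ObjectClass -eq 'User' -and $_.SID.IsWellKnown('AccountAdministratorSid') })
        if ($builtin.Count -ne 1) { return [pscustomobject] $r }     # undetermined: touch nothing

        $sid = $builtin[0].SID
        $r.BuiltinAdmin = $builtin[0].Name
        if ((Get-LocalUser -SID $sid -ErrorAction Stop).Name -ieq $NewAdmin) {
            $r.RCRename = '[skipped: name ok]'
        } else {
            Rename-LocalUser -SID $sid -NewName $NewAdmin -WhatIf:$TestMode -ErrorAction Stop
            $r.RCRename = 0
        }
        # Address the account by SID, not by its old or new name, so the password
        # change cannot silently hit the wrong account if the rename did not stick.
        Set-LocalUser -SID $sid -Password $NewPassword -WhatIf:$TestMode -ErrorAction Stop
        $r.RCNewPass = 0
    }
    catch {
        # Whichever RC field is still '[skipped]' marks the step that failed.
        $r.Error = $_.Exception.Message
    }
    [pscustomobject] $r
}

$rows = foreach ($c in $ComputerName) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $perMachine -ErrorAction Stop `
            -ArgumentList $NewAdmin, $NewPassword, ([bool] $TestMode) |
            Select-Object Machine, LocalAdmins, BuiltinAdmin, OtherAdmins, RCRename, RCNewPass, Error
    }
    catch {
        # Host down, WinRM off or access denied: the equivalent of the ping check.
        [pscustomobject]@{ Machine = "$c [skipped]"; LocalAdmins = ''; BuiltinAdmin = '[skipped]'
                           OtherAdmins = ''; RCRename = '[skipped]'; RCNewPass = '[skipped]'
                           Error = $_.Exception.Message }
    }
}
$rows | Format-Table -AutoSize
$rows | Export-Csv -Path $LogFile -Delimiter ';' -NoTypeInformation
```

Two practical notes. Get-LocalGroupMember throws when a group member's SID can no longer be resolved (an orphaned SID from a deleted domain account); such a machine ends up in the log with an Error column and is left untouched, which is the safe outcome. And, as with the batch script, every machine receives the same password; once one host is compromised, that password (or its NTLM hash) opens all the others, so a per-machine password with the log kept somewhere protected is the stronger arrangement.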

Author Comment

ID: 8285098
Although I was looking for an executable that could be pushed with SMS (to ensure that it executes on all managed machines with little/no intervention), this does the job well.  Thank you.
